redline | hxxp://universe-city[.]io

Analysis

max time kernel
1099s
max time network
1092s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
30-11-2022 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://universe-city.io

Score

10^/10

redline microsoft discovery evasion infostealer persistence phishing spyware stealer trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/504-635-0x0000000003140000-0x000000000318E000-memory.dmp	family_redline
behavioral1/memory/504-642-0x00000000054E0000-0x000000000552A000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

UniverseCity.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ UniverseCity.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UniverseCity.exe

Executes dropped EXE 7 IoCs

Processes:

Launcher.exewindowsdesktop-runtime-6.0.11-win-x64.exewindowsdesktop-runtime-6.0.11-win-x64.exewindowsdesktop-runtime-6.0.11-win-x64.exeLauncher.exeUniverseCity.exeChromeRecovery.exe

pid	process
2196	Launcher.exe
3668	windowsdesktop-runtime-6.0.11-win-x64.exe
2044	windowsdesktop-runtime-6.0.11-win-x64.exe
2792	windowsdesktop-runtime-6.0.11-win-x64.exe
1544	Launcher.exe
504	UniverseCity.exe
1948	ChromeRecovery.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UniverseCity.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UniverseCity.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UniverseCity.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation	Launcher.exe

Loads dropped DLL 64 IoCs

Processes:

windowsdesktop-runtime-6.0.11-win-x64.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeLauncher.exe

pid	process
2044	windowsdesktop-runtime-6.0.11-win-x64.exe
4944	MsiExec.exe
4944	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe
3728	MsiExec.exe
3728	MsiExec.exe
4172	MsiExec.exe
4172	MsiExec.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe
1544	Launcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windowsdesktop-runtime-6.0.11-win-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	windowsdesktop-runtime-6.0.11-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c4846f79-a633-4ae4-92a3-92fdbeb33da2} = "\"C:\\ProgramData\\Package Cache\\{c4846f79-a633-4ae4-92a3-92fdbeb33da2}\\windowsdesktop-runtime-6.0.11-win-x64.exe\" /burn.runonce"	windowsdesktop-runtime-6.0.11-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

UniverseCity.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA UniverseCity.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UniverseCity.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

UniverseCity.exe

pid process

504 UniverseCity.exe

pid	process
504	UniverseCity.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\System.IO.Packaging.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\ko\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\pl\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Runtime.Handles.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\de\UIAutomationClientSideProviders.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\pl\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\de\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\PresentationFramework-SystemXml.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\pt-BR\System.Windows.Controls.Ribbon.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\pl\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\fr\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Text.RegularExpressions.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Text.Encoding.CodePages.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Net.Ping.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Security.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Data.Common.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Threading.Thread.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Private.Uri.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\it\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.IO.Compression.FileSystem.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\PresentationFramework-SystemXmlLinq.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\zh-Hant\PresentationFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\es\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\zh-Hant\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\zh-Hans\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\cs\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\zh-Hans\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\PresentationFramework.Luna.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\es\Microsoft.VisualBasic.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\api-ms-win-core-fibers-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Net.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.ComponentModel.Annotations.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\Microsoft.Win32.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\it\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Windows.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\System.Drawing.Common.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\es\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\PresentationFramework.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\es\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\es\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Numerics.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\ko\PresentationFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\it\UIAutomationClientSideProviders.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.ComponentModel.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Transactions.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\zh-Hans\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\Microsoft.WindowsDesktop.App.runtimeconfig.json	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Net.WebClient.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Security.SecureString.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\zh-Hans\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\zh-Hant\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.Diagnostics.StackTrace.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\System.Windows.Input.Manipulations.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\PresentationFramework.AeroLite.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\System.Diagnostics.EventLog.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.11\System.IO.UnmanagedMemoryStream.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\System.Windows.Forms.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\zh-Hant\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.11\it\PresentationCore.resources.dll	msiexec.exe

Drops file in Windows directory 34 IoCs

Processes:

MicrosoftEdge.exemsiexec.exeMicrosoftEdgeCP.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5909a7.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI2CF6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e59099f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A37.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DB5.tmp	msiexec.exe
File created	C:\Windows\Installer\e5909a7.msi	msiexec.exe
File created	C:\Windows\Installer\e5909aa.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B92B890A-04F2-4880-BA20-20D4364FB263}	msiexec.exe
File created	C:\Windows\Installer\e5909a6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F9C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A39D4115-3A27-4245-AE92-3214B8B21932}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D34.tmp	msiexec.exe
File created	C:\Windows\Installer\e59099e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI344A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A0D.tmp	msiexec.exe
File created	C:\Windows\Installer\e59099b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59099b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C3DD1448-513A-4DB8-978D-6991562EA63D}	msiexec.exe
File created	C:\Windows\Installer\e59099f.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5E63E49B-C88C-46C5-855C-A7B07C11CDC8}	msiexec.exe
File created	C:\Windows\Installer\e5909a2.msi	msiexec.exe
File created	C:\Windows\Installer\e5909a3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI721C.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1061.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B34.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5909a3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI45D4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5606.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeMicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exewindowsdesktop-runtime-6.0.11-win-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.47.50420_x64	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A098B29B2F400884AB02024D63F42B36\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.47.50419_x64\ = "{A39D4115-3A27-4245-AE92-3214B8B21932}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5114D93A72A35424EA2923418B2B9123\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{D87FC005-CECE-4461-AE9E-F2E37E2654 = b9666b0dcc04d901	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{65D5EC31-C1FE-4ACF-B22C-F3D854AAF7AA} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8441DD3CA3158BD479D8961965E26AD3\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A098B29B2F400884AB02024D63F42B36\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A098B29B2F400884AB02024D63F42B36\Version = "808436980"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{433E8BA1-F039-4D4A-BBD8-E244A105D950}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.47.50420_x64\Version = "48.47.50420"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000bc5b24698e7b4b800e28c3fe81fec45244e7f45602e974bebbafb58d91f7e0a8044c06aeb5ca508690da3143a4301b7d4206054df21e8f8af1c8	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5114D93A72A35424EA2923418B2B9123\PackageCode = "7E24F763138E64649986090F8F760614"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8441DD3CA3158BD479D8961965E26AD3\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8441DD3CA3158BD479D8961965E26AD3\SourceList\PackageName = "dotnet-runtime-6.0.11-win-x64.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A098B29B2F400884AB02024D63F42B36\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dotnet.microsoft.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B94E36E5C88C5C6458C57A0BC711DC8C\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4419E120B9C5C90451BADB4C866D9EB7	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A098B29B2F400884AB02024D63F42B36	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3e5230ffcb04d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8441DD3CA3158BD479D8961965E26AD3\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B94E36E5C88C5C6458C57A0BC711DC8C\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.47.50419_x64\Dependents	windowsdesktop-runtime-6.0.11-win-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8c8ea213cc04d901	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{c4846f79-a633-4ae4-92a3-92fdbeb33da2}\Version = "6.0.11.31823"	windowsdesktop-runtime-6.0.11-win-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{D87FC005-CECE-4461-AE9E-F2E37E2654	browser_broker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A098B29B2F400884AB02024D63F42B36\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000006f5b79cc770851e9e5dcd4e3a0ca9877e7be0e8f18ae577a747cace52a3d8f95ec76c303c856a203fa11cd952dcd9b99b8d628da660784826a916e1b819ee4e88872ec8be0026ecb702fab727615376e1e1f41fe1bcdc87b745f1b1ab6d483dca5ef6dcd4b2b46e3d8d51df6f8c18956db38f5613220ff972d864c193c006d670f8ec11996f0cec601a58698c0f3ac6683c312203a20167e7ca6093ee3404cbf36edf0c45073fb77123d12bcbeca799c185fef6807edd624ce5e0f1488b5c60168adc94f8bd26502e63e252d36662e6292ab09f40ca7d078c850f59025807516b66e95a36c2f15ca7b49832f5de703643a494386526e65d5cd1b42ac5cbf1ceeafd0b65ab6a806ada1fcfe1e946c2bb553d8e07f6062124f9a5feb87d393ab11f973d61c575f3df46ef91c66cb17a042a6f7d68011a30ecafcbc1d228f1ca07cc0f73108fb723b1102de5643110786981048fc1d3e5164e4f7d26da2477be3c901fde62d0103a531944c3111435c84f77e6a0c9d178c15aa1f41f1270ece2baf3c235119a330c89f22e417287d3632b8c1fce7cf7474db250deaa76ef2791cb93262514b6d7f	MicrosoftEdge.exe

NTFS ADS 1 IoCs

Processes:

browser_broker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.11-win-x64.exe.s2hs8ta.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exemsiexec.exeUniverseCity.exechrome.exe

pid	process
4476	chrome.exe
4476	chrome.exe
2744	chrome.exe
2744	chrome.exe
4144	chrome.exe
4144	chrome.exe
4172	chrome.exe
4172	chrome.exe
4948	chrome.exe
4948	chrome.exe
1924	chrome.exe
1924	chrome.exe
4980	chrome.exe
4980	chrome.exe
1232	chrome.exe
1232	chrome.exe
2744	chrome.exe
2744	chrome.exe
2044	chrome.exe
2044	chrome.exe
2084	chrome.exe
2084	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
4320	msiexec.exe
4320	msiexec.exe
4320	msiexec.exe
4320	msiexec.exe
4320	msiexec.exe
4320	msiexec.exe
4320	msiexec.exe
4320	msiexec.exe
504	UniverseCity.exe
504	UniverseCity.exe
504	UniverseCity.exe
504	UniverseCity.exe
3860	chrome.exe
3860	chrome.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4620 MicrosoftEdgeCP.exe
4620 MicrosoftEdgeCP.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

2744 chrome.exe
2744 chrome.exe
2744 chrome.exe
2744 chrome.exe
2744 chrome.exe
2744 chrome.exe

pid	process
4620	MicrosoftEdgeCP.exe
4620	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exewindowsdesktop-runtime-6.0.11-win-x64.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3620	MicrosoftEdge.exe
Token: SeDebugPrivilege	3620	MicrosoftEdge.exe
Token: SeDebugPrivilege	3620	MicrosoftEdge.exe
Token: SeDebugPrivilege	3620	MicrosoftEdge.exe
Token: SeDebugPrivilege	3168	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3168	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3168	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3168	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4784	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4784	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3620	MicrosoftEdge.exe
Token: SeShutdownPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeIncreaseQuotaPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeSecurityPrivilege	4320	msiexec.exe
Token: SeCreateTokenPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeLockMemoryPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeIncreaseQuotaPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeMachineAccountPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeTcbPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeSecurityPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeTakeOwnershipPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeLoadDriverPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeSystemProfilePrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeSystemtimePrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeProfSingleProcessPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeIncBasePriorityPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeCreatePagefilePrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeCreatePermanentPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeBackupPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeRestorePrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeShutdownPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeDebugPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeAuditPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeSystemEnvironmentPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeChangeNotifyPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeRemoteShutdownPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeUndockPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeSyncAgentPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeEnableDelegationPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeManageVolumePrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeImpersonatePrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeCreateGlobalPrivilege	2792	windowsdesktop-runtime-6.0.11-win-x64.exe
Token: SeRestorePrivilege	4320	msiexec.exe
Token: SeTakeOwnershipPrivilege	4320	msiexec.exe
Token: SeRestorePrivilege	4320	msiexec.exe
Token: SeTakeOwnershipPrivilege	4320	msiexec.exe
Token: SeRestorePrivilege	4320	msiexec.exe
Token: SeTakeOwnershipPrivilege	4320	msiexec.exe
Token: SeRestorePrivilege	4320	msiexec.exe
Token: SeTakeOwnershipPrivilege	4320	msiexec.exe
Token: SeRestorePrivilege	4320	msiexec.exe
Token: SeTakeOwnershipPrivilege	4320	msiexec.exe
Token: SeRestorePrivilege	4320	msiexec.exe
Token: SeTakeOwnershipPrivilege	4320	msiexec.exe
Token: SeRestorePrivilege	4320	msiexec.exe
Token: SeTakeOwnershipPrivilege	4320	msiexec.exe
Token: SeRestorePrivilege	4320	msiexec.exe
Token: SeTakeOwnershipPrivilege	4320	msiexec.exe
Token: SeRestorePrivilege	4320	msiexec.exe
Token: SeTakeOwnershipPrivilege	4320	msiexec.exe
Token: SeRestorePrivilege	4320	msiexec.exe
Token: SeTakeOwnershipPrivilege	4320	msiexec.exe
Token: SeRestorePrivilege	4320	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3620 MicrosoftEdge.exe
4620 MicrosoftEdgeCP.exe
4620 MicrosoftEdgeCP.exe

pid	process
3620	MicrosoftEdge.exe
4620	MicrosoftEdgeCP.exe
4620	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2744 wrote to memory of 2776	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 2776	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4472	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4476	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 4476	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe
PID 2744 wrote to memory of 3564	2744	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://universe-city.io
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffccc014f50,0x7ffccc014f60,0x7ffccc014f70
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1704 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 /prefetch:8
2⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 /prefetch:8
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5020 /prefetch:8
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8
2⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3088 /prefetch:8
2⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5516 /prefetch:8
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5536 /prefetch:8
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5720 /prefetch:8
2⤵
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4108 /prefetch:8
2⤵
PID:420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1456 /prefetch:8
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5704 /prefetch:8
2⤵
PID:96

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1468 /prefetch:8
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 /prefetch:8
2⤵
PID:2088

C:\Users\Admin\Downloads\Launcher.exe
"C:\Users\Admin\Downloads\Launcher.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4160 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4388 /prefetch:8
2⤵
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
2⤵
PID:3304

C:\Users\Admin\Downloads\Launcher.exe
"C:\Users\Admin\Downloads\Launcher.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544

C:\Users\Admin\Downloads\UniverseCity.exe
"C:\Users\Admin\Downloads\UniverseCity.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1368 /prefetch:8
2⤵
PID:348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=864 /prefetch:8
2⤵
PID:3880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3116 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:8
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3116 /prefetch:8
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:8
2⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,5663721796954326047,12892509551562769064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
2⤵
PID:4136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:4024

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.11-win-x64.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.11-win-x64.exe"
2⤵
- Executes dropped EXE
PID:3668

C:\Windows\Temp\{3D04CB53-8380-4C70-9E3F-BA328B8C56EC}\.cr\windowsdesktop-runtime-6.0.11-win-x64.exe
"C:\Windows\Temp\{3D04CB53-8380-4C70-9E3F-BA328B8C56EC}\.cr\windowsdesktop-runtime-6.0.11-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.11-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044

C:\Windows\Temp\{7226E71A-2AA0-4778-8820-27E4036D4C40}\.be\windowsdesktop-runtime-6.0.11-win-x64.exe
"C:\Windows\Temp\{7226E71A-2AA0-4778-8820-27E4036D4C40}\.be\windowsdesktop-runtime-6.0.11-win-x64.exe" -q -burn.elevated BurnPipe.{429C5A02-2B41-4086-B503-2161B7EC4D9F} {D1EA8C61-FF02-409C-841E-B520BEB62F19} 2044
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4620

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1516

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FB64B3816FB5FC5B91D50C468800865D
2⤵
- Loads dropped DLL
PID:4944

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1BBE11EC96557F681B4289E6F49787B3
2⤵
- Loads dropped DLL
PID:1564

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 27C90E323C0ABCB639AA17408AA27294
2⤵
- Loads dropped DLL
PID:3728

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C5A019528C892D42A4E4FBA8A05B9342
2⤵
- Loads dropped DLL
PID:4172

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
PID:4616

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4616_263675363\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4616_263675363\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={6b993ea5-2ac5-4fec-8df3-6e7f1d45cbbd} --system
2⤵
- Executes dropped EXE
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.11-win-x64.exe
Filesize
54.6MB

MD5
31d5495a920e58008c9435370f3fa3b2

SHA1
b9e3ab8e3048170d9e3eabf6761d423eb4c93c6d

SHA256
c650a0969049c26a2f7b302eb1e6c9bfcc2cfe4133c40ec8497af29b453c177d

SHA512
37bef9107a069edd977c135fc54bf84f1b46862ef2636caeb9c7ddd9f53627f83cb69d6ecf79cb640d7979c7ebe80c03b1222c6c52d7a991e6c399c91fe902c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.11-win-x64.exe
Filesize
54.6MB

MD5
31d5495a920e58008c9435370f3fa3b2

SHA1
b9e3ab8e3048170d9e3eabf6761d423eb4c93c6d

SHA256
c650a0969049c26a2f7b302eb1e6c9bfcc2cfe4133c40ec8497af29b453c177d

SHA512
37bef9107a069edd977c135fc54bf84f1b46862ef2636caeb9c7ddd9f53627f83cb69d6ecf79cb640d7979c7ebe80c03b1222c6c52d7a991e6c399c91fe902c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-6.0.11-win-x64.exe.s2hs8ta.partial
Filesize
54.6MB

MD5
31d5495a920e58008c9435370f3fa3b2

SHA1
b9e3ab8e3048170d9e3eabf6761d423eb4c93c6d

SHA256
c650a0969049c26a2f7b302eb1e6c9bfcc2cfe4133c40ec8497af29b453c177d

SHA512
37bef9107a069edd977c135fc54bf84f1b46862ef2636caeb9c7ddd9f53627f83cb69d6ecf79cb640d7979c7ebe80c03b1222c6c52d7a991e6c399c91fe902c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\L975L9YF\windowsdesktop-runtime-6.0.11-win-x64[1].exe
Filesize
7.0MB

MD5
5fe53fc2e97f8ef5dca673de81684c8d

SHA1
80f534bb4e36fc1a3db1788d5ffc1fbd4924c5d7

SHA256
0c9f233d2f99955deb6b4c4495b2481c9087ad8b0f86a6edd949ea8fa50578c1

SHA512
38433f17877955c6aed59e70fae7142fe699a00bcbd90db3b6b370747675f623bb3cf92e2d8e5b0fb76ddcb959cbc8129799cd7413bbad5f4a2545e6af78009c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.11_(x64)_20221130145732_000_dotnet_runtime_6.0.11_win_x64.msi.log
Filesize
2KB

MD5
3ced32aa915916dcab80dd9f11d638c0

SHA1
eeb8d9783f246818135d7b6437ba4c8ab6e7d4a5

SHA256
a27711f1bd6958672cc8dea9fde992956a1505889e2409aee27179905a1a5c7d

SHA512
f73e7354529847ca1bdebbf5fd8bf423ab9f476f9c6b57e86083d8ff696a33575772b0c20c1ff6c60a10c0faae157a6a12d3b45f5384ebe9922c421957383f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.11_(x64)_20221130145732_001_dotnet_hostfxr_6.0.11_win_x64.msi.log
Filesize
2KB

MD5
b76a1a060048df242603fd9a1ceea4bb

SHA1
d94ebd1503b8499d3b792b43f2b1a3868d0f9a87

SHA256
5d0787228be846bb67a8f19b2ea1f689b6f0f978532f1afb817d17fab69a2d01

SHA512
5b1fecaea780c6447a04e3d43ee1c08f28c9656bb251c5fcf727326f253554a3cc9384771da2aed298f13de96e4eb4b9095532576d77171ffa1f0a2c6f2bc2b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.11_(x64)_20221130145732_002_dotnet_host_6.0.11_win_x64.msi.log
Filesize
2KB

MD5
ae3199f3727d46001f1f4676decb80f0

SHA1
7a6338d2c38c82286f1207cedc94de98b7829f37

SHA256
4358ceaf950a40a3a84eae89f2cd3409a9f8b0bc0e2091a2ed7064a03bd12527

SHA512
cbb551f7d4d94fa0f789aee0325f114db4dbca871643944339557fc00d330e90b214cf86f247319e8fbc75402ec1fa7fb7b9ed3acb0db367bcb247315fc15263

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.11_(x64)_20221130145732_003_windowsdesktop_runtime_6.0.11_win_x64.msi.log
Filesize
2KB

MD5
53678f53b720881e06ca14b46894dd1d

SHA1
83be261ec3b61d1fc36a9621caf3dd934da3bbc2

SHA256
61139113ee82328df366977d3e0ed9c5ba128604ab1b47524fe218cb1abd6cca

SHA512
c540a82e0d1b1b644cc794285f42311b33b71d690ab920433064281cfd7a8d6fed7d1f2f0eec87accdf7ed9f150e4d3ed7f678c9dc989f4a9b193747a3decba0

Download Submit
C:\Users\Admin\Downloads\Launcher.exe
Filesize
410.9MB

MD5
dc8429522c9095cd81504b8adb1e336d

SHA1
2ddf1f50d7e5102219a1114485fb90618bcc4388

SHA256
b2f2844db210bdcfbc8512b64e55891fdb068bc588a9f6c758c7439b967065dd

SHA512
d9a8445a5a6f586fc8f80e8757bac44dd7724234099e0ac7d550d6c996b0ff857348c35e6ea1b6187f86e0fb58b246373f358579067cf50a58c35675f71e9d09

Download Submit
C:\Users\Admin\Downloads\Launcher.exe
Filesize
410.9MB

MD5
dc8429522c9095cd81504b8adb1e336d

SHA1
2ddf1f50d7e5102219a1114485fb90618bcc4388

SHA256
b2f2844db210bdcfbc8512b64e55891fdb068bc588a9f6c758c7439b967065dd

SHA512
d9a8445a5a6f586fc8f80e8757bac44dd7724234099e0ac7d550d6c996b0ff857348c35e6ea1b6187f86e0fb58b246373f358579067cf50a58c35675f71e9d09

Download Submit
C:\Windows\Installer\MSI1061.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI2CF6.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI344A.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI3B34.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI3DB5.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI4A0D.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Temp\{3D04CB53-8380-4C70-9E3F-BA328B8C56EC}\.cr\windowsdesktop-runtime-6.0.11-win-x64.exe
Filesize
610KB

MD5
182aa2cc4f6911fcfaa64612d77b69b4

SHA1
3601e2c384d6e50d0bf6a9e398431a9dac2f86de

SHA256
c966caa94f8abdccf5bff16cbbe6fc0ff4cba6f25a54dbd61427b9bdc3362b0c

SHA512
788329c230816239fd6a37d37452059cec1bb8adbc5d73f6c2bbd5b065401ab691d706d040e271d9de1f4b318c39b2fa05d4a8a2ea246f3800f4343752fb4c46

Download Submit
C:\Windows\Temp\{3D04CB53-8380-4C70-9E3F-BA328B8C56EC}\.cr\windowsdesktop-runtime-6.0.11-win-x64.exe
Filesize
610KB

MD5
182aa2cc4f6911fcfaa64612d77b69b4

SHA1
3601e2c384d6e50d0bf6a9e398431a9dac2f86de

SHA256
c966caa94f8abdccf5bff16cbbe6fc0ff4cba6f25a54dbd61427b9bdc3362b0c

SHA512
788329c230816239fd6a37d37452059cec1bb8adbc5d73f6c2bbd5b065401ab691d706d040e271d9de1f4b318c39b2fa05d4a8a2ea246f3800f4343752fb4c46

Download Submit
C:\Windows\Temp\{7226E71A-2AA0-4778-8820-27E4036D4C40}\.be\windowsdesktop-runtime-6.0.11-win-x64.exe
Filesize
610KB

MD5
182aa2cc4f6911fcfaa64612d77b69b4

SHA1
3601e2c384d6e50d0bf6a9e398431a9dac2f86de

SHA256
c966caa94f8abdccf5bff16cbbe6fc0ff4cba6f25a54dbd61427b9bdc3362b0c

SHA512
788329c230816239fd6a37d37452059cec1bb8adbc5d73f6c2bbd5b065401ab691d706d040e271d9de1f4b318c39b2fa05d4a8a2ea246f3800f4343752fb4c46

Download Submit
C:\Windows\Temp\{7226E71A-2AA0-4778-8820-27E4036D4C40}\.be\windowsdesktop-runtime-6.0.11-win-x64.exe
Filesize
610KB

MD5
182aa2cc4f6911fcfaa64612d77b69b4

SHA1
3601e2c384d6e50d0bf6a9e398431a9dac2f86de

SHA256
c966caa94f8abdccf5bff16cbbe6fc0ff4cba6f25a54dbd61427b9bdc3362b0c

SHA512
788329c230816239fd6a37d37452059cec1bb8adbc5d73f6c2bbd5b065401ab691d706d040e271d9de1f4b318c39b2fa05d4a8a2ea246f3800f4343752fb4c46

Download Submit
C:\Windows\Temp\{7226E71A-2AA0-4778-8820-27E4036D4C40}\dotnet_host_6.0.11_win_x64.msi
Filesize
736KB

MD5
df78dbc61d351dbb76475031caeb8282

SHA1
b39e644c2bd0d6d4bda2dffea9c7bc837e3ab18e

SHA256
30beb8f1117efe41768604687ce06d77e8312145e039b28efcf3d85b67714fc8

SHA512
a70bcb875eee005bd9568c0713ee1770263160329a24af2d0264699a015ec09f4a3e31a6677fc0d5534399ff53a6a824b651687fdcfaf9117f2212c93869e8a6

Download Submit
C:\Windows\Temp\{7226E71A-2AA0-4778-8820-27E4036D4C40}\dotnet_hostfxr_6.0.11_win_x64.msi
Filesize
804KB

MD5
dfdc84c97a75d9a569ebf105150a89a5

SHA1
5c71b53e69b36f0b41aec3af2509c2db8588aedc

SHA256
27157e6e11ef5b9b2802bf491969f24c0af8668d174a18b8c0db2f8859304a7d

SHA512
70a1bf49bd34da4d2c46847ca1bb99878e1689e00709f971a0e949112e1bdd7d2a8d22b274f0f36146e68c73435e7371910f44b62b71e363a0857e3e08887a0d

Download Submit
C:\Windows\Temp\{7226E71A-2AA0-4778-8820-27E4036D4C40}\dotnet_runtime_6.0.11_win_x64.msi
Filesize
25.6MB

MD5
7ec5d5a579a0f1b6cdaaf1ffcf5b98bf

SHA1
53980ad394d1e53b92cd558fcbd9c50dbd8ba5ba

SHA256
042f6afc5166808216273eb7402f3990f5353f971ebe2ca13cd20cb3b73e40e9

SHA512
57d9aefecc8b11bce098e3c0122789b9997b864daea5f5f358f97bf614e87f6bfabc6fd62e9d7898982756cb4b546813b21ed4bb965d4fb0e58f0dae7c3f2cf0

Download Submit
C:\Windows\Temp\{7226E71A-2AA0-4778-8820-27E4036D4C40}\windowsdesktop_runtime_6.0.11_win_x64.msi
Filesize
28.5MB

MD5
3bb02ff9b33323d6942f57db9925fe54

SHA1
f9328024894394cc830b24398b3ba3c883ec1f07

SHA256
c10ef2dbccf27bb0fee95364d8ee41128a278702e2bfef5341f178112595529b

SHA512
32e3881e254a6a35c10b02507c05ec27e9f127d09baa12eb1b5362609c694512c66525a4d36f547b454847a5ba18e56c98fbe17a830350ad3655426e43b8fe8e

Download Submit
\??\pipe\crashpad_2744_EWGXZZKWMPDUTKHI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\Installer\MSI1061.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
\Windows\Installer\MSI2CF6.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
\Windows\Installer\MSI344A.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
\Windows\Installer\MSI3B34.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
\Windows\Installer\MSI3DB5.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
\Windows\Installer\MSI4A0D.tmp
Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
\Windows\Temp\{7226E71A-2AA0-4778-8820-27E4036D4C40}\.ba\wixstdba.dll
Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
memory/504-666-0x0000000006CA0000-0x0000000006D16000-memory.dmp

Filesize
472KB

Download
memory/504-668-0x0000000006E10000-0x0000000006FD2000-memory.dmp

Filesize
1.8MB

Download
memory/504-649-0x00000000055E0000-0x000000000561E000-memory.dmp

Filesize
248KB

Download
memory/504-656-0x0000000006430000-0x00000000064C2000-memory.dmp

Filesize
584KB

Download
memory/504-652-0x00000000062D0000-0x000000000631B000-memory.dmp

Filesize
300KB

Download
memory/504-640-0x00000000056B0000-0x0000000005BAE000-memory.dmp

Filesize
5.0MB

Download
memory/504-642-0x00000000054E0000-0x000000000552A000-memory.dmp

Filesize
296KB

Download
memory/504-643-0x0000000005BB0000-0x00000000061B6000-memory.dmp

Filesize
6.0MB

Download
memory/504-645-0x00000000055B0000-0x00000000055C2000-memory.dmp

Filesize
72KB

Download
memory/504-646-0x00000000061C0000-0x00000000062CA000-memory.dmp

Filesize
1.0MB

Download
memory/504-624-0x0000000000400000-0x0000000000D6B000-memory.dmp

Filesize
9.4MB

Download
memory/504-677-0x0000000000400000-0x0000000000D6B000-memory.dmp

Filesize
9.4MB

Download
memory/504-635-0x0000000003140000-0x000000000318E000-memory.dmp

Filesize
312KB

Download
memory/504-658-0x00000000064D0000-0x0000000006536000-memory.dmp

Filesize
408KB

Download
memory/504-580-0x0000000000000000-mapping.dmp

Download
memory/504-667-0x0000000006D30000-0x0000000006D4E000-memory.dmp

Filesize
120KB

Download
memory/504-602-0x0000000000400000-0x0000000000D6B000-memory.dmp

Filesize
9.4MB

Download
memory/504-669-0x0000000007030000-0x000000000755C000-memory.dmp

Filesize
5.2MB

Download
memory/1544-555-0x0000000000000000-mapping.dmp

Download
memory/1564-366-0x0000000000000000-mapping.dmp

Download
memory/1948-692-0x0000000000000000-mapping.dmp

Download
memory/2044-184-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-190-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-175-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-179-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-180-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-178-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-171-0x0000000000000000-mapping.dmp

Download
memory/2044-182-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-183-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-176-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-185-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-181-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-187-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-186-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-188-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-177-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-192-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-191-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-189-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-193-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-194-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-195-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-174-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2044-173-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-121-0x0000000000000000-mapping.dmp

Download
memory/2792-237-0x0000000000000000-mapping.dmp

Download
memory/3168-127-0x0000018B55000000-0x0000018B55002000-memory.dmp

Filesize
8KB

Download
memory/3620-124-0x000001AF8EC20000-0x000001AF8EC30000-memory.dmp

Filesize
64KB

Download
memory/3620-125-0x000001AF8ED20000-0x000001AF8ED30000-memory.dmp

Filesize
64KB

Download
memory/3668-160-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-137-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-164-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-170-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-163-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-161-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-166-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-157-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-159-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-158-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-156-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-149-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-155-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-154-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-151-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-169-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-153-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-152-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-150-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-148-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-147-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-168-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-146-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-145-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-144-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-143-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-141-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-142-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-140-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-139-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-138-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-165-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-136-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-134-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-135-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-133-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-132-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3668-130-0x0000000000000000-mapping.dmp

Download
memory/3668-167-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-426-0x0000000000000000-mapping.dmp

Download
memory/4172-486-0x0000000000000000-mapping.dmp

Download
memory/4944-306-0x0000000000000000-mapping.dmp

Download