hxxps://www[.]google[.]ca/

Resubmissions

31/07/2024, 19:36

240731-ybllpszcpk 8

31/07/2024, 19:33

240731-x9mqzszbqk 6

31/07/2024, 19:31

240731-x8mdtsthpe 10

Analysis

max time kernel
267s
max time network
265s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31/07/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.ca/

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ClipSVC\Parameters\ServiceDll = "%SystemRoot%\\System32\\ClipSVC.dll"	M Centre.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\FUNDING.yml.txt	NOTEPAD.EXE
File opened for modification	C:\Windows\System32\FUNDING.yml.txt	NOTEPAD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M Centre.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\Mode = "1"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a00000002e37a3569cced2119f0e006097c686f60700000028000000e0859ff2f94f6810ab9108002b27b3d902000000a00000002e37a3569cced2119f0e006097c686f602000000780000002e37a3569cced2119f0e006097c686f60400000088000000	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\0\0	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\FFlags = "1092616193"	M Centre.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupView = "0"	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	M Centre.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Documents"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\5\0\0\0\0\MRUListEx = ffffffff	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202020202	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	M Centre.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Music"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{94D6DDCC-4A68-4175-A374-BD584A510B78}\GroupView = "0"	M Centre.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 050000000400000003000000020000000000000001000000ffffffff	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	M Centre.exe
Key created	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	M Centre.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	M Centre.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\SniffedFolderType = "Generic"	M Centre.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
1120	msedge.exe
1120	msedge.exe
2072	identity_helper.exe
2072	identity_helper.exe
3536	msedge.exe
3536	msedge.exe
4296	msedge.exe
4296	msedge.exe
2420	M Centre.exe
2420	M Centre.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
1556	msedge.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	M Centre.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	M Centre.exe
Token: SeDebugPrivilege	4948	taskmgr.exe
Token: SeSystemProfilePrivilege	4948	taskmgr.exe
Token: SeCreateGlobalPrivilege	4948	taskmgr.exe
Token: 33	4948	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4948	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
2420	M Centre.exe
2420	M Centre.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2420	M Centre.exe
2420	M Centre.exe
2420	M Centre.exe
2420	M Centre.exe
2420	M Centre.exe
2420	M Centre.exe
2420	M Centre.exe
2420	M Centre.exe
2420	M Centre.exe
2420	M Centre.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4268	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 800	1120	msedge.exe	83
PID 1120 wrote to memory of 800	1120	msedge.exe	83
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 1552	1120	msedge.exe	84
PID 1120 wrote to memory of 5084	1120	msedge.exe	85
PID 1120 wrote to memory of 5084	1120	msedge.exe	85
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86
PID 1120 wrote to memory of 208	1120	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.ca/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff9cdfa46f8,0x7ff9cdfa4708,0x7ff9cdfa4718
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6240 /prefetch:8
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15903559017977967510,6816729449921718635,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5064 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\Temp1_M Centre.zip\M Centre.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_M Centre.zip\M Centre.exe"
1⤵
- Server Software Component: Terminal Services DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:3864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1404
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_M Centre.zip\System.Management.Automation.dll
  2⤵
  PID:3192

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Minecraft-Bedrock-Windows-10--main.zip\Minecraft-Bedrock-Windows-10--main\README.txt
1⤵
PID:3860

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Minecraft-Bedrock-Windows-10--main.zip\Minecraft-Bedrock-Windows-10--main\README.txt
1⤵
PID:4316

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Minecraft-Bedrock-Windows-10--main.zip\Minecraft-Bedrock-Windows-10--main\LICENSE.txt
1⤵
PID:2868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4380
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Minecraft-Bedrock-Windows-10--main.zip\Minecraft-Bedrock-Windows-10--main\.github\FUNDING.yml
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4268

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
506e03d65052f54028056da258af8ae6

SHA1
c960e67d09834d528e12e062302a97c26e317d0e

SHA256
b26d2695dfe8aed4d0d67d11b46d4542c3c9c8964533404dfe32ce7a3e6cfb98

SHA512
15da55267433c41febebbe48983023293c6d436f89a56138cef1cea7deb5cdd7d4bcf58af12835e1152a8ec59e08cfc965e521eb54eed47fe44e1f4c2d1557a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a15dea0d79ea8ba114ad8141d7d10563

SHA1
9b730b2d809d4adef7e8b68660a05ac95b5b8478

SHA256
0c4dd77399040b8c38d41b77137861002ef209c79b486f7bbdb57b5834cd8dbf

SHA512
810fc1fb12bceae4ca3fad2a277682c2c56f0af91a329048adbeb433715b1f707927274e3e4a4479222f578e8218663533440c71b22c49735a290f907cc0af1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
41KB

MD5
2a8a0496c0022a0e67d77d3446340499

SHA1
ed76b29d574b4dbfa9e5dd3e21147148a310258e

SHA256
f348937ab6c6d9835af1f55e3f1d3c51197dc1c071630611ebc6d44834fc44e9

SHA512
d3767a8eafe019a15c2142d1160271ecc62f6e7d5623c0ae5fade269c8c9cf7de3b80678ed64bb9546bcf4d80fa66e11cacd19f2a7e295a6fec2a64ec8068c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
74c0a9aceda2547c4b5554c0425b17ba

SHA1
d5d2355e5919dcf704192787f4b2fbb63b649b0f

SHA256
3b9e3adb939801b9ada1ce67afc7decef4538c016c78113697b89a35a295dd8d

SHA512
e178dce4a59cf184bcca3523e687092f4edc2a3c7af4eddf1ca1965ca06347eadf8901f851260264c14fa052331b2d1aeef2a6b9048b87758617285c9650b479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a7426867b23beed584ed286ec7637e24

SHA1
c22e823f41e67a238e37c27bb8684d93402340ec

SHA256
4825b40da9cb8dcf5a678844cc584b3a9fc8438a16b050d2371fba04dfdea207

SHA512
9808df2c9aac556a453618c64feb19d2628e4c5aea6a73de3593ceaa111838b3e5cad686971f6dfc29a1575bde555c63683bb1e271d583d0f138fbddfe2aa70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6ef0c1c4b54739b7cc565a1082540bf0

SHA1
b83cf6a61b9d8bcdef40e08d693addbc10a889da

SHA256
75b7e3b2f66ecc6c22b9aed1194c17bdba32ff120cba1994e01c40978a3c9959

SHA512
9fd1d0767d0e292fb777cca5b122d3c0f3e50d3e14f0ac50efe1b344833ec335b63aa1e3acb2aec2efa7ec7b5e408e1fcda34582bc2daf7970b47300cccc15e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8d68976515f8eaa61450ed7dc7410566

SHA1
b5b4711ae2880b1c9063b15a0a26ff4dff4e0bf1

SHA256
798f41328cc14bdf7aa55bca489cede7e1a54e31475f85f997ac2cb7ba547748

SHA512
00a5f688ed42a47b025fe62217007732338f728dd0decfadea1d7f7deb2851072e298da7ee2174addb3605f09ea918a9c8a460b5035f2186b5a9e37de0cb24f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80a3dd91421ff868b696bd7365dc5cd7

SHA1
29b2c6f3e8dfa4981f6c9b2a685f8355f3e82ba5

SHA256
d44be6b6a529beb6799dc40dd5eb10db8e92ab77d6cf916ef59dcf4b91f513f3

SHA512
da1467277fafbfc580be3c7ce71877442e7a9e5aaec5be8e7a9404a6fba0b66ff366d8a1d9c8a935e50f30d6ce2d29c363355243bcdae4999c6751156eaecd0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c727e0a728eefd64acdb0b300774add6

SHA1
dee845ea2c16b86edef524779a1b158359e20440

SHA256
0996f06c55127854cde62f1b8e6467f826ec46b4462f37c580afc5fe52e7220c

SHA512
bfe1f935b0e98e0b1354a7d38bf10818e51999b018afc1c31afb9e0f009ff18b70c6f97d59a4d5380b5ad872c72666860ecef07d411f588c54ef5008fee9d39a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
119c3678223cd4c7fbe3c108971aa839

SHA1
e31ef716b7dc999ceda86987704c17a8ce701c3b

SHA256
14a0090efedef213af09baeb25c1154649d943416893c56e98bd30dcafca8943

SHA512
3edbf56a1cc803fdacaadecc30922a81e4d21352ad74621c4e2090d371d5e98817170696d3ebd434eb9bbf3aa2c7cd5ef3b8f7db4a6dab5f74cc7098ab402fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b6ba79c40c316d21df44283aa471bbb8

SHA1
ce3217bde7dedbcc3ffd576e2a24c92931751f3f

SHA256
0cf85a3aea8cd9949e5dc986a13fe59777244aa1bb48f1537c0530719f5b1504

SHA512
63827bfc459e21a3fc57188f590869dacc83eb06874a7d66c3d5751567e97b1a97a87d8bfbd0bba9acef91433ce94273725243bf14d63d321e9659e2e62780d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9433b8b21c2c33923fbe1ed4cb0a9fb8

SHA1
44d9d6cdc295234868aafbfc5353f2bc96cebae2

SHA256
fd01e7085f426a03b72729108d9d8d85208a980c2ec0484de23d4368f529c90e

SHA512
329b0678adb7e501bb379b8ab87cce84d36fb09e911102bb8f0d63014aeb9c79391ce2baeb7ff566602edbe8593d20b89c828e2a45d19711e6080ddfc4971d25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
443b09360e991e6a7be2ff706c2fd330

SHA1
e019d4a94ce4f18d0a1bab94b7745ab8bf4719f7

SHA256
b0bf73c84a1af5cc6592d851bad8317cf97a0a127cd639bd19b8c166bbb5deea

SHA512
4a3a4a6f6eff44fb8e92f61c5a2fc784b10fa890e9e91f9323791a678bd3dc2155cb2dd049961732787ddf594fccd6a5b5adf91f998845d2ef828381d391ada0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ba1f50e4ba333d25ad780676b1b9ccf7

SHA1
91f4b2c696eac5ae8be16c6d58a70d6b899d353b

SHA256
6f959cbea3092e970b70a0a2e531760ca4a56541f6093d8e27a05eeb98a67005

SHA512
3ed0f550113676e7ba91fda2ac4c55ff74c02be291d270fdcbeb8446acc1ae3d2822a5e4bd3dba40bf5907038710f60ff84885a2234709a6ddabfc89c89c20b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e966ee6600c2ffb8b18544301cbf5be9

SHA1
4b93f636697c74c84e4abb069e1ceb6e373646f6

SHA256
012f65f02267366a62d3c3736e494a30af53b2afc2670f63802f57c8de78988d

SHA512
e6510d399bf0d7221b1c0d16dc0959117112d7bc90d97319bf49d2bd575fc35e390d65982d830dbc70c9d065a144918fdd56606dd1f93a0cf6cd6361793389fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
3568fabf823a077342e0af1f121c23ae

SHA1
6fd921f9d4dfa9a9c80f001e26df1808c79e7d5b

SHA256
7583ca914ba1858a98ea7c9396ea3bbb06d356f37e7e00f1cf75bd521f1cc025

SHA512
f0ff4dcb8dffac88f3bca5a02195ab1599d98587369ce731a35a127651a6c619542d0ec2d30f009f3ae7b5a5a2389f4544d58df01bb2ea95017d7540a4ead96b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e1f4.TMP

Filesize
202B

MD5
7928bfd2b3b533e649e7aec2f463ba6d

SHA1
15172107ec284985b47651ff6b1f24b16783543d

SHA256
ca61fe3744765e386f36f8b622dfad95eb5544e3fdb12f0da3b2dda0a2895d26

SHA512
3d250d7a828bf08b3727b55b961460bf77657743fd4a0f2188e8012da69d35617d6738d9008d2ec1083049375802f286d4f1a71ccc1476714c7c7d816f256b3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
40419345414c874a675028ff809d9c36

SHA1
6b971399b6fe57cff00d64533692a3904f298bcd

SHA256
189529b66077bed20f7853216ec667e67eb985340112c92b37e8b66361e3ffe3

SHA512
c0e0d1a715e4e65abcdb917d572d9941576312495fa1685d34ff8cccf36355b0cbb4c3de74cb04bf8e1fd19f3233b9088de8c1d0eca6bc6cc994ab86158f1976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
283b5cf37d9f697d72f70b5fc5bf49da

SHA1
bc0a3b7a7fee103d8e0798963dbddaf453f48a19

SHA256
9fff7d47a51d71a32d28334769b861faea4d9822a8c4536d02801b7a00ba7910

SHA512
ed58636de54204beba0a5d04e9e6fd6174fdfedf9b05ee4ea4820aaf707096118dc06c02bcc2a6178aade83cc7e32f46be8e9828dd00bb6c1f5730c6ab2dd5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45g2t5b2.ndb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Minecraft-Bedrock-Windows-10--main.zip

Filesize
2.1MB

MD5
9a38625320b48794753f0e97d8717c98

SHA1
7a2a44f3a7f82f350089058592486b1c769a99a8

SHA256
805f99ef2580279eb0729d451be50e208a3f3b259f32ab7dafb4e29356c3f223

SHA512
b2a083d26cb7ceaa1b1892eac7c9b3838f2d1ec6074ae00c5efbc31a71b4494f102d3287ea44e6a5319e29f4f24cd290bd1aa55bce901d0b38574d7c5bfd29f5

Download Submit
memory/2420-854-0x000000000E570000-0x000000000E592000-memory.dmp

Filesize
136KB

Download
memory/2420-862-0x000000000EE90000-0x000000000EEDC000-memory.dmp

Filesize
304KB

Download
memory/2420-819-0x0000000009670000-0x000000000967E000-memory.dmp

Filesize
56KB

Download
memory/2420-840-0x000000000F6A0000-0x000000000FCC8000-memory.dmp

Filesize
6.2MB

Download
memory/2420-818-0x00000000096B0000-0x00000000096E8000-memory.dmp

Filesize
224KB

Download
memory/2420-850-0x000000000D600000-0x000000000D61A000-memory.dmp

Filesize
104KB

Download
memory/2420-851-0x000000000E530000-0x000000000E566000-memory.dmp

Filesize
216KB

Download
memory/2420-852-0x0000000010350000-0x00000000109CA000-memory.dmp

Filesize
6.5MB

Download
memory/2420-853-0x000000000E610000-0x000000000E6A6000-memory.dmp

Filesize
600KB

Download
memory/2420-817-0x0000000008A40000-0x0000000008A48000-memory.dmp

Filesize
32KB

Download
memory/2420-855-0x000000000E7F0000-0x000000000E856000-memory.dmp

Filesize
408KB

Download
memory/2420-856-0x000000000FCD0000-0x0000000010274000-memory.dmp

Filesize
5.6MB

Download
memory/2420-857-0x000000000E5E0000-0x000000000E5FE000-memory.dmp

Filesize
120KB

Download
memory/2420-858-0x000000000E8B0000-0x000000000E8FA000-memory.dmp

Filesize
296KB

Download
memory/2420-859-0x000000000F070000-0x000000000F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-860-0x000000000EBD0000-0x000000000EC36000-memory.dmp

Filesize
408KB

Download
memory/2420-861-0x000000000EC90000-0x000000000ECB2000-memory.dmp

Filesize
136KB

Download
memory/2420-820-0x00000000099B0000-0x00000000099BA000-memory.dmp

Filesize
40KB

Download
memory/2420-872-0x0000000011390000-0x00000000113AE000-memory.dmp

Filesize
120KB

Download
memory/2420-873-0x00000000113B0000-0x0000000011453000-memory.dmp

Filesize
652KB

Download
memory/2420-874-0x00000000117C0000-0x00000000117D6000-memory.dmp

Filesize
88KB

Download
memory/2420-875-0x00000000113A0000-0x00000000113AA000-memory.dmp

Filesize
40KB

Download
memory/2420-876-0x0000000011420000-0x0000000011446000-memory.dmp

Filesize
152KB

Download
memory/2420-816-0x0000000000FB0000-0x0000000000FFE000-memory.dmp

Filesize
312KB

Download
memory/2420-912-0x0000000005880000-0x0000000005888000-memory.dmp

Filesize
32KB

Download
memory/4948-915-0x000001E1AAAA0000-0x000001E1AAAA1000-memory.dmp

Filesize
4KB

Download
memory/4948-916-0x000001E1AAAA0000-0x000001E1AAAA1000-memory.dmp

Filesize
4KB

Download
memory/4948-917-0x000001E1AAAA0000-0x000001E1AAAA1000-memory.dmp

Filesize
4KB

Download
memory/4948-927-0x000001E1AAAA0000-0x000001E1AAAA1000-memory.dmp

Filesize
4KB

Download
memory/4948-926-0x000001E1AAAA0000-0x000001E1AAAA1000-memory.dmp

Filesize
4KB

Download
memory/4948-925-0x000001E1AAAA0000-0x000001E1AAAA1000-memory.dmp

Filesize
4KB

Download
memory/4948-924-0x000001E1AAAA0000-0x000001E1AAAA1000-memory.dmp

Filesize
4KB

Download
memory/4948-923-0x000001E1AAAA0000-0x000001E1AAAA1000-memory.dmp

Filesize
4KB

Download
memory/4948-922-0x000001E1AAAA0000-0x000001E1AAAA1000-memory.dmp

Filesize
4KB

Download
memory/4948-921-0x000001E1AAAA0000-0x000001E1AAAA1000-memory.dmp

Filesize
4KB

Download