71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c

Analysis

max time kernel
152s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
Size

888KB
MD5

1dc1098b0a80ddb5c7981720866ad9c0
SHA1

6b634f8fadee3f091c0f9c8b2eb19a597ef6b1c0
SHA256

71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c
SHA512

33796912ca94e529cf7e70df56919c8653937c447641462428bbaa57ed6265b00cd589195bf6fe4d74c5c7ccce93fd527208875b35eca6c8b91adde325785583
SSDEEP

12288:52JylsKTOeDQ4dvfLKVOTDPc7IudTc67BmN6IN2Irz0vu+agwfUFGwTdr:52JyxqYv5GIQc90InrRxAGK

Score

8^/10

microsoft persistence phishing

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mmGOG.exe

pid	process
2268	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp
1944	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
864	GOG.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mmmsedge.exeGOG.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\GOG = "C:\\Windows\\GOG.exe"	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SoftWare\Microsoft\Windows\CurrentVersion\Run	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOG = "C:\\Windows\\GOG.exe"	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	GOG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\GOG = "C:\\Windows\\GOG.exe"	GOG.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SoftWare\Microsoft\Windows\CurrentVersion\Run	GOG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOG = "C:\\Windows\\GOG.exe"	GOG.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe

description	ioc	process
File opened (read-only)	\??\A:	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened (read-only)	\??\B:	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Program Files directory 64 IoCs

Processes:

71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b6948733-d90b-491c-9dfe-7e1f97a775a6.tmp	setup.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221202133307.pma	setup.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe

Drops file in Windows directory 3 IoCs

Processes:

71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mmGOG.exe

description	ioc	process
File created	C:\Windows\GOG.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
File opened for modification	C:\Windows\GOG.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
File created	C:\Windows\GOG.exe	GOG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

Processes:

GOG.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2	GOG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\WinX = "1"	GOG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\NowCount = "0"	GOG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exeGOG.exe

pid	process
2180	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
2180	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe
864	GOG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
4928 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

4928 msedge.exe
4928 msedge.exe
4928 msedge.exe

pid	process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

pid	process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmpmsedge.exemsedge.exe

description	pid	process	target process
PID 2180 wrote to memory of 2268	2180	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp
PID 2180 wrote to memory of 2268	2180	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp
PID 2180 wrote to memory of 1944	2180	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
PID 2180 wrote to memory of 1944	2180	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
PID 2180 wrote to memory of 1944	2180	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
PID 1944 wrote to memory of 864	1944	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm	GOG.exe
PID 1944 wrote to memory of 864	1944	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm	GOG.exe
PID 1944 wrote to memory of 864	1944	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm	GOG.exe
PID 2268 wrote to memory of 4928	2268	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp	msedge.exe
PID 2268 wrote to memory of 4928	2268	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp	msedge.exe
PID 4928 wrote to memory of 4816	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4816	4928	msedge.exe	msedge.exe
PID 2268 wrote to memory of 3224	2268	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp	msedge.exe
PID 2268 wrote to memory of 3224	2268	71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp	msedge.exe
PID 3224 wrote to memory of 1916	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 1916	3224	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3432	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1856	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 1856	4928	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4592	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4592	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4592	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4592	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4592	3224	msedge.exe	msedge.exe
PID 3224 wrote to memory of 4592	3224	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe
"C:\Users\Admin\AppData\Local\Temp\71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp
C:\Users\Admin\AppData\Local\Temp\71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe54d346f8,0x7ffe54d34708,0x7ffe54d34718
4⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
4⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
4⤵
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
4⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
4⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
4⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
4⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5584 /prefetch:8
4⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
4⤵
PID:3760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
4⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4100 /prefetch:8
4⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
4⤵
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
4⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
4⤵
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff765d35460,0x7ff765d35470,0x7ff765d35480
5⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
4⤵
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1876 /prefetch:8
4⤵
PID:372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16837186417957427512,10449389301861439565,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3280 /prefetch:2
4⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Suspicious use of WriteProcessMemory
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd4,0xfc,0x100,0xe0,0x104,0x7ffe54d346f8,0x7ffe54d34708,0x7ffe54d34718
4⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12182155673470160513,2517320754836221426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
4⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12182155673470160513,2517320754836221426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
4⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
C:\Users\Admin\AppData\Local\Temp\71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm /zhj
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\GOG.exe
C:\Windows\GOG.exe /zhj
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ac4e2302e32d853edaf75317005874d4

SHA1
f4cc91c8aeb3528a8a948f1d4fc635f3c3b75105

SHA256
e015c21a45325cc36ee184752f5342d98746fd18542e9905b6a7f29497384e4a

SHA512
feb02bc7884201b82bc0294df95aaa056d2501d25fc62aca0666b4bb8c97a81b9c7163f7b2b7be305e50f404bff618ec805ca0a7f8bc3f3cf75fed1f38eebc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
Filesize
768KB

MD5
13a200e017109016dde150396025f670

SHA1
2f22fd5c34538c2063b525e7b8e79ea4d38f123e

SHA256
637b9bc41c67f62fbbd79a04e0574b7c9d717573e9dd968f1319eacb082d0683

SHA512
445b9d02d49b259b0f7e0e1fc2217806b01c17e0f5487f192f4be6c28203602f3fb18d0d154a408daa8fb04ed117646654c18e318cbf7e8f830a4efbb3f37371

Download Submit
C:\Users\Admin\AppData\Local\Temp\71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.mm
Filesize
768KB

MD5
13a200e017109016dde150396025f670

SHA1
2f22fd5c34538c2063b525e7b8e79ea4d38f123e

SHA256
637b9bc41c67f62fbbd79a04e0574b7c9d717573e9dd968f1319eacb082d0683

SHA512
445b9d02d49b259b0f7e0e1fc2217806b01c17e0f5487f192f4be6c28203602f3fb18d0d154a408daa8fb04ed117646654c18e318cbf7e8f830a4efbb3f37371

Download Submit
C:\Users\Admin\AppData\Local\Temp\71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp
Filesize
120KB

MD5
f9102685f97f9ba85f4a70afcf722cfe

SHA1
bf29d07fba749fabc7931047f2447299387246d4

SHA256
b7c067f8bbbd06d7af3c72ce964cb071ab74e93924563a3e277de04ad1a9ac1e

SHA512
a83ce3f2829e883675790c0b786c6f31217a00be730be360dd55a96f8dc572dc18320e6142d64dd4f10333cea87bf5b76b06c29e579b94c141af131484fbe5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\71a13f9ed74aa03667250ed385a7736076e35f061e5d739502bbb55107e0475c.tmp
Filesize
120KB

MD5
f9102685f97f9ba85f4a70afcf722cfe

SHA1
bf29d07fba749fabc7931047f2447299387246d4

SHA256
b7c067f8bbbd06d7af3c72ce964cb071ab74e93924563a3e277de04ad1a9ac1e

SHA512
a83ce3f2829e883675790c0b786c6f31217a00be730be360dd55a96f8dc572dc18320e6142d64dd4f10333cea87bf5b76b06c29e579b94c141af131484fbe5f8

Download Submit
C:\Windows\GOG.exe
Filesize
768KB

MD5
13a200e017109016dde150396025f670

SHA1
2f22fd5c34538c2063b525e7b8e79ea4d38f123e

SHA256
637b9bc41c67f62fbbd79a04e0574b7c9d717573e9dd968f1319eacb082d0683

SHA512
445b9d02d49b259b0f7e0e1fc2217806b01c17e0f5487f192f4be6c28203602f3fb18d0d154a408daa8fb04ed117646654c18e318cbf7e8f830a4efbb3f37371

Download Submit
C:\Windows\GOG.exe
Filesize
768KB

MD5
13a200e017109016dde150396025f670

SHA1
2f22fd5c34538c2063b525e7b8e79ea4d38f123e

SHA256
637b9bc41c67f62fbbd79a04e0574b7c9d717573e9dd968f1319eacb082d0683

SHA512
445b9d02d49b259b0f7e0e1fc2217806b01c17e0f5487f192f4be6c28203602f3fb18d0d154a408daa8fb04ed117646654c18e318cbf7e8f830a4efbb3f37371

Download Submit
\??\pipe\LOCAL\crashpad_3224_IQMULDJZJEYJMKLC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4928_FJRFYXVJLUAQMSFO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/372-182-0x0000000000000000-mapping.dmp

Download
memory/740-165-0x0000000000000000-mapping.dmp

Download
memory/852-157-0x0000000000000000-mapping.dmp

Download
memory/864-138-0x0000000000000000-mapping.dmp

Download
memory/1236-180-0x0000000000000000-mapping.dmp

Download
memory/1524-162-0x0000000000000000-mapping.dmp

Download
memory/1856-150-0x0000000000000000-mapping.dmp

Download
memory/1916-144-0x0000000000000000-mapping.dmp

Download
memory/1944-134-0x0000000000000000-mapping.dmp

Download
memory/2268-132-0x0000000000000000-mapping.dmp

Download
memory/2284-178-0x0000000000000000-mapping.dmp

Download
memory/2992-183-0x0000000000000000-mapping.dmp

Download
memory/3224-143-0x0000000000000000-mapping.dmp

Download
memory/3432-149-0x0000000000000000-mapping.dmp

Download
memory/3472-167-0x0000000000000000-mapping.dmp

Download
memory/3704-175-0x0000000000000000-mapping.dmp

Download
memory/3760-169-0x0000000000000000-mapping.dmp

Download
memory/4396-154-0x0000000000000000-mapping.dmp

Download
memory/4460-179-0x0000000000000000-mapping.dmp

Download
memory/4568-173-0x0000000000000000-mapping.dmp

Download
memory/4592-153-0x0000000000000000-mapping.dmp

Download
memory/4604-177-0x0000000000000000-mapping.dmp

Download
memory/4724-160-0x0000000000000000-mapping.dmp

Download
memory/4816-142-0x0000000000000000-mapping.dmp

Download
memory/4880-171-0x0000000000000000-mapping.dmp

Download
memory/4928-141-0x0000000000000000-mapping.dmp

Download