27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd

Analysis

max time kernel
37s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2023 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

755KB
MD5

c296f6d7c3ce6dad67003a5777a6da0a
SHA1

b426f52cf2419af5c4829c65857ff4f873565ef0
SHA256

27b26cf6ba3ddaeeb8f2d14b2868ea2229f3bf951cb6a2cccc73e207a08cbdcd
SHA512

db969b2f9c0b1d8c9d2893c6418251a1a1765e3708a327ef6f7034f76a1dda86b1f695a8784e314acaeff8d33efc618164c48b740a9268871b2d199e64975b6b
SSDEEP

12288:VQi3sc6m6UR0IeSp1hf39Wkv8xwJld8kO:VQi8zHIeSpdUMkkO

Score

9^/10

discovery evasion persistence

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

ty88__.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts ty88__.exe
Executes dropped EXE 7 IoCs

Processes:

file.tmpty88__.exeQopubegigy.exeQopubegigy.exepoweroff.exepoweroff.tmpPower Off.exe

pid process

4272 file.tmp
4808 ty88__.exe
1044 Qopubegigy.exe
664 Qopubegigy.exe
4532 poweroff.exe
1276 poweroff.tmp
32 Power Off.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ty88__.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation ty88__.exe
Loads dropped DLL 1 IoCs

Processes:

file.tmp

pid process

4272 file.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ty88__.exe

pid	process
4272	file.tmp
4808	ty88__.exe
1044	Qopubegigy.exe
664	Qopubegigy.exe
4532	poweroff.exe
1276	poweroff.tmp
32	Power Off.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	ty88__.exe

pid	process
4272	file.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ty88__.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Qopubegigy.exe\""	ty88__.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 9 IoCs

Processes:

poweroff.tmpty88__.exe

description	ioc	process
File created	C:\Program Files (x86)\powerOff\is-F7P9V.tmp	poweroff.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Qopubegigy.exe	ty88__.exe
File created	C:\Program Files\Reference Assemblies\LQSPOMIGHS\poweroff.exe	ty88__.exe
File created	C:\Program Files\Reference Assemblies\LQSPOMIGHS\poweroff.exe.config	ty88__.exe
File opened for modification	C:\Program Files (x86)\powerOff\Power Off.exe	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\is-QKNSO.tmp	poweroff.tmp
File opened for modification	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Qopubegigy.exe.config	ty88__.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

poweroff.tmpQopubegigy.exemsedge.exe

pid	process
1276	poweroff.tmp
1276	poweroff.tmp
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
6432	msedge.exe
6432	msedge.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe
664	Qopubegigy.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1908 msedge.exe
1908 msedge.exe
1908 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ty88__.exeQopubegigy.exeQopubegigy.exe

description pid process

Token: SeDebugPrivilege 4808 ty88__.exe
Token: SeDebugPrivilege 664 Qopubegigy.exe
Token: SeDebugPrivilege 1044 Qopubegigy.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

poweroff.tmpmsedge.exe

pid process

1276 poweroff.tmp
1908 msedge.exe
1908 msedge.exe
1908 msedge.exe

pid	process
1908	msedge.exe
1908	msedge.exe
1908	msedge.exe

description	pid	process
Token: SeDebugPrivilege	4808	ty88__.exe
Token: SeDebugPrivilege	664	Qopubegigy.exe
Token: SeDebugPrivilege	1044	Qopubegigy.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exefile.tmpty88__.exepoweroff.exepoweroff.tmpQopubegigy.exemsedge.exe

description	pid	process	target process
PID 2548 wrote to memory of 4272	2548	file.exe	file.tmp
PID 2548 wrote to memory of 4272	2548	file.exe	file.tmp
PID 2548 wrote to memory of 4272	2548	file.exe	file.tmp
PID 4272 wrote to memory of 4808	4272	file.tmp	ty88__.exe
PID 4272 wrote to memory of 4808	4272	file.tmp	ty88__.exe
PID 4808 wrote to memory of 1044	4808	ty88__.exe	Qopubegigy.exe
PID 4808 wrote to memory of 1044	4808	ty88__.exe	Qopubegigy.exe
PID 4808 wrote to memory of 664	4808	ty88__.exe	Qopubegigy.exe
PID 4808 wrote to memory of 664	4808	ty88__.exe	Qopubegigy.exe
PID 4808 wrote to memory of 4532	4808	ty88__.exe	poweroff.exe
PID 4808 wrote to memory of 4532	4808	ty88__.exe	poweroff.exe
PID 4808 wrote to memory of 4532	4808	ty88__.exe	poweroff.exe
PID 4532 wrote to memory of 1276	4532	poweroff.exe	poweroff.tmp
PID 4532 wrote to memory of 1276	4532	poweroff.exe	poweroff.tmp
PID 4532 wrote to memory of 1276	4532	poweroff.exe	poweroff.tmp
PID 1276 wrote to memory of 32	1276	poweroff.tmp	Power Off.exe
PID 1276 wrote to memory of 32	1276	poweroff.tmp	Power Off.exe
PID 1044 wrote to memory of 1908	1044	Qopubegigy.exe	msedge.exe
PID 1044 wrote to memory of 1908	1044	Qopubegigy.exe	msedge.exe
PID 1908 wrote to memory of 4820	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 4820	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6352	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6432	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6432	1908	msedge.exe	msedge.exe
PID 1908 wrote to memory of 6912	1908	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\is-EUT1S.tmp\file.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EUT1S.tmp\file.tmp" /SL5="$8006C,506127,422400,C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\is-8CLOA.tmp\ty88__.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8CLOA.tmp\ty88__.exe" /S /UID=95
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\f8-e7d43-463-9d988-7e1f95135ec54\Qopubegigy.exe
      "C:\Users\Admin\AppData\Local\Temp\f8-e7d43-463-9d988-7e1f95135ec54\Qopubegigy.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        5⤵
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffdbf1846f8,0x7ffdbf184708,0x7ffdbf184718
        6⤵
        
        PID:4820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2504373876129395947,6145772895803834831,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        6⤵
        
        PID:6352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2504373876129395947,6145772895803834831,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2504373876129395947,6145772895803834831,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
        6⤵
        
        PID:6912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2504373876129395947,6145772895803834831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
        6⤵
        
        PID:8096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2504373876129395947,6145772895803834831,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
        6⤵
        
        PID:8124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,2504373876129395947,6145772895803834831,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 /prefetch:8
        6⤵
        
        PID:2180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2504373876129395947,6145772895803834831,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
        6⤵
        
        PID:6972
  - - C:\Program Files\Reference Assemblies\LQSPOMIGHS\poweroff.exe
      "C:\Program Files\Reference Assemblies\LQSPOMIGHS\poweroff.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\is-IUGK0.tmp\poweroff.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IUGK0.tmp\poweroff.tmp" /SL5="$8015E,490199,350720,C:\Program Files\Reference Assemblies\LQSPOMIGHS\poweroff.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1276
      - C:\Program Files (x86)\powerOff\Power Off.exe
        
        "C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:32
  - - C:\Users\Admin\AppData\Local\Temp\c0-e0555-b6f-a9785-f95b4d3fc4c6a\Qopubegigy.exe
      "C:\Users\Admin\AppData\Local\Temp\c0-e0555-b6f-a9785-f95b4d3fc4c6a\Qopubegigy.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\powerOff\Power Off.exe

Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files (x86)\powerOff\Power Off.exe

Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files\Reference Assemblies\LQSPOMIGHS\poweroff.exe

Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Program Files\Reference Assemblies\LQSPOMIGHS\poweroff.exe

Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0-e0555-b6f-a9785-f95b4d3fc4c6a\Kenessey.txt

Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0-e0555-b6f-a9785-f95b4d3fc4c6a\Qopubegigy.exe

Filesize
377KB

MD5
97627b2f5f03f91345b467a2a4b34e1a

SHA1
863ef84ed38a90a5141b381d074f417e3ff0b5fc

SHA256
45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc

SHA512
7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0-e0555-b6f-a9785-f95b4d3fc4c6a\Qopubegigy.exe

Filesize
377KB

MD5
97627b2f5f03f91345b467a2a4b34e1a

SHA1
863ef84ed38a90a5141b381d074f417e3ff0b5fc

SHA256
45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc

SHA512
7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0-e0555-b6f-a9785-f95b4d3fc4c6a\Qopubegigy.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8-e7d43-463-9d988-7e1f95135ec54\Qopubegigy.exe

Filesize
586KB

MD5
208e4cd441cdd40a55ee0fc96316e331

SHA1
cddcd13535391b96c8ec650a22f1503f93ca092c

SHA256
2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431

SHA512
bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8-e7d43-463-9d988-7e1f95135ec54\Qopubegigy.exe

Filesize
586KB

MD5
208e4cd441cdd40a55ee0fc96316e331

SHA1
cddcd13535391b96c8ec650a22f1503f93ca092c

SHA256
2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431

SHA512
bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8-e7d43-463-9d988-7e1f95135ec54\Qopubegigy.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8CLOA.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8CLOA.tmp\ty88__.exe

Filesize
302KB

MD5
cc41507ba8ee6cdd0909f513c977df6f

SHA1
eac08a0843d63ffd9b681d91624f1d1424a41c15

SHA256
35f7d826be42bcddad36ab6fffab52a393aabdf445cff086861f456bfcee814d

SHA512
6a9f0ccb052aa119ff65868a9592c6cee3dd0e481ecf5a3686541ddcdfd3443deb4f03b4f54bdc9a6ff6172a5a3ea2fb9e87671ce06210687935bc73230cbf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8CLOA.tmp\ty88__.exe

Filesize
302KB

MD5
cc41507ba8ee6cdd0909f513c977df6f

SHA1
eac08a0843d63ffd9b681d91624f1d1424a41c15

SHA256
35f7d826be42bcddad36ab6fffab52a393aabdf445cff086861f456bfcee814d

SHA512
6a9f0ccb052aa119ff65868a9592c6cee3dd0e481ecf5a3686541ddcdfd3443deb4f03b4f54bdc9a6ff6172a5a3ea2fb9e87671ce06210687935bc73230cbf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EUT1S.tmp\file.tmp

Filesize
1.0MB

MD5
6e8d8cabf1efb3f98adba1eed48e5a1e

SHA1
6ca75501f3eb4753afe1810ba761588021bd68c9

SHA256
8db82765fa0993c181346d9182d013271b7326e4c8415ce1e97bf606cd6474f6

SHA512
e3bb3029a9b50cfa18dc616aa2e04b7d0537efdedeb83ee40e976f5089e3e76b844c1e7e85d867f6c925ef8d8ed79de60a4ea7de5ee6127a52c6f7bbfcb7690f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IUGK0.tmp\poweroff.tmp

Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IUGK0.tmp\poweroff.tmp

Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
\??\pipe\LOCAL\crashpad_1908_OCBWSNMQFBPIWPXU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/32-167-0x00007FFDC07B0000-0x00007FFDC11E6000-memory.dmp

Filesize
10.2MB

Download
memory/32-164-0x0000000000000000-mapping.dmp

Download
memory/664-161-0x00007FFDC07B0000-0x00007FFDC11E6000-memory.dmp

Filesize
10.2MB

Download
memory/664-147-0x0000000000000000-mapping.dmp

Download
memory/1044-143-0x0000000000000000-mapping.dmp

Download
memory/1044-160-0x00007FFDC07B0000-0x00007FFDC11E6000-memory.dmp

Filesize
10.2MB

Download
memory/1276-156-0x0000000000000000-mapping.dmp

Download
memory/1908-168-0x0000000000000000-mapping.dmp

Download
memory/2180-182-0x0000000000000000-mapping.dmp

Download
memory/2548-137-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2548-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2548-159-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4272-134-0x0000000000000000-mapping.dmp

Download
memory/4532-153-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4532-163-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4532-148-0x0000000000000000-mapping.dmp

Download
memory/4808-158-0x00007FFDC0720000-0x00007FFDC11E1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-142-0x00007FFDC0720000-0x00007FFDC11E1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-141-0x0000000000720000-0x0000000000772000-memory.dmp

Filesize
328KB

Download
memory/4808-138-0x0000000000000000-mapping.dmp

Download
memory/4820-170-0x0000000000000000-mapping.dmp

Download
memory/6352-172-0x0000000000000000-mapping.dmp

Download
memory/6432-173-0x0000000000000000-mapping.dmp

Download
memory/6912-176-0x0000000000000000-mapping.dmp

Download
memory/6972-184-0x0000000000000000-mapping.dmp

Download
memory/8096-178-0x0000000000000000-mapping.dmp

Download
memory/8124-180-0x0000000000000000-mapping.dmp

Download