Analysis Overview
SHA256
f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9
Threat Level: Known bad
The file f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9 was found to be: Known bad.
Malicious Activity Summary
LgoogLoader
GCleaner
Detects LgoogLoader payload
Process spawned unexpected child process
Checks for common network interception software
Sets service image path in registry
VMProtect packed file
Downloads MZ/PE file
Executes dropped EXE
Drops file in Drivers directory
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Kills process with taskkill
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of FindShellTrayWindow
Script User-Agent
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-16 10:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-16 10:58
Reported
2023-01-16 11:00
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Detects LgoogLoader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
GCleaner
LgoogLoader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe | N/A |
Checks for common network interception software
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe | N/A |
Executes dropped EXE
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rtoy0dah.4m5\GcleanerEU.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aiaqefuy.gaf\gcleaner.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dc-019fa-9be-25592-1469c25916885\Vapuqupuly.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0m4waqgb.aff\chenp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4B5H3.tmp\f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Vapuqupuly.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 25208 set thread context of 25776 | N/A | C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Portable Devices\Vapuqupuly.exe | C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\Vapuqupuly.exe.config | C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe | N/A |
| File created | C:\Program Files (x86)\powerOff\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-CJNG1.tmp\poweroff.tmp | N/A |
| File created | C:\Program Files (x86)\powerOff\is-E1KS5.tmp | C:\Users\Admin\AppData\Local\Temp\is-CJNG1.tmp\poweroff.tmp | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b1c6f78d-1e72-47f1-be0c-12ebb96dbf0c.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230116115939.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File created | C:\Program Files\Windows Security\JITJACKGNB\poweroff.exe | C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe | N/A |
| File created | C:\Program Files\Windows Security\JITJACKGNB\poweroff.exe.config | C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe | N/A |
| File opened for modification | C:\Program Files (x86)\powerOff\Power Off.exe | C:\Users\Admin\AppData\Local\Temp\is-CJNG1.tmp\poweroff.tmp | N/A |
| File created | C:\Program Files (x86)\powerOff\is-UUDP1.tmp | C:\Users\Admin\AppData\Local\Temp\is-CJNG1.tmp\poweroff.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\powerOff\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-CJNG1.tmp\poweroff.tmp | N/A |
Enumerates physical storage devices
Program crash
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dc-019fa-9be-25592-1469c25916885\Vapuqupuly.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\95-fc4d1-a22-f8a93-ddc5fc9c02ba6\Vapuqupuly.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-CJNG1.tmp\poweroff.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9.exe
"C:\Users\Admin\AppData\Local\Temp\f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9.exe"
C:\Users\Admin\AppData\Local\Temp\is-4B5H3.tmp\f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4B5H3.tmp\f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9.tmp" /SL5="$8005E,506127,422400,C:\Users\Admin\AppData\Local\Temp\f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9.exe"
C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe
"C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe" /S /UID=95
C:\Users\Admin\AppData\Local\Temp\dc-019fa-9be-25592-1469c25916885\Vapuqupuly.exe
"C:\Users\Admin\AppData\Local\Temp\dc-019fa-9be-25592-1469c25916885\Vapuqupuly.exe"
C:\Users\Admin\AppData\Local\Temp\95-fc4d1-a22-f8a93-ddc5fc9c02ba6\Vapuqupuly.exe
"C:\Users\Admin\AppData\Local\Temp\95-fc4d1-a22-f8a93-ddc5fc9c02ba6\Vapuqupuly.exe"
C:\Program Files\Windows Security\JITJACKGNB\poweroff.exe
"C:\Program Files\Windows Security\JITJACKGNB\poweroff.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\is-CJNG1.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CJNG1.tmp\poweroff.tmp" /SL5="$30118,490199,350720,C:\Program Files\Windows Security\JITJACKGNB\poweroff.exe" /VERYSILENT
C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rtoy0dah.4m5\GcleanerEU.exe /eufive & exit
C:\Users\Admin\AppData\Local\Temp\rtoy0dah.4m5\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\rtoy0dah.4m5\GcleanerEU.exe /eufive
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aiaqefuy.gaf\gcleaner.exe /mixfive & exit
C:\Users\Admin\AppData\Local\Temp\aiaqefuy.gaf\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\aiaqefuy.gaf\gcleaner.exe /mixfive
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0m4waqgb.aff\chenp.exe & exit
C:\Users\Admin\AppData\Local\Temp\0m4waqgb.aff\chenp.exe
C:\Users\Admin\AppData\Local\Temp\0m4waqgb.aff\chenp.exe
C:\Users\Admin\AppData\Local\Temp\0m4waqgb.aff\chenp.exe
"C:\Users\Admin\AppData\Local\Temp\0m4waqgb.aff\chenp.exe" -h
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jlwvr5sq.uos\pb1117.exe & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 9872 -ip 9872
C:\Users\Admin\AppData\Local\Temp\jlwvr5sq.uos\pb1117.exe
C:\Users\Admin\AppData\Local\Temp\jlwvr5sq.uos\pb1117.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9872 -s 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 24592 -ip 24592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 24592 -s 456
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe & exit
C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe
C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 25296 -ip 25296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 9872 -ip 9872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 25296 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9872 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 9872 -ip 9872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9872 -s 812
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 24592 -ip 24592
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 24592 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 9872 -ip 9872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9872 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 24592 -ip 24592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 24592 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 9872 -ip 9872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9872 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 24592 -ip 24592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 24592 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 9872 -ip 9872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9872 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 24592 -ip 24592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 24592 -s 828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 9872 -ip 9872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9872 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 24592 -ip 24592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 24592 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 9872 -ip 9872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 24592 -ip 24592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9872 -s 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 24592 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 24592 -ip 24592
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\rtoy0dah.4m5\GcleanerEU.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 24592 -s 1348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 9872 -ip 9872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9872 -s 1396
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "GcleanerEU.exe" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\aiaqefuy.gaf\gcleaner.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 24592 -ip 24592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 24592 -s 1388
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffb91f546f8,0x7ffb91f54708,0x7ffb91f54718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5400 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3924 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7367a5460,0x7ff7367a5470,0x7ff7367a5480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1751706885972798457,18413383002622507176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | mouawzi-khilafii.s3.pl-waw.scw.cloud | udp |
| N/A | 151.115.10.1:80 | mouawzi-khilafii.s3.pl-waw.scw.cloud | tcp |
| N/A | 151.115.10.1:80 | mouawzi-khilafii.s3.pl-waw.scw.cloud | tcp |
| N/A | 8.8.8.8:53 | connectini.net | udp |
| N/A | 37.230.138.123:443 | connectini.net | tcp |
| N/A | 8.8.8.8:53 | coffee-cup.s3.pl-waw.scw.cloud | udp |
| N/A | 8.8.8.8:53 | wewewe.s3.eu-central-1.amazonaws.com | udp |
| N/A | 52.219.47.1:443 | wewewe.s3.eu-central-1.amazonaws.com | tcp |
| N/A | 151.115.10.1:443 | coffee-cup.s3.pl-waw.scw.cloud | tcp |
| N/A | 151.115.10.1:443 | coffee-cup.s3.pl-waw.scw.cloud | tcp |
| N/A | 8.8.8.8:53 | 360devtracking.com | udp |
| N/A | 37.230.138.66:80 | 360devtracking.com | tcp |
| N/A | 8.8.8.8:53 | google.com | udp |
| N/A | 8.8.8.8:53 | connectini.net | udp |
| N/A | 142.251.39.100:80 | www.google.com | tcp |
| N/A | 37.230.138.123:443 | connectini.net | tcp |
| N/A | 8.8.8.8:53 | 360devtracking.com | udp |
| N/A | 37.230.138.66:80 | 360devtracking.com | tcp |
| N/A | 95.214.24.96:80 | tcp | |
| N/A | 52.182.141.63:443 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 142.251.39.100:80 | www.google.com | tcp |
| N/A | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| N/A | 95.214.24.96:80 | 95.214.24.96 | tcp |
| N/A | 8.8.8.8:53 | iplogger.org | udp |
| N/A | 8.8.8.8:53 | htagzdownload.pw | udp |
| N/A | 148.251.234.83:443 | iplogger.org | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 95.214.24.96:80 | 95.214.24.96 | tcp |
| N/A | 8.8.8.8:53 | a.dowgmua.com | udp |
| N/A | 188.114.97.0:443 | a.dowgmua.com | tcp |
| N/A | 8.8.8.8:53 | b.dowgmub.com | udp |
| N/A | 104.21.70.228:443 | b.dowgmub.com | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 8.8.8.8:53 | grt.eiwaggee.com | udp |
| N/A | 188.114.97.0:443 | grt.eiwaggee.com | tcp |
| N/A | 8.8.8.8:53 | xv.yxzgamen.com | udp |
| N/A | 188.114.96.0:443 | xv.yxzgamen.com | tcp |
| N/A | 8.8.8.8:53 | www.isurucabs.lk | udp |
| N/A | 69.46.7.194:443 | www.isurucabs.lk | tcp |
| N/A | 8.8.8.8:53 | www.facebook.com | udp |
| N/A | 157.240.247.35:443 | www.facebook.com | tcp |
| N/A | 204.79.197.200:443 | tcp | |
| N/A | 8.8.8.8:53 | iplogger.com | udp |
| N/A | 148.251.234.93:443 | iplogger.com | tcp |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 8.8.8.8:53 | aaa.apiaaaeg.com | udp |
| N/A | 45.66.159.137:80 | aaa.apiaaaeg.com | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 45.139.105.171:80 | 45.139.105.171 | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 45.139.105.171:80 | 45.139.105.171 | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 142.251.39.100:80 | www.google.com | tcp |
| N/A | 8.8.8.8:53 | connectini.net | udp |
| N/A | 37.230.138.123:443 | connectini.net | tcp |
| N/A | 8.8.8.8:53 | www.profitabletrustednetwork.com | udp |
| N/A | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| N/A | 20.86.249.62:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 173.233.137.52:443 | www.profitabletrustednetwork.com | tcp |
| N/A | 173.233.137.52:443 | www.profitabletrustednetwork.com | tcp |
| N/A | 20.86.249.62:443 | nav.smartscreen.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | smartscreen-prod.microsoft.com | udp |
| N/A | 20.86.249.62:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 20.86.249.62:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 20.86.249.62:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 20.86.249.62:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 20.86.249.62:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 20.86.249.62:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
| N/A | 8.8.8.8:53 | simplewebanalysis.com | udp |
| N/A | 52.22.199.149:443 | simplewebanalysis.com | tcp |
| N/A | 20.86.249.62:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | noutzing.com | udp |
| N/A | 188.114.97.0:443 | noutzing.com | tcp |
| N/A | 20.86.249.62:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 188.114.97.0:443 | noutzing.com | udp |
| N/A | 8.8.8.8:53 | tartator.com | udp |
| N/A | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| N/A | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| N/A | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| N/A | 142.234.204.80:443 | tartator.com | tcp |
| N/A | 8.8.8.8:53 | getsthis.com | udp |
| N/A | 142.234.204.80:443 | getsthis.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 8.8.8.8:53 | edge.microsoft.com | udp |
| N/A | 131.253.33.239:443 | edge.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | ntp.msn.com | udp |
| N/A | 8.8.8.8:53 | assets.msn.com | udp |
| N/A | 95.101.143.170:443 | assets.msn.com | tcp |
| N/A | 95.101.143.170:443 | assets.msn.com | tcp |
| N/A | 95.101.143.170:443 | assets.msn.com | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 8.8.8.8:53 | sb.scorecardresearch.com | udp |
| N/A | 8.8.8.8:53 | img-s-msn-com.akamaized.net | udp |
| N/A | 8.8.8.8:53 | c.msn.com | udp |
| N/A | 88.221.134.224:443 | img-s-msn-com.akamaized.net | tcp |
| N/A | 8.8.8.8:53 | c.bing.com | udp |
| N/A | 18.65.39.28:443 | sb.scorecardresearch.com | tcp |
| N/A | 20.234.93.27:443 | c.msn.com | tcp |
| N/A | 204.79.197.200:443 | c.bing.com | tcp |
| N/A | 131.253.33.239:443 | edge.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | srtb.msn.com | udp |
| N/A | 131.253.33.203:443 | srtb.msn.com | tcp |
| N/A | 8.8.8.8:53 | aefd.nelreports.net | udp |
| N/A | 8.8.8.8:53 | ecn.dev.virtualearth.net | udp |
| N/A | 88.221.134.218:443 | aefd.nelreports.net | tcp |
| N/A | 23.0.215.34:443 | ecn.dev.virtualearth.net | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 131.253.33.239:443 | edge.microsoft.com | tcp |
| N/A | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| N/A | 8.238.177.126:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
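The connection table above mixes loader traffic with ordinary Windows and Edge background traffic (SmartScreen, MSN, Bing, Akamai). The script below is an added triage example, not part of the sandbox report: it parses rows in the page's flattened table layout, collapses repeated connections, drops DNS and multicast noise, and flags destinations a responder would look at first. The sample rows are copied from the table above; the `BENIGN_SUFFIXES` allowlist is an analyst assumption for noise reduction, not a verdict, since the report itself notes that legitimate hosting services are abused for C2.

```python
"""Added example: triage the network rows of the sandbox report above."""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: rows copied from the report's connection table.
# A row with no resolved name has an empty domain column.
SAMPLE_ROWS = """
| N/A | 8.8.8.8:53 | iplogger.com | udp |
| N/A | 148.251.234.93:443 | iplogger.com | tcp |
| N/A | 45.139.105.171:80 | 45.139.105.171 | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 35.205.61.67:80 | htagzdownload.pw | tcp |
| N/A | 20.86.249.62:443 | smartscreen-prod.microsoft.com | tcp |
| N/A | 142.251.39.100:80 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
"""

# Assumed allowlist (analyst assumption, not a verdict): suffixes of the
# OS/browser background traffic visible in the report.
BENIGN_SUFFIXES = (".microsoft.com", ".msn.com", ".bing.com", "www.google.com",
                   ".akamaized.net", ".cloudflare.com", ".nelreports.net",
                   ".virtualearth.net", ".scorecardresearch.com")

ROW_RE = re.compile(
    r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<host>[^|]*?)\s*\|\s*(?P<proto>\w+)\s*\|$")


def parse_rows(text):
    """Return (ip, port, host, proto) tuples; host is '' when the report had none."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["ip"], int(m["port"]), m["host"], m["proto"]))
    return rows


def is_raw_ip_host(host):
    """True when the 'domain' column is itself an IP literal (no DNS name used)."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(rows):
    """Map 'host:port/proto' -> {ip, hits, flags}; drops DNS and multicast noise."""
    counts = Counter(rows)
    result = {}
    for (ip, port, host, proto), hits in counts.items():
        if proto == "udp" and port == 53:
            continue  # resolver lookups: the resolved name shows up on the tcp row
        if host == "" and ip_address(ip).is_multicast:
            continue  # mDNS / local discovery
        flags = []
        if host and not host.endswith(BENIGN_SUFFIXES):
            flags.append("not-allowlisted")
        if is_raw_ip_host(host):
            flags.append("raw-ip-host")  # contacted by IP only, common for loader C2
        if port == 80 and "not-allowlisted" in flags:
            flags.append("cleartext-http")  # payload fetch over plain HTTP
        if hits >= 5:
            flags.append("repeated")  # polled in a loop, as htagzdownload.pw is above
        result[f"{host or ip}:{port}/{proto}"] = {"ip": ip, "hits": hits, "flags": flags}
    return result


if __name__ == "__main__":
    for dest, info in sorted(triage(parse_rows(SAMPLE_ROWS)).items()):
        print(f"{dest:45} {info['ip']:16} x{info['hits']:<3} {' '.join(info['flags'])}")
```

Run against the full table rather than the sample, the `repeated` flag singles out htagzdownload.pw, and `raw-ip-host` singles out 45.139.105.171; every allowlisted Microsoft and Google destination comes out with no flags.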
Files
memory/3464-132-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3464-134-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3800-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-4B5H3.tmp\f0ffe21703f29dd78d6a5f937ddeed8437e9cb4e9a0dce7adf9149e250a98fd9.tmp
| MD5 | a5ea5f8ae934ab6efe216fc1e4d1b6dc |
| SHA1 | cb52a9e2aa2aa0e6e82fa44879055003a91207d7 |
| SHA256 | be998499deb4ad2cbb87ff38e372f387baf4da3a15faf6d0a43c5cc137650d9e |
| SHA512 | f13280508fb43734809321f65741351aedd1613c3c989e978147dbb5a59efb02494349fbf6ee96b85de5ad049493d8382372993f3d54b80e84e36edf986e915c |
C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/3464-138-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4824-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe
| MD5 | cc41507ba8ee6cdd0909f513c977df6f |
| SHA1 | eac08a0843d63ffd9b681d91624f1d1424a41c15 |
| SHA256 | 35f7d826be42bcddad36ab6fffab52a393aabdf445cff086861f456bfcee814d |
| SHA512 | 6a9f0ccb052aa119ff65868a9592c6cee3dd0e481ecf5a3686541ddcdfd3443deb4f03b4f54bdc9a6ff6172a5a3ea2fb9e87671ce06210687935bc73230cbf6b |
C:\Users\Admin\AppData\Local\Temp\is-7EKA4.tmp\sasa.exe
| MD5 | cc41507ba8ee6cdd0909f513c977df6f |
| SHA1 | eac08a0843d63ffd9b681d91624f1d1424a41c15 |
| SHA256 | 35f7d826be42bcddad36ab6fffab52a393aabdf445cff086861f456bfcee814d |
| SHA512 | 6a9f0ccb052aa119ff65868a9592c6cee3dd0e481ecf5a3686541ddcdfd3443deb4f03b4f54bdc9a6ff6172a5a3ea2fb9e87671ce06210687935bc73230cbf6b |
memory/4824-142-0x0000000000010000-0x0000000000062000-memory.dmp
memory/4824-143-0x00007FFB928C0000-0x00007FFB93381000-memory.dmp
memory/1092-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dc-019fa-9be-25592-1469c25916885\Vapuqupuly.exe
| MD5 | 97627b2f5f03f91345b467a2a4b34e1a |
| SHA1 | 863ef84ed38a90a5141b381d074f417e3ff0b5fc |
| SHA256 | 45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc |
| SHA512 | 7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0 |
C:\Users\Admin\AppData\Local\Temp\dc-019fa-9be-25592-1469c25916885\Vapuqupuly.exe
| MD5 | 97627b2f5f03f91345b467a2a4b34e1a |
| SHA1 | 863ef84ed38a90a5141b381d074f417e3ff0b5fc |
| SHA256 | 45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc |
| SHA512 | 7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0 |
C:\Users\Admin\AppData\Local\Temp\dc-019fa-9be-25592-1469c25916885\Vapuqupuly.exe.config
| MD5 | 98d2687aec923f98c37f7cda8de0eb19 |
| SHA1 | f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7 |
| SHA256 | 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465 |
| SHA512 | 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590 |
memory/2232-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\95-fc4d1-a22-f8a93-ddc5fc9c02ba6\Vapuqupuly.exe
| MD5 | 208e4cd441cdd40a55ee0fc96316e331 |
| SHA1 | cddcd13535391b96c8ec650a22f1503f93ca092c |
| SHA256 | 2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431 |
| SHA512 | bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651 |
C:\Users\Admin\AppData\Local\Temp\95-fc4d1-a22-f8a93-ddc5fc9c02ba6\Vapuqupuly.exe
| MD5 | 208e4cd441cdd40a55ee0fc96316e331 |
| SHA1 | cddcd13535391b96c8ec650a22f1503f93ca092c |
| SHA256 | 2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431 |
| SHA512 | bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651 |
C:\Users\Admin\AppData\Local\Temp\95-fc4d1-a22-f8a93-ddc5fc9c02ba6\Vapuqupuly.exe.config
| MD5 | 98d2687aec923f98c37f7cda8de0eb19 |
| SHA1 | f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7 |
| SHA256 | 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465 |
| SHA512 | 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590 |
memory/4564-152-0x0000000000000000-mapping.dmp
C:\Program Files\Windows Security\JITJACKGNB\poweroff.exe
| MD5 | c0538198613d60407c75c54c55e69d91 |
| SHA1 | a2d713a098bc7b6d245c428dcdeb5614af3b8edd |
| SHA256 | c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed |
| SHA512 | 121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529 |
memory/4564-154-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Program Files\Windows Security\JITJACKGNB\poweroff.exe
| MD5 | c0538198613d60407c75c54c55e69d91 |
| SHA1 | a2d713a098bc7b6d245c428dcdeb5614af3b8edd |
| SHA256 | c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed |
| SHA512 | 121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529 |
C:\Users\Admin\AppData\Local\Temp\is-CJNG1.tmp\poweroff.tmp
| MD5 | 01515376348a54ecef04f45b436cb104 |
| SHA1 | 111e709b21bf56181c83057dafba7b71ed41f1b2 |
| SHA256 | 8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0 |
| SHA512 | 8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28 |
memory/4952-157-0x0000000000000000-mapping.dmp
memory/4824-161-0x00007FFB928C0000-0x00007FFB93381000-memory.dmp
memory/1092-159-0x00007FFB895C0000-0x00007FFB89FF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-CJNG1.tmp\poweroff.tmp
| MD5 | 01515376348a54ecef04f45b436cb104 |
| SHA1 | 111e709b21bf56181c83057dafba7b71ed41f1b2 |
| SHA256 | 8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0 |
| SHA512 | 8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28 |
memory/4564-163-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2232-160-0x00007FFB895C0000-0x00007FFB89FF6000-memory.dmp
memory/3464-164-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2812-165-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\powerOff\Power Off.exe
| MD5 | 8d0b18eb87590fa654da3704092b122b |
| SHA1 | aaf4417695904bd718def564b2c1dae40623cc1d |
| SHA256 | f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457 |
| SHA512 | fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828 |
C:\Program Files (x86)\powerOff\Power Off.exe
| MD5 | 8d0b18eb87590fa654da3704092b122b |
| SHA1 | aaf4417695904bd718def564b2c1dae40623cc1d |
| SHA256 | f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457 |
| SHA512 | fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828 |
memory/2812-168-0x00007FFB895C0000-0x00007FFB89FF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dc-019fa-9be-25592-1469c25916885\Kenessey.txt
| MD5 | 97384261b8bbf966df16e5ad509922db |
| SHA1 | 2fc42d37fee2c81d767e09fb298b70c748940f86 |
| SHA256 | 9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c |
| SHA512 | b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21 |
memory/8336-170-0x0000000000000000-mapping.dmp
memory/9872-171-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rtoy0dah.4m5\GcleanerEU.exe
| MD5 | 2d526f97060bdf0ec6d9fa55a64ca7d6 |
| SHA1 | e3b7820ac00f18c94e47d1560980c84861ec6325 |
| SHA256 | 33b115ca78655e139f1b053c6bd75c447ee2b5df6e7feafd15ed088968a9422f |
| SHA512 | 8bdd8eaf69defcdd35859c5782a3b6f85b37bde9ea88e061ad00abb9d94a007e873af1fa8b42943ad3bfe7a680dcdd077fe13f7c0f47a888a2ae8a5cf437c934 |
C:\Users\Admin\AppData\Local\Temp\rtoy0dah.4m5\GcleanerEU.exe
| MD5 | 2d526f97060bdf0ec6d9fa55a64ca7d6 |
| SHA1 | e3b7820ac00f18c94e47d1560980c84861ec6325 |
| SHA256 | 33b115ca78655e139f1b053c6bd75c447ee2b5df6e7feafd15ed088968a9422f |
| SHA512 | 8bdd8eaf69defcdd35859c5782a3b6f85b37bde9ea88e061ad00abb9d94a007e873af1fa8b42943ad3bfe7a680dcdd077fe13f7c0f47a888a2ae8a5cf437c934 |
memory/11780-174-0x0000000000000000-mapping.dmp
memory/24592-175-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\aiaqefuy.gaf\gcleaner.exe
| MD5 | 2d526f97060bdf0ec6d9fa55a64ca7d6 |
| SHA1 | e3b7820ac00f18c94e47d1560980c84861ec6325 |
| SHA256 | 33b115ca78655e139f1b053c6bd75c447ee2b5df6e7feafd15ed088968a9422f |
| SHA512 | 8bdd8eaf69defcdd35859c5782a3b6f85b37bde9ea88e061ad00abb9d94a007e873af1fa8b42943ad3bfe7a680dcdd077fe13f7c0f47a888a2ae8a5cf437c934 |
C:\Users\Admin\AppData\Local\Temp\aiaqefuy.gaf\gcleaner.exe
| MD5 | 2d526f97060bdf0ec6d9fa55a64ca7d6 |
| SHA1 | e3b7820ac00f18c94e47d1560980c84861ec6325 |
| SHA256 | 33b115ca78655e139f1b053c6bd75c447ee2b5df6e7feafd15ed088968a9422f |
| SHA512 | 8bdd8eaf69defcdd35859c5782a3b6f85b37bde9ea88e061ad00abb9d94a007e873af1fa8b42943ad3bfe7a680dcdd077fe13f7c0f47a888a2ae8a5cf437c934 |
memory/24628-178-0x0000000000000000-mapping.dmp
memory/24676-179-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0m4waqgb.aff\chenp.exe
| MD5 | 861253a1ff4bdacab4ddd1a1df3efc50 |
| SHA1 | 5512ad9b91d5c5972ac0a4c5f0f28d966054807c |
| SHA256 | 9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d |
| SHA512 | 39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927 |
C:\Users\Admin\AppData\Local\Temp\0m4waqgb.aff\chenp.exe
| MD5 | 861253a1ff4bdacab4ddd1a1df3efc50 |
| SHA1 | 5512ad9b91d5c5972ac0a4c5f0f28d966054807c |
| SHA256 | 9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d |
| SHA512 | 39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927 |
memory/24732-182-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0m4waqgb.aff\chenp.exe
| MD5 | 861253a1ff4bdacab4ddd1a1df3efc50 |
| SHA1 | 5512ad9b91d5c5972ac0a4c5f0f28d966054807c |
| SHA256 | 9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d |
| SHA512 | 39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927 |
memory/24788-184-0x0000000000000000-mapping.dmp
memory/24924-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jlwvr5sq.uos\pb1117.exe
| MD5 | 0b7434ca22cfd570e60beabbc3ab68ad |
| SHA1 | c988cebc96bc58f76fe6d5a93420798f5b27f4bb |
| SHA256 | 48b3b5e521f2b126baedcef1c91827570effa898e054ae6f7e215203454955f4 |
| SHA512 | be90bd0cac5eb522b121889020e75d6494005b63dc3af237a8ebd0b27d3ac5a8fac4367289850b704f5b1d79d8afd603d46c9afc3b0c0015e0da18959f9a34bc |
C:\Users\Admin\AppData\Local\Temp\jlwvr5sq.uos\pb1117.exe
| MD5 | 0b7434ca22cfd570e60beabbc3ab68ad |
| SHA1 | c988cebc96bc58f76fe6d5a93420798f5b27f4bb |
| SHA256 | 48b3b5e521f2b126baedcef1c91827570effa898e054ae6f7e215203454955f4 |
| SHA512 | be90bd0cac5eb522b121889020e75d6494005b63dc3af237a8ebd0b27d3ac5a8fac4367289850b704f5b1d79d8afd603d46c9afc3b0c0015e0da18959f9a34bc |
memory/24924-188-0x0000000140000000-0x000000014061C000-memory.dmp
memory/9872-190-0x00000000007FD000-0x0000000000824000-memory.dmp
memory/9872-192-0x0000000000710000-0x0000000000750000-memory.dmp
memory/9872-193-0x0000000000400000-0x0000000000451000-memory.dmp
memory/25160-195-0x0000000000000000-mapping.dmp
memory/25208-196-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe
| MD5 | 4715769b2a3a90dc8c939aec11c52bc1 |
| SHA1 | 1a1eeabc9d4758de67016ed1e06defd571107e63 |
| SHA256 | 7ce366cf2cc3e1787d552e5603568e1ce96496aacef73df9676b9a3fafe660db |
| SHA512 | 308badf1be750b58399a3532b452a85cf345d222a1ec48949c99fd5cbe6505a79e8093b72ea117ef8b3963b8ddcbf2812907a5d8535b98c9480bb038fcdfe579 |
C:\Users\Admin\AppData\Local\Temp\adwkvhmu.bxf\360.exe
| MD5 | 4715769b2a3a90dc8c939aec11c52bc1 |
| SHA1 | 1a1eeabc9d4758de67016ed1e06defd571107e63 |
| SHA256 | 7ce366cf2cc3e1787d552e5603568e1ce96496aacef73df9676b9a3fafe660db |
| SHA512 | 308badf1be750b58399a3532b452a85cf345d222a1ec48949c99fd5cbe6505a79e8093b72ea117ef8b3963b8ddcbf2812907a5d8535b98c9480bb038fcdfe579 |
memory/24592-201-0x0000000000400000-0x0000000000451000-memory.dmp
memory/25208-200-0x000001A7AD510000-0x000001A7AD598000-memory.dmp
memory/24592-199-0x00000000005ED000-0x0000000000614000-memory.dmp
memory/25208-202-0x000001A7C8600000-0x000001A7C8676000-memory.dmp
memory/25208-203-0x00007FFB91500000-0x00007FFB91FC1000-memory.dmp
memory/25208-204-0x000001A7AD8F0000-0x000001A7AD90E000-memory.dmp
memory/25296-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
C:\Users\Admin\AppData\Local\Temp\db.dll
| MD5 | 0b35335b70b96d31633d0caa207d71f9 |
| SHA1 | 996c7804fe4d85025e2bd7ea8aa5e33c71518f84 |
| SHA256 | ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6 |
| SHA512 | ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce |
C:\Users\Admin\AppData\Local\Temp\db.dat
| MD5 | 76c3dbb1e9fea62090cdf53dadcbe28e |
| SHA1 | d44b32d04adc810c6df258be85dc6b62bd48a307 |
| SHA256 | 556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860 |
| SHA512 | de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b |
memory/25776-209-0x0000000000400000-0x0000000000442000-memory.dmp
memory/25776-211-0x0000000000400000-0x0000000000442000-memory.dmp
memory/25776-212-0x0000000000400000-0x0000000000442000-memory.dmp
memory/25208-213-0x00007FFB91500000-0x00007FFB91FC1000-memory.dmp
memory/25776-210-0x0000000000403980-mapping.dmp
memory/25776-215-0x0000000002B00000-0x0000000002B0D000-memory.dmp
memory/25776-214-0x0000000002AE0000-0x0000000002AE9000-memory.dmp
memory/26600-216-0x0000000000000000-mapping.dmp
memory/26720-217-0x0000000000000000-mapping.dmp
memory/26792-218-0x0000000000000000-mapping.dmp
memory/26868-219-0x0000000000000000-mapping.dmp
memory/9872-220-0x00000000007FD000-0x0000000000824000-memory.dmp
memory/9872-221-0x0000000000400000-0x0000000000451000-memory.dmp
memory/24592-222-0x00000000005ED000-0x0000000000614000-memory.dmp
memory/24592-223-0x0000000000400000-0x0000000000451000-memory.dmp
memory/27396-224-0x0000000000000000-mapping.dmp
memory/27416-225-0x0000000000000000-mapping.dmp
memory/27644-227-0x0000000000000000-mapping.dmp
memory/27664-228-0x0000000000000000-mapping.dmp
\??\pipe\LOCAL\crashpad_27396_QLWWLFUKLAJFFDCD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/27784-231-0x0000000000000000-mapping.dmp
memory/27912-233-0x0000000000000000-mapping.dmp
memory/27940-235-0x0000000000000000-mapping.dmp
memory/28188-237-0x0000000000000000-mapping.dmp
memory/28288-239-0x0000000000000000-mapping.dmp
memory/28376-241-0x0000000000000000-mapping.dmp
memory/28444-243-0x0000000000000000-mapping.dmp
memory/28460-245-0x0000000000000000-mapping.dmp
memory/28648-246-0x0000000000000000-mapping.dmp
memory/28692-247-0x0000000000000000-mapping.dmp
memory/28896-248-0x0000000000000000-mapping.dmp
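The Files list above records the same bytes under more than one name (GcleanerEU.exe and gcleaner.exe share every hash) and the same name with different bytes (the two Vapuqupuly.exe drops), plus a crashpad pipe whose hashes are those of the empty string. The script below is an added example, not part of the report, that parses entries in the page's layout and surfaces those three cases so an analyst keys blocklists on content hashes rather than file names. The sample entries are copied from the list above; the hash rows other than SHA256 are omitted in the sample to keep it short.

```python
"""Added example: group the dropped files of the sandbox report above by content."""
import re
from collections import defaultdict

# SHA256 of zero bytes: hashes of a pipe or handle, not of dropped content.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed sample: entries copied from the report's Files section.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\rtoy0dah.4m5\GcleanerEU.exe
| MD5 | 2d526f97060bdf0ec6d9fa55a64ca7d6 |
| SHA256 | 33b115ca78655e139f1b053c6bd75c447ee2b5df6e7feafd15ed088968a9422f |
C:\Users\Admin\AppData\Local\Temp\aiaqefuy.gaf\gcleaner.exe
| MD5 | 2d526f97060bdf0ec6d9fa55a64ca7d6 |
| SHA256 | 33b115ca78655e139f1b053c6bd75c447ee2b5df6e7feafd15ed088968a9422f |
C:\Users\Admin\AppData\Local\Temp\dc-019fa-9be-25592-1469c25916885\Vapuqupuly.exe
| SHA256 | 45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc |
C:\Users\Admin\AppData\Local\Temp\95-fc4d1-a22-f8a93-ddc5fc9c02ba6\Vapuqupuly.exe
| SHA256 | 2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431 |
memory/3800-135-0x0000000000000000-mapping.dmp
\??\pipe\LOCAL\crashpad_27396_QLWWLFUKLAJFFDCD
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
"""

HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files(text):
    """Return one dict per path that carries a SHA256; memory regions are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None  # memory dump region: no file content, no hashes
        elif not line.startswith("|"):
            current = {"path": line, "name": line.rsplit("\\", 1)[-1], "hashes": {}}
            entries.append(current)
    return [e for e in entries if "SHA256" in e["hashes"]]


def group_by_sha256(entries):
    """SHA256 -> set of paths. A path listed twice with the same hash counts once."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["hashes"]["SHA256"]].add(e["path"])
    return groups


def find_aliases(entries):
    """Content dropped under more than one path (block on the hash, not the name)."""
    return {sha: sorted(paths) for sha, paths in group_by_sha256(entries).items()
            if len(paths) > 1 and sha != EMPTY_SHA256}


def find_collisions(entries):
    """A file name reused for different content (two distinct stages, same name)."""
    by_name = defaultdict(set)
    for e in entries:
        by_name[e["name"]].add(e["hashes"]["SHA256"])
    return {name: shas for name, shas in by_name.items() if len(shas) > 1}


def find_empty(entries):
    """Paths whose recorded hashes are those of zero bytes (pipes, handles)."""
    return [e["path"] for e in entries if e["hashes"]["SHA256"] == EMPTY_SHA256]


if __name__ == "__main__":
    files = parse_files(SAMPLE_FILES)
    for sha, paths in find_aliases(files).items():
        print("same content:", sha[:16], *paths, sep="\n  ")
    for name, shas in find_collisions(files).items():
        print("same name, different content:", name, *sorted(shas), sep="\n  ")
    print("empty artifacts:", *find_empty(files), sep="\n  ")
```

Fed the whole Files section, `find_aliases` also collapses the repeated listings of sasa.exe, poweroff.exe and chenp.exe into one hash each, which is the list worth pushing to an EDR blocklist.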