gcleaner | 6e94d7d6e75439d7112e272506fc394b59e5955c5bb60357beff31a24e6b5bbc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

380KB
MD5

4ca2c6f98e9dcd7a4033f8c538a709d3
SHA1

bc4b09303da991614fc7f34ff4ca01b8cf394940
SHA256

6e94d7d6e75439d7112e272506fc394b59e5955c5bb60357beff31a24e6b5bbc
SHA512

3ee08ca3dca33a1bf100e4f6ecb5c44e6f8802ca74028ca04a55065769627369e307ee9d4b302476137fbba716e72ce366fb6514c22bec34187ff38141d57f83
SSDEEP

6144:x/QiQXCKJm+ksmpk3U9jW1U4P9bGOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZogE:pQi3Ks6m6URA3PhGlL//plmW9bTXeVh8

Score

10^/10

gcleaner redline main discovery evasion infostealer loader persistence spyware upx vmprotect

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

redline

Botnet

main

birja1.com:29658

Attributes

auth_value
7a6d3334d5db5d02c16eec7633780063

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 216 4740 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

786fiyon.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 786fiyon.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4740	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	786fiyon.exe

Executes dropped EXE 14 IoCs

Processes:

file.tmp786fiyon.exeGijajadoshae.exeGijajadoshae.exepoweroff.exepoweroff.tmpPower Off.exegcleaner.exechenp.exepb1117.exechenp.exeCZWWADj.exeEngine.exeSapphire.exe.pif

pid	process
3980	file.tmp
3284	786fiyon.exe
1308	Gijajadoshae.exe
1344	Gijajadoshae.exe
3024	poweroff.exe
4860	poweroff.tmp
4796	Power Off.exe
5584	gcleaner.exe
5828	chenp.exe
1296	pb1117.exe
4376	chenp.exe
2128	CZWWADj.exe
4964	Engine.exe
5912	Sapphire.exe.pif

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Engine.exe	upx
behavioral2/memory/4964-221-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/4964-250-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/4964-262-0x0000000000400000-0x0000000000558000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe	vmprotect
behavioral2/memory/1296-196-0x0000000140000000-0x000000014061C000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

786fiyon.exeGijajadoshae.exechenp.exegcleaner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	786fiyon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Gijajadoshae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	chenp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gcleaner.exe

Loads dropped DLL 2 IoCs

Processes:

file.tmpsvchost.exe

pid process

3980 file.tmp
3048 svchost.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

786fiyon.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Gijajadoshae.exe\""	786fiyon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Sapphire.exe.pif

description pid process target process

PID 5912 set thread context of 1504 5912 Sapphire.exe.pif jsc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

description	pid	process	target process
PID 5912 set thread context of 1504	5912	Sapphire.exe.pif	jsc.exe

Drops file in Program Files directory 11 IoCs

Processes:

poweroff.tmpsetup.exe786fiyon.exe

description	ioc	process
File created	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\is-IMSJ2.tmp	poweroff.tmp
File opened for modification	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2e0036c4-296c-41c7-a784-03797f92a185.tmp	setup.exe
File created	C:\Program Files\Java\YHELLEWGIV\poweroff.exe.config	786fiyon.exe
File created	C:\Program Files (x86)\Internet Explorer\Gijajadoshae.exe.config	786fiyon.exe
File opened for modification	C:\Program Files (x86)\powerOff\Power Off.exe	poweroff.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230129201348.pma	setup.exe
File created	C:\Program Files\Java\YHELLEWGIV\poweroff.exe	786fiyon.exe
File created	C:\Program Files (x86)\Internet Explorer\Gijajadoshae.exe	786fiyon.exe
File created	C:\Program Files (x86)\powerOff\is-SVI9I.tmp	poweroff.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3952	3048	WerFault.exe	rundll32.exe
5096	5584	WerFault.exe	gcleaner.exe
5840	5584	WerFault.exe	gcleaner.exe
2296	5584	WerFault.exe	gcleaner.exe
4720	5584	WerFault.exe	gcleaner.exe
5732	5584	WerFault.exe	gcleaner.exe
4224	5584	WerFault.exe	gcleaner.exe
4376	5584	WerFault.exe	gcleaner.exe
4060	5584	WerFault.exe	gcleaner.exe
428	5584	WerFault.exe	gcleaner.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5096 taskkill.exe

pid	process
5096	taskkill.exe

Modifies registry class 3 IoCs

Processes:

msedge.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{D99E609B-36C0-4569-87BA-8DDFB5291B89}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{AEEC0295-B519-4D1E-9327-4A718454FCDE}	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Gijajadoshae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Gijajadoshae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Gijajadoshae.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2660 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 81 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2660	PING.EXE

description	flow	ioc
HTTP User-Agent header	81	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

poweroff.tmpGijajadoshae.exe

pid	process
4860	poweroff.tmp
4860	poweroff.tmp
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe
1308	Gijajadoshae.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

5160 msedge.exe
5160 msedge.exe
5160 msedge.exe
5160 msedge.exe
5160 msedge.exe

pid	process
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

786fiyon.exeGijajadoshae.exeGijajadoshae.exepowershell.exetaskkill.exepowershell.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	3284	786fiyon.exe
Token: SeDebugPrivilege	1344	Gijajadoshae.exe
Token: SeDebugPrivilege	1308	Gijajadoshae.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1504	jsc.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

poweroff.tmpmsedge.exeSapphire.exe.pif

pid process

4860 poweroff.tmp
5160 msedge.exe
5160 msedge.exe
5160 msedge.exe
5912 Sapphire.exe.pif
5912 Sapphire.exe.pif
5912 Sapphire.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Sapphire.exe.pif

pid process

5912 Sapphire.exe.pif
5912 Sapphire.exe.pif
5912 Sapphire.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4340 OpenWith.exe

pid	process
5912	Sapphire.exe.pif
5912	Sapphire.exe.pif
5912	Sapphire.exe.pif

pid	process
4340	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exefile.tmp786fiyon.exepoweroff.exepoweroff.tmpGijajadoshae.exeGijajadoshae.exemsedge.execmd.execmd.exe

description	pid	process	target process
PID 516 wrote to memory of 3980	516	file.exe	file.tmp
PID 516 wrote to memory of 3980	516	file.exe	file.tmp
PID 516 wrote to memory of 3980	516	file.exe	file.tmp
PID 3980 wrote to memory of 3284	3980	file.tmp	786fiyon.exe
PID 3980 wrote to memory of 3284	3980	file.tmp	786fiyon.exe
PID 3284 wrote to memory of 1308	3284	786fiyon.exe	Gijajadoshae.exe
PID 3284 wrote to memory of 1308	3284	786fiyon.exe	Gijajadoshae.exe
PID 3284 wrote to memory of 3024	3284	786fiyon.exe	poweroff.exe
PID 3284 wrote to memory of 3024	3284	786fiyon.exe	poweroff.exe
PID 3284 wrote to memory of 3024	3284	786fiyon.exe	poweroff.exe
PID 3284 wrote to memory of 1344	3284	786fiyon.exe	Gijajadoshae.exe
PID 3284 wrote to memory of 1344	3284	786fiyon.exe	Gijajadoshae.exe
PID 3024 wrote to memory of 4860	3024	poweroff.exe	poweroff.tmp
PID 3024 wrote to memory of 4860	3024	poweroff.exe	poweroff.tmp
PID 3024 wrote to memory of 4860	3024	poweroff.exe	poweroff.tmp
PID 4860 wrote to memory of 4796	4860	poweroff.tmp	Power Off.exe
PID 4860 wrote to memory of 4796	4860	poweroff.tmp	Power Off.exe
PID 1308 wrote to memory of 2284	1308	Gijajadoshae.exe	cmd.exe
PID 1308 wrote to memory of 2284	1308	Gijajadoshae.exe	cmd.exe
PID 1344 wrote to memory of 5160	1344	Gijajadoshae.exe	msedge.exe
PID 1344 wrote to memory of 5160	1344	Gijajadoshae.exe	msedge.exe
PID 5160 wrote to memory of 5544	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5544	5160	msedge.exe	msedge.exe
PID 2284 wrote to memory of 5584	2284	cmd.exe	gcleaner.exe
PID 2284 wrote to memory of 5584	2284	cmd.exe	gcleaner.exe
PID 2284 wrote to memory of 5584	2284	cmd.exe	gcleaner.exe
PID 1308 wrote to memory of 5716	1308	Gijajadoshae.exe	cmd.exe
PID 1308 wrote to memory of 5716	1308	Gijajadoshae.exe	cmd.exe
PID 5716 wrote to memory of 5828	5716	cmd.exe	chenp.exe
PID 5716 wrote to memory of 5828	5716	cmd.exe	chenp.exe
PID 5716 wrote to memory of 5828	5716	cmd.exe	chenp.exe
PID 1308 wrote to memory of 5916	1308	Gijajadoshae.exe	cmd.exe
PID 1308 wrote to memory of 5916	1308	Gijajadoshae.exe	cmd.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe
PID 5160 wrote to memory of 5932	5160	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Users\Admin\AppData\Local\Temp\is-AFF77.tmp\file.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AFF77.tmp\file.tmp" /SL5="$90060,140518,56832,C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\is-1DS51.tmp\786fiyon.exe
"C:\Users\Admin\AppData\Local\Temp\is-1DS51.tmp\786fiyon.exe" /S /UID=95
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Local\Temp\35-74f75-d75-efa9a-e0d8934a27293\Gijajadoshae.exe
"C:\Users\Admin\AppData\Local\Temp\35-74f75-d75-efa9a-e0d8934a27293\Gijajadoshae.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\otmzqsu4.ueu\gcleaner.exe /mixfive & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\otmzqsu4.ueu\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\otmzqsu4.ueu\gcleaner.exe /mixfive
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 452
7⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 764
7⤵
- Program crash
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 764
7⤵
- Program crash
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 796
7⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 804
7⤵
- Program crash
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 984
7⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 1016
7⤵
- Program crash
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 1356
7⤵
- Program crash
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\otmzqsu4.ueu\gcleaner.exe" & exit
7⤵
PID:376

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 492
7⤵
- Program crash
PID:428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:5716

C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe
C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:5828

C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe
"C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe" -h
7⤵
- Executes dropped EXE
PID:4376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe & exit
5⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe
C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe
6⤵
- Executes dropped EXE
PID:1296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lkkvu4cc.pye\CZWWADj.exe & exit
5⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\lkkvu4cc.pye\CZWWADj.exe
C:\Users\Admin\AppData\Local\Temp\lkkvu4cc.pye\CZWWADj.exe
6⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Engine.exe /TH_ID=_3164 /OriginExe="C:\Users\Admin\AppData\Local\Temp\lkkvu4cc.pye\CZWWADj.exe"
7⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWOW64\CmD.exe
C:\Windows\system32\CmD.exe /c cmd < 64
8⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd
9⤵
PID:5344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\certutil.exe
certutil -decode 23 23DDdRqF
10⤵
PID:3092

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^jdjfUCLAznmSSizqPiNAzpcaRJECVAbEQRcNMoxDprqvwRmVfhrHtNGeUUnlXpESwUewLGgHNpsdoZdqlJhIbQmela$" 23DDdRqF
10⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\24347\Sapphire.exe.pif
24347\\Sapphire.exe.pif 24347\\a
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 8
10⤵
- Runs ping.exe
PID:2660

C:\Users\Admin\AppData\Local\Temp\0d-a17f0-31d-1f4af-c0b295fcc816e\Gijajadoshae.exe
"C:\Users\Admin\AppData\Local\Temp\0d-a17f0-31d-1f4af-c0b295fcc816e\Gijajadoshae.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffccf546f8,0x7fffccf54708,0x7fffccf54718
6⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
6⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
6⤵
PID:5980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
6⤵
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
6⤵
PID:728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
6⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 /prefetch:8
6⤵
PID:2576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
6⤵
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5380 /prefetch:8
6⤵
PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
6⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
6⤵
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
6⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
6⤵
- Drops file in Program Files directory
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1bc,0x22c,0x7ff788e05460,0x7ff788e05470,0x7ff788e05480
7⤵
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
6⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1944 /prefetch:8
6⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8
6⤵
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16109285727761161238,9555604475601881851,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4204 /prefetch:2
6⤵
PID:3920

C:\Program Files\Java\YHELLEWGIV\poweroff.exe
"C:\Program Files\Java\YHELLEWGIV\poweroff.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\is-QRTKB.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QRTKB.tmp\poweroff.tmp" /SL5="$70028,490199,350720,C:\Program Files\Java\YHELLEWGIV\poweroff.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4860

C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
PID:4796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:216

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 604
3⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3048 -ip 3048
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5584 -ip 5584
1⤵
PID:3700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5584 -ip 5584
1⤵
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5584 -ip 5584
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5584 -ip 5584
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5584 -ip 5584
1⤵
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5584 -ip 5584
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5584 -ip 5584
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5584 -ip 5584
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Loads dropped DLL
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5584 -ip 5584
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\powerOff\Power Off.exe
Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files (x86)\powerOff\Power Off.exe
Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files\Java\YHELLEWGIV\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Program Files\Java\YHELLEWGIV\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
2fed33e740769b42681ce4b9d0d8955d

SHA1
3de687b3494114133e4c154b5d7a671615d13aaa

SHA256
30b946b2512dc5849684b0a5ea05edb3c1ea07b6cd997f32a97b498e7f0f1136

SHA512
1604bde447494e03c6223383cc4a3b0503e7ea40ab746c5d83407fb173b930b1d3a1a10afc5c8a770dcfb46f1fb018281704e57756572d68530f2a9047e9a959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
28KB

MD5
d0d4ca9ef8451751ff0535677dbcf8da

SHA1
5dde1d579605dd83e81b6590d44b717d9bd9f6ee

SHA256
086af9fa57ca7035b56126bde2d8481b35ea5a86b24e3c95cddf1a0db3ff41f5

SHA512
df87ec75c92bc5991294795fd05ad8aa0622e61f4338253ecc25a5284f66bbaa5cd51f74741534c7823018d9b3bd98e78c722e0755b4f7f9d6f9e1fa449cf36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
9a4a28a1aa862cb5582e225faf40e210

SHA1
3d5b6d47a2234564a83ce7dfbc25f2307a430177

SHA256
e6c0b71ecd5cb0620ff163d15967a1e91ac094757dad23c8a66dcf5c332a5f91

SHA512
5c61fb2865613b035edf9648967b936bfa93a041470320c62d49a433e184c6bc25ce621cbac42c0cc410636e2e88f222fc65204decd831c409b3e7323c3aab6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
266798f8baf5678dd40cd8dea79836a5

SHA1
aa3369f17eec312ed393b9036d608e6f32c96180

SHA256
9f6596288e00bb7214c0061e3dfc5e2fa847e3285eac377be5319ba0443015f5

SHA512
0cac0629769986ae383cc92dba04c6763d6996f0198c26abb55abbacf33861c72fae4d93b8b90f9334d839c9483baa6b8a4084d0a4d2fbbae38cb441093f87b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d-a17f0-31d-1f4af-c0b295fcc816e\Gijajadoshae.exe
Filesize
586KB

MD5
208e4cd441cdd40a55ee0fc96316e331

SHA1
cddcd13535391b96c8ec650a22f1503f93ca092c

SHA256
2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431

SHA512
bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d-a17f0-31d-1f4af-c0b295fcc816e\Gijajadoshae.exe
Filesize
586KB

MD5
208e4cd441cdd40a55ee0fc96316e331

SHA1
cddcd13535391b96c8ec650a22f1503f93ca092c

SHA256
2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431

SHA512
bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d-a17f0-31d-1f4af-c0b295fcc816e\Gijajadoshae.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\35-74f75-d75-efa9a-e0d8934a27293\Gijajadoshae.exe
Filesize
377KB

MD5
97627b2f5f03f91345b467a2a4b34e1a

SHA1
863ef84ed38a90a5141b381d074f417e3ff0b5fc

SHA256
45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc

SHA512
7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\35-74f75-d75-efa9a-e0d8934a27293\Gijajadoshae.exe
Filesize
377KB

MD5
97627b2f5f03f91345b467a2a4b34e1a

SHA1
863ef84ed38a90a5141b381d074f417e3ff0b5fc

SHA256
45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc

SHA512
7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\35-74f75-d75-efa9a-e0d8934a27293\Gijajadoshae.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\35-74f75-d75-efa9a-e0d8934a27293\Kenessey.txt
Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_41388\00000#15
Filesize
703KB

MD5
df71877bb70145c158ee749484d637e5

SHA1
af402cbddb2166c83fe4a22d542442b4e0690768

SHA256
b645ec264e0cfb2bdc9551902fd026c32808c2b3d4837a43c2303151ed994144

SHA512
ba024d5cadc7483f10566da88e99273d5d38c17f9206392f2f3d86fb0d8f75eaeedb11c7b8d57a378089b5e90d45cbd1e1a787b80a6cfdcc7e162342e7d86330

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_41388\00001#23
Filesize
1.2MB

MD5
701d6702294745ec4dacfa44185f3a1f

SHA1
2f10d2d401ea759b215df8f226f9aaef292b4078

SHA256
00a8e70fa0887bf3f554be24e02b319c8d2cb272304faed4bcb78349902992e0

SHA512
95ede9988f3cf0a549bf3b28667710683e7936ec7fdd3b4c0ad4e38fda17916d3e5c7cf54b859cea54ff88f25fe487d24db4b8f03ce2d16401b3958de0b8a190

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_41388\00002#64
Filesize
14KB

MD5
a298fc34bd36502c2feb227ab10877eb

SHA1
3e088657aa4207907e206194149185bc03bdee5d

SHA256
52ba970eecdcb4253474ec350e960d6a4dc3a1e44680ea9a970119129d158191

SHA512
11fb7c57fd29145781bd0ed2ebd0f277fdee06978791a2ccff1b0f84dd4ae4ec165a2622976493d27a852d7ca2118302002b685b1fbb6d71270e0ccaa14728a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Engine.exe
Filesize
392KB

MD5
debfb007af59891f08aaa75bff0e0df0

SHA1
cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87

SHA256
e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7

SHA512
1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Engine.exe
Filesize
392KB

MD5
debfb007af59891f08aaa75bff0e0df0

SHA1
cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87

SHA256
e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7

SHA512
1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_41388\Setup.txt
Filesize
2KB

MD5
4659c49e470bbfee63e5fb5c3124b5f5

SHA1
f6d8fec5e142f7bef189222876184e7a4f328d77

SHA256
57be12e2d60db927a577b4b6b2a9fc3bb675a45b9800eea0e8f746d4da9baac2

SHA512
3c3d59266297ef361c79c016dd6814e1c762d3d2fb5063d0c5c66a0ce214a163cbff4406c03f91268e967f7fdecd7cfd529a4e5ced5729322cc3d41f9890a895

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
76c3dbb1e9fea62090cdf53dadcbe28e

SHA1
d44b32d04adc810c6df258be85dc6b62bd48a307

SHA256
556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

SHA512
de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1DS51.tmp\786fiyon.exe
Filesize
575KB

MD5
6e622962e3b594986c6fb741209dae50

SHA1
d3494b77672360358ca5b7cf8b71aab9efaac3c6

SHA256
20abfee8beab1d2162dff8f81023f1c0678cd16c0aeaf6d1d0eada5331a52279

SHA512
4498cea1decb1aa8f1fba950b3de00572a2d5171c858470011267106e0423c1d16ff06766518be67ca7fd3aa9bdb3f5750032a1acb3a4ac445487271317f03ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1DS51.tmp\786fiyon.exe
Filesize
575KB

MD5
6e622962e3b594986c6fb741209dae50

SHA1
d3494b77672360358ca5b7cf8b71aab9efaac3c6

SHA256
20abfee8beab1d2162dff8f81023f1c0678cd16c0aeaf6d1d0eada5331a52279

SHA512
4498cea1decb1aa8f1fba950b3de00572a2d5171c858470011267106e0423c1d16ff06766518be67ca7fd3aa9bdb3f5750032a1acb3a4ac445487271317f03ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1DS51.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AFF77.tmp\file.tmp
Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QRTKB.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QRTKB.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkkvu4cc.pye\CZWWADj.exe
Filesize
1.4MB

MD5
fd165fda80732035427ac5c9536506ac

SHA1
f23998921c36740a05380fc53c1bc5747a19db05

SHA256
06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d

SHA512
a58425dc863f6af016233367efed8476cb4177aac90ea623fc0b4df6a4ad3b4df99dc26cf14cc3f61bf24a74ab4043dc3454004e788e6c7e12fb901c8767b9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkkvu4cc.pye\CZWWADj.exe
Filesize
1.4MB

MD5
fd165fda80732035427ac5c9536506ac

SHA1
f23998921c36740a05380fc53c1bc5747a19db05

SHA256
06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d

SHA512
a58425dc863f6af016233367efed8476cb4177aac90ea623fc0b4df6a4ad3b4df99dc26cf14cc3f61bf24a74ab4043dc3454004e788e6c7e12fb901c8767b9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\otmzqsu4.ueu\gcleaner.exe
Filesize
365KB

MD5
60d0301fc7167e83b90d1a882b771105

SHA1
f73f940aeaab5f0df6133e05257c39e839d29779

SHA256
1aeec1ada070c9ae4f48bb8d3d9d783932cd767d765f12e3b5db67ad5224d2fa

SHA512
e04079a8e14354f0a54f266cb58aa5a1117427834cd53551a98b09439058181a8268e6e8b74d725e4b3fef8387ad8e476e4fcae3fee40d6c9bf99a9fc2bec58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\otmzqsu4.ueu\gcleaner.exe
Filesize
365KB

MD5
60d0301fc7167e83b90d1a882b771105

SHA1
f73f940aeaab5f0df6133e05257c39e839d29779

SHA256
1aeec1ada070c9ae4f48bb8d3d9d783932cd767d765f12e3b5db67ad5224d2fa

SHA512
e04079a8e14354f0a54f266cb58aa5a1117427834cd53551a98b09439058181a8268e6e8b74d725e4b3fef8387ad8e476e4fcae3fee40d6c9bf99a9fc2bec58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe
Filesize
3.5MB

MD5
6e7a0b3199263c35b19f7e4c129d3460

SHA1
168fb1c154d0eca4dd386932a7a218c6bd3ca392

SHA256
0d5785c534c6d2a4bd5fe6c7a6d06523fa85511be1d950515f1be68516295b48

SHA512
ec95c79cf3e24bfbaf4833cb261c6f5e28b092dd8a34d8601b39dacb186bdaddf46315c68c616c139115497af4a10cf7e528d95e4651b4c9b225cee2ab3a3eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\swsx2shf.f2h\pb1117.exe
Filesize
3.5MB

MD5
6e7a0b3199263c35b19f7e4c129d3460

SHA1
168fb1c154d0eca4dd386932a7a218c6bd3ca392

SHA256
0d5785c534c6d2a4bd5fe6c7a6d06523fa85511be1d950515f1be68516295b48

SHA512
ec95c79cf3e24bfbaf4833cb261c6f5e28b092dd8a34d8601b39dacb186bdaddf46315c68c616c139115497af4a10cf7e528d95e4651b4c9b225cee2ab3a3eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\23DDdRqF
Filesize
872KB

MD5
bffb8a21a31753c1b89ed768421d6762

SHA1
133606479ee6fc8a60dc2dd3f0a13b62b79da54a

SHA256
5957bb04b17675dde4f67b46c0521ca34245ae2ef30d1107f3bf3a2d2c7b7db7

SHA512
2a76dc72c5d02cfbdd2eba4823b6f62bdf7700ab21709bbbe8f2f13a0bca208ff1b3c4e189e9c93745f33d929b7609065c01b21cc45493f9fac42ebc46186677

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\24347\Sapphire.exe.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe
Filesize
160KB

MD5
861253a1ff4bdacab4ddd1a1df3efc50

SHA1
5512ad9b91d5c5972ac0a4c5f0f28d966054807c

SHA256
9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

SHA512
39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe
Filesize
160KB

MD5
861253a1ff4bdacab4ddd1a1df3efc50

SHA1
5512ad9b91d5c5972ac0a4c5f0f28d966054807c

SHA256
9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

SHA512
39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhviyzvy.m5c\chenp.exe
Filesize
160KB

MD5
861253a1ff4bdacab4ddd1a1df3efc50

SHA1
5512ad9b91d5c5972ac0a4c5f0f28d966054807c

SHA256
9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

SHA512
39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

Download Submit
\??\pipe\LOCAL\crashpad_5160_BTPBWNCFDNEEKVCF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/376-239-0x0000000000000000-mapping.dmp

Download
memory/380-281-0x0000000000000000-mapping.dmp

Download
memory/516-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/516-160-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/516-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/632-220-0x0000000000000000-mapping.dmp

Download
memory/728-194-0x0000000000000000-mapping.dmp

Download
memory/920-252-0x0000000000000000-mapping.dmp

Download
memory/1040-264-0x0000000000000000-mapping.dmp

Download
memory/1048-230-0x0000000000000000-mapping.dmp

Download
memory/1296-187-0x0000000000000000-mapping.dmp

Download
memory/1296-196-0x0000000140000000-0x000000014061C000-memory.dmp

Filesize
6.1MB

Download
memory/1300-229-0x0000000000000000-mapping.dmp

Download
memory/1308-161-0x00007FFFCDD60000-0x00007FFFCE796000-memory.dmp

Filesize
10.2MB

Download
memory/1308-143-0x0000000000000000-mapping.dmp

Download
memory/1344-145-0x0000000000000000-mapping.dmp

Download
memory/1344-162-0x00007FFFCDD60000-0x00007FFFCE796000-memory.dmp

Filesize
10.2MB

Download
memory/1364-247-0x0000000000000000-mapping.dmp

Download
memory/1436-258-0x0000000000000000-mapping.dmp

Download
memory/1504-273-0x0000000007B40000-0x0000000007D02000-memory.dmp

Filesize
1.8MB

Download
memory/1504-270-0x0000000005580000-0x0000000005592000-memory.dmp

Filesize
72KB

Download
memory/1504-279-0x00000000070F0000-0x0000000007166000-memory.dmp

Filesize
472KB

Download
memory/1504-274-0x0000000008240000-0x000000000876C000-memory.dmp

Filesize
5.2MB

Download
memory/1504-272-0x0000000006100000-0x0000000006192000-memory.dmp

Filesize
584KB

Download
memory/1504-277-0x0000000006DC0000-0x0000000006E10000-memory.dmp

Filesize
320KB

Download
memory/1504-266-0x0000000000F80000-0x0000000000FB2000-memory.dmp

Filesize
200KB

Download
memory/1504-268-0x0000000005AE0000-0x00000000060F8000-memory.dmp

Filesize
6.1MB

Download
memory/1504-271-0x00000000055E0000-0x000000000561C000-memory.dmp

Filesize
240KB

Download
memory/1504-269-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/1504-265-0x0000000000000000-mapping.dmp

Download
memory/1820-227-0x0000000000000000-mapping.dmp

Download
memory/1896-186-0x0000000000000000-mapping.dmp

Download
memory/2128-203-0x0000000000000000-mapping.dmp

Download
memory/2284-169-0x0000000000000000-mapping.dmp

Download
memory/2496-244-0x0000000007390000-0x0000000007934000-memory.dmp

Filesize
5.6MB

Download
memory/2496-236-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/2496-243-0x00000000060A0000-0x00000000060C2000-memory.dmp

Filesize
136KB

Download
memory/2496-238-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/2496-237-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/2496-242-0x0000000006050000-0x000000000606A000-memory.dmp

Filesize
104KB

Download
memory/2496-232-0x0000000000000000-mapping.dmp

Download
memory/2496-233-0x00000000045A0000-0x00000000045D6000-memory.dmp

Filesize
216KB

Download
memory/2496-234-0x0000000004CC0000-0x00000000052E8000-memory.dmp

Filesize
6.2MB

Download
memory/2496-235-0x0000000004BC0000-0x0000000004BE2000-memory.dmp

Filesize
136KB

Download
memory/2496-241-0x0000000006D40000-0x0000000006DD6000-memory.dmp

Filesize
600KB

Download
memory/2564-207-0x0000000000000000-mapping.dmp

Download
memory/2576-201-0x0000000000000000-mapping.dmp

Download
memory/2660-256-0x0000000000000000-mapping.dmp

Download
memory/3024-190-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3024-144-0x0000000000000000-mapping.dmp

Download
memory/3024-155-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3024-153-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3048-209-0x0000000000000000-mapping.dmp

Download
memory/3092-251-0x0000000000000000-mapping.dmp

Download
memory/3284-138-0x0000000000000000-mapping.dmp

Download
memory/3284-141-0x0000000000BD0000-0x0000000000C64000-memory.dmp

Filesize
592KB

Download
memory/3284-142-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3284-157-0x00007FFFCDCD0000-0x00007FFFCE791000-memory.dmp

Filesize
10.8MB

Download
memory/3640-197-0x0000000000000000-mapping.dmp

Download
memory/3768-257-0x0000000000000000-mapping.dmp

Download
memory/3920-282-0x0000000000000000-mapping.dmp

Download
memory/3980-135-0x0000000000000000-mapping.dmp

Download
memory/4044-259-0x0000000000000000-mapping.dmp

Download
memory/4376-191-0x0000000000000000-mapping.dmp

Download
memory/4796-167-0x00007FFFCDD60000-0x00007FFFCE796000-memory.dmp

Filesize
10.2MB

Download
memory/4796-164-0x0000000000000000-mapping.dmp

Download
memory/4860-158-0x0000000000000000-mapping.dmp

Download
memory/4964-250-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4964-262-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4964-221-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4964-215-0x0000000000000000-mapping.dmp

Download
memory/5096-240-0x0000000000000000-mapping.dmp

Download
memory/5160-170-0x0000000000000000-mapping.dmp

Download
memory/5344-231-0x0000000000000000-mapping.dmp

Download
memory/5544-171-0x0000000000000000-mapping.dmp

Download
memory/5584-212-0x0000000000868000-0x000000000088E000-memory.dmp

Filesize
152KB

Download
memory/5584-213-0x0000000001FA0000-0x0000000001FE0000-memory.dmp

Filesize
256KB

Download
memory/5584-245-0x0000000000868000-0x000000000088E000-memory.dmp

Filesize
152KB

Download
memory/5584-246-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5584-214-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5584-172-0x0000000000000000-mapping.dmp

Download
memory/5716-175-0x0000000000000000-mapping.dmp

Download
memory/5828-176-0x0000000000000000-mapping.dmp

Download
memory/5912-254-0x0000000000000000-mapping.dmp

Download
memory/5916-179-0x0000000000000000-mapping.dmp

Download
memory/5932-181-0x0000000000000000-mapping.dmp

Download
memory/5980-182-0x0000000000000000-mapping.dmp

Download
memory/6000-185-0x0000000000000000-mapping.dmp

Download