gcleaner | 6e94d7d6e75439d7112e272506fc394b59e5955c5bb60357beff31a24e6b5bbc

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2023 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

380KB
MD5

4ca2c6f98e9dcd7a4033f8c538a709d3
SHA1

bc4b09303da991614fc7f34ff4ca01b8cf394940
SHA256

6e94d7d6e75439d7112e272506fc394b59e5955c5bb60357beff31a24e6b5bbc
SHA512

3ee08ca3dca33a1bf100e4f6ecb5c44e6f8802ca74028ca04a55065769627369e307ee9d4b302476137fbba716e72ce366fb6514c22bec34187ff38141d57f83
SSDEEP

6144:x/QiQXCKJm+ksmpk3U9jW1U4P9bGOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZogE:pQi3Ks6m6URA3PhGlL//plmW9bTXeVh8

Score

10^/10

gcleaner redline main discovery evasion infostealer loader persistence spyware upx vmprotect

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

redline

Botnet

main

birja1.com:29658

Attributes

auth_value
7a6d3334d5db5d02c16eec7633780063

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 11012 2404 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

786fiyon.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 786fiyon.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	11012	2404	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	786fiyon.exe

Executes dropped EXE 14 IoCs

Processes:

file.tmp786fiyon.exeTohobuzhene.exeTohobuzhene.exepoweroff.exepoweroff.tmpPower Off.exegcleaner.exechenp.exechenp.exepb1117.exeCZWWADj.exeEngine.exeSapphire.exe.pif

pid	process
2240	file.tmp
3436	786fiyon.exe
5116	Tohobuzhene.exe
4344	Tohobuzhene.exe
4984	poweroff.exe
4612	poweroff.tmp
2324	Power Off.exe
10052	gcleaner.exe
10672	chenp.exe
10736	chenp.exe
10860	pb1117.exe
10976	CZWWADj.exe
10420	Engine.exe
1608	Sapphire.exe.pif

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SETUP_43474\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_43474\Engine.exe	upx
behavioral2/memory/10420-207-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/10420-237-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/10420-238-0x0000000000400000-0x0000000000558000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ell5fjgq.snw\pb1117.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\ell5fjgq.snw\pb1117.exe	vmprotect
behavioral2/memory/10860-186-0x0000000140000000-0x000000014061C000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

786fiyon.exeTohobuzhene.exechenp.exegcleaner.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	786fiyon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Tohobuzhene.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	chenp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	gcleaner.exe

Loads dropped DLL 2 IoCs

Processes:

file.tmprundll32.exe

pid process

2240 file.tmp
11036 rundll32.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

786fiyon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Tohobuzhene.exe\""	786fiyon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Sapphire.exe.pif

description pid process target process

PID 1608 set thread context of 5888 1608 Sapphire.exe.pif jsc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

description	pid	process	target process
PID 1608 set thread context of 5888	1608	Sapphire.exe.pif	jsc.exe

Drops file in Program Files directory 9 IoCs

Processes:

786fiyon.exepoweroff.tmp

description	ioc	process
File created	C:\Program Files\Windows Portable Devices\BUIZRESTMF\poweroff.exe.config	786fiyon.exe
File created	C:\Program Files (x86)\Internet Explorer\Tohobuzhene.exe	786fiyon.exe
File created	C:\Program Files (x86)\Internet Explorer\Tohobuzhene.exe.config	786fiyon.exe
File created	C:\Program Files\Windows Portable Devices\BUIZRESTMF\poweroff.exe	786fiyon.exe
File created	C:\Program Files (x86)\powerOff\is-FGOUK.tmp	poweroff.tmp
File opened for modification	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp
File opened for modification	C:\Program Files (x86)\powerOff\Power Off.exe	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\is-5JT1C.tmp	poweroff.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
11124	11036	WerFault.exe	rundll32.exe
11172	10052	WerFault.exe	gcleaner.exe
4376	10052	WerFault.exe	gcleaner.exe
2000	10052	WerFault.exe	gcleaner.exe
3120	10052	WerFault.exe	gcleaner.exe
2476	10052	WerFault.exe	gcleaner.exe
2300	10052	WerFault.exe	gcleaner.exe
1248	10052	WerFault.exe	gcleaner.exe
2288	10052	WerFault.exe	gcleaner.exe
2084	10052	WerFault.exe	gcleaner.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exesvchost.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2352 taskkill.exe

pid	process
2352	taskkill.exe

Modifies registry class 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{D1AF077B-C81C-4395-9C8A-E41A56ECDD65}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{8FB31330-4244-4A01-838E-805BF20586E5}	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Tohobuzhene.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Tohobuzhene.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Tohobuzhene.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4364 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 63 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4364	PING.EXE

description	flow	ioc
HTTP User-Agent header	63	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

poweroff.tmpTohobuzhene.exe

pid	process
4612	poweroff.tmp
4612	poweroff.tmp
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe
5116	Tohobuzhene.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

786fiyon.exeTohobuzhene.exeTohobuzhene.exepowershell.exetaskkill.exepowershell.exedw20.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	3436	786fiyon.exe
Token: SeDebugPrivilege	5116	Tohobuzhene.exe
Token: SeDebugPrivilege	4344	Tohobuzhene.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeBackupPrivilege	5128	dw20.exe
Token: SeBackupPrivilege	5128	dw20.exe
Token: SeDebugPrivilege	5888	jsc.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

poweroff.tmpSapphire.exe.pif

pid process

4612 poweroff.tmp
1608 Sapphire.exe.pif
1608 Sapphire.exe.pif
1608 Sapphire.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Sapphire.exe.pif

pid process

1608 Sapphire.exe.pif
1608 Sapphire.exe.pif
1608 Sapphire.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

2516 OpenWith.exe

pid	process
1608	Sapphire.exe.pif
1608	Sapphire.exe.pif
1608	Sapphire.exe.pif

pid	process
2516	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exefile.tmp786fiyon.exepoweroff.exepoweroff.tmpTohobuzhene.execmd.execmd.exechenp.execmd.execmd.exerundll32.exeCZWWADj.exeEngine.exeCmD.execmd.exegcleaner.execmd.exe

description	pid	process	target process
PID 4212 wrote to memory of 2240	4212	file.exe	file.tmp
PID 4212 wrote to memory of 2240	4212	file.exe	file.tmp
PID 4212 wrote to memory of 2240	4212	file.exe	file.tmp
PID 2240 wrote to memory of 3436	2240	file.tmp	786fiyon.exe
PID 2240 wrote to memory of 3436	2240	file.tmp	786fiyon.exe
PID 3436 wrote to memory of 5116	3436	786fiyon.exe	Tohobuzhene.exe
PID 3436 wrote to memory of 5116	3436	786fiyon.exe	Tohobuzhene.exe
PID 3436 wrote to memory of 4344	3436	786fiyon.exe	Tohobuzhene.exe
PID 3436 wrote to memory of 4344	3436	786fiyon.exe	Tohobuzhene.exe
PID 3436 wrote to memory of 4984	3436	786fiyon.exe	poweroff.exe
PID 3436 wrote to memory of 4984	3436	786fiyon.exe	poweroff.exe
PID 3436 wrote to memory of 4984	3436	786fiyon.exe	poweroff.exe
PID 4984 wrote to memory of 4612	4984	poweroff.exe	poweroff.tmp
PID 4984 wrote to memory of 4612	4984	poweroff.exe	poweroff.tmp
PID 4984 wrote to memory of 4612	4984	poweroff.exe	poweroff.tmp
PID 4612 wrote to memory of 2324	4612	poweroff.tmp	Power Off.exe
PID 4612 wrote to memory of 2324	4612	poweroff.tmp	Power Off.exe
PID 5116 wrote to memory of 8440	5116	Tohobuzhene.exe	cmd.exe
PID 5116 wrote to memory of 8440	5116	Tohobuzhene.exe	cmd.exe
PID 8440 wrote to memory of 10052	8440	cmd.exe	gcleaner.exe
PID 8440 wrote to memory of 10052	8440	cmd.exe	gcleaner.exe
PID 8440 wrote to memory of 10052	8440	cmd.exe	gcleaner.exe
PID 5116 wrote to memory of 10620	5116	Tohobuzhene.exe	cmd.exe
PID 5116 wrote to memory of 10620	5116	Tohobuzhene.exe	cmd.exe
PID 10620 wrote to memory of 10672	10620	cmd.exe	chenp.exe
PID 10620 wrote to memory of 10672	10620	cmd.exe	chenp.exe
PID 10620 wrote to memory of 10672	10620	cmd.exe	chenp.exe
PID 10672 wrote to memory of 10736	10672	chenp.exe	chenp.exe
PID 10672 wrote to memory of 10736	10672	chenp.exe	chenp.exe
PID 10672 wrote to memory of 10736	10672	chenp.exe	chenp.exe
PID 5116 wrote to memory of 10800	5116	Tohobuzhene.exe	cmd.exe
PID 5116 wrote to memory of 10800	5116	Tohobuzhene.exe	cmd.exe
PID 10800 wrote to memory of 10860	10800	cmd.exe	pb1117.exe
PID 10800 wrote to memory of 10860	10800	cmd.exe	pb1117.exe
PID 5116 wrote to memory of 10924	5116	Tohobuzhene.exe	cmd.exe
PID 5116 wrote to memory of 10924	5116	Tohobuzhene.exe	cmd.exe
PID 10924 wrote to memory of 10976	10924	cmd.exe	CZWWADj.exe
PID 10924 wrote to memory of 10976	10924	cmd.exe	CZWWADj.exe
PID 10924 wrote to memory of 10976	10924	cmd.exe	CZWWADj.exe
PID 11012 wrote to memory of 11036	11012	rundll32.exe	rundll32.exe
PID 11012 wrote to memory of 11036	11012	rundll32.exe	rundll32.exe
PID 11012 wrote to memory of 11036	11012	rundll32.exe	rundll32.exe
PID 10976 wrote to memory of 10420	10976	CZWWADj.exe	Engine.exe
PID 10976 wrote to memory of 10420	10976	CZWWADj.exe	Engine.exe
PID 10976 wrote to memory of 10420	10976	CZWWADj.exe	Engine.exe
PID 10420 wrote to memory of 4076	10420	Engine.exe	CmD.exe
PID 10420 wrote to memory of 4076	10420	Engine.exe	CmD.exe
PID 10420 wrote to memory of 4076	10420	Engine.exe	CmD.exe
PID 4076 wrote to memory of 5008	4076	CmD.exe	cmd.exe
PID 4076 wrote to memory of 5008	4076	CmD.exe	cmd.exe
PID 4076 wrote to memory of 5008	4076	CmD.exe	cmd.exe
PID 5008 wrote to memory of 712	5008	cmd.exe	powershell.exe
PID 5008 wrote to memory of 712	5008	cmd.exe	powershell.exe
PID 5008 wrote to memory of 712	5008	cmd.exe	powershell.exe
PID 10052 wrote to memory of 1604	10052	gcleaner.exe	cmd.exe
PID 10052 wrote to memory of 1604	10052	gcleaner.exe	cmd.exe
PID 10052 wrote to memory of 1604	10052	gcleaner.exe	cmd.exe
PID 1604 wrote to memory of 2352	1604	cmd.exe	taskkill.exe
PID 1604 wrote to memory of 2352	1604	cmd.exe	taskkill.exe
PID 1604 wrote to memory of 2352	1604	cmd.exe	taskkill.exe
PID 5008 wrote to memory of 3476	5008	cmd.exe	powershell.exe
PID 5008 wrote to memory of 3476	5008	cmd.exe	powershell.exe
PID 5008 wrote to memory of 3476	5008	cmd.exe	powershell.exe
PID 5008 wrote to memory of 1584	5008	cmd.exe	certutil.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Users\Admin\AppData\Local\Temp\is-OD2VJ.tmp\file.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OD2VJ.tmp\file.tmp" /SL5="$30050,140518,56832,C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\is-VTEPR.tmp\786fiyon.exe
"C:\Users\Admin\AppData\Local\Temp\is-VTEPR.tmp\786fiyon.exe" /S /UID=95
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\65-04b35-423-bbab9-72d5b65fb8d59\Tohobuzhene.exe
"C:\Users\Admin\AppData\Local\Temp\65-04b35-423-bbab9-72d5b65fb8d59\Tohobuzhene.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\psgpsyju.nr4\gcleaner.exe /mixfive & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:8440

C:\Users\Admin\AppData\Local\Temp\psgpsyju.nr4\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\psgpsyju.nr4\gcleaner.exe /mixfive
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:10052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10052 -s 460
7⤵
- Program crash
PID:11172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10052 -s 764
7⤵
- Program crash
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10052 -s 772
7⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10052 -s 816
7⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10052 -s 824
7⤵
- Program crash
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10052 -s 984
7⤵
- Program crash
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10052 -s 1016
7⤵
- Program crash
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10052 -s 1348
7⤵
- Program crash
PID:2288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\psgpsyju.nr4\gcleaner.exe" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10052 -s 1372
7⤵
- Program crash
PID:2084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o2d5qsin.omp\chenp.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:10620

C:\Users\Admin\AppData\Local\Temp\o2d5qsin.omp\chenp.exe
C:\Users\Admin\AppData\Local\Temp\o2d5qsin.omp\chenp.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:10672

C:\Users\Admin\AppData\Local\Temp\o2d5qsin.omp\chenp.exe
"C:\Users\Admin\AppData\Local\Temp\o2d5qsin.omp\chenp.exe" -h
7⤵
- Executes dropped EXE
PID:10736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ell5fjgq.snw\pb1117.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:10800

C:\Users\Admin\AppData\Local\Temp\ell5fjgq.snw\pb1117.exe
C:\Users\Admin\AppData\Local\Temp\ell5fjgq.snw\pb1117.exe
6⤵
- Executes dropped EXE
PID:10860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bcgjnylp.ixr\CZWWADj.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:10924

C:\Users\Admin\AppData\Local\Temp\bcgjnylp.ixr\CZWWADj.exe
C:\Users\Admin\AppData\Local\Temp\bcgjnylp.ixr\CZWWADj.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:10976

C:\Users\Admin\AppData\Local\Temp\SETUP_43474\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_43474\Engine.exe /TH_ID=_10980 /OriginExe="C:\Users\Admin\AppData\Local\Temp\bcgjnylp.ixr\CZWWADj.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:10420

C:\Windows\SysWOW64\CmD.exe
C:\Windows\system32\CmD.exe /c cmd < 64
8⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\cmd.exe
cmd
9⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\SysWOW64\certutil.exe
certutil -decode 23 23DDdRqF
10⤵
PID:1584

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^jdjfUCLAznmSSizqPiNAzpcaRJECVAbEQRcNMoxDprqvwRmVfhrHtNGeUUnlXpESwUewLGgHNpsdoZdqlJhIbQmela$" 23DDdRqF
10⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\3548\Sapphire.exe.pif
3548\\Sapphire.exe.pif 3548\\a
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:5888

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 8
10⤵
- Runs ping.exe
PID:4364

C:\Users\Admin\AppData\Local\Temp\33-ea138-928-73bb2-3fc745e9c9327\Tohobuzhene.exe
"C:\Users\Admin\AppData\Local\Temp\33-ea138-928-73bb2-3fc745e9c9327\Tohobuzhene.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1512
5⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5128

C:\Program Files\Windows Portable Devices\BUIZRESTMF\poweroff.exe
"C:\Program Files\Windows Portable Devices\BUIZRESTMF\poweroff.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\is-UK9AI.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UK9AI.tmp\poweroff.tmp" /SL5="$601E2,490199,350720,C:\Program Files\Windows Portable Devices\BUIZRESTMF\poweroff.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4612

C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
PID:2324

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:11012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:11036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11036 -s 600
3⤵
- Program crash
PID:11124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 11036 -ip 11036
1⤵
PID:11096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 10052 -ip 10052
1⤵
PID:11152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 10052 -ip 10052
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 10052 -ip 10052
1⤵
PID:428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 10052 -ip 10052
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 10052 -ip 10052
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 10052 -ip 10052
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 10052 -ip 10052
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 10052 -ip 10052
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 10052 -ip 10052
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:5676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\powerOff\Power Off.exe
Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files (x86)\powerOff\Power Off.exe
Filesize
621KB

MD5
8d0b18eb87590fa654da3704092b122b

SHA1
aaf4417695904bd718def564b2c1dae40623cc1d

SHA256
f9d12723a5ac3ade8212b4ec2f2b8452b7deb10e071bcb4e50a9cb6cb85b1457

SHA512
fa54fad936e96ecabfab70f29fe5095b60ce5bfa7f31f6c405c42ad4f4f153ec7406d03d0451e11e886722abf28f09b219d3e8d9a703f20cb67b0950d8b70828

Download Submit
C:\Program Files\Windows Portable Devices\BUIZRESTMF\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Program Files\Windows Portable Devices\BUIZRESTMF\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
2f99bcbd6c206841e0f19e270a5ea2d6

SHA1
394a13146550e4735c7cd332d1cd79c200961292

SHA256
3cf663aa97db01fe1121dfee285e9a12ecc10164db92a6d8dbd13fcb4de6144d

SHA512
673bf596461e490e1d6450a0e454d468e630d3fa10bb6fa737a0c715693344f094934d7deb137d7511fea038406dfce40b09c9e15cf926176d5be945a853263e

Download Submit
C:\Users\Admin\AppData\Local\Temp\33-ea138-928-73bb2-3fc745e9c9327\Tohobuzhene.exe
Filesize
586KB

MD5
208e4cd441cdd40a55ee0fc96316e331

SHA1
cddcd13535391b96c8ec650a22f1503f93ca092c

SHA256
2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431

SHA512
bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651

Download Submit
C:\Users\Admin\AppData\Local\Temp\33-ea138-928-73bb2-3fc745e9c9327\Tohobuzhene.exe
Filesize
586KB

MD5
208e4cd441cdd40a55ee0fc96316e331

SHA1
cddcd13535391b96c8ec650a22f1503f93ca092c

SHA256
2f1a9b94d5fce31cab6e35b22b00e4f73b80582d3635ba113a10b2caa5015431

SHA512
bb7891ab9afbe99ce7f0235c155ebe943f8790fcd7bbe1b4420960c2b703f4c96aae84dd8005704fb79bb7edc0f1e4e3270f12bdce060cb8936b6bad0c814651

Download Submit
C:\Users\Admin\AppData\Local\Temp\33-ea138-928-73bb2-3fc745e9c9327\Tohobuzhene.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\65-04b35-423-bbab9-72d5b65fb8d59\Kenessey.txt
Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\65-04b35-423-bbab9-72d5b65fb8d59\Tohobuzhene.exe
Filesize
377KB

MD5
97627b2f5f03f91345b467a2a4b34e1a

SHA1
863ef84ed38a90a5141b381d074f417e3ff0b5fc

SHA256
45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc

SHA512
7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\65-04b35-423-bbab9-72d5b65fb8d59\Tohobuzhene.exe
Filesize
377KB

MD5
97627b2f5f03f91345b467a2a4b34e1a

SHA1
863ef84ed38a90a5141b381d074f417e3ff0b5fc

SHA256
45570616c6bc66ad969a2b343240794096ce515103abea1eb7d4fbcf099bcebc

SHA512
7a738404b761ad637f0f106144d746d6bc97d03e8adfed4c8a7c60cab22e4b2138dcbf9d185d753b92ad9f3de56689932225fd555ff556dbc6c5269d9600d0c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\65-04b35-423-bbab9-72d5b65fb8d59\Tohobuzhene.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_43474\00000#15
Filesize
703KB

MD5
df71877bb70145c158ee749484d637e5

SHA1
af402cbddb2166c83fe4a22d542442b4e0690768

SHA256
b645ec264e0cfb2bdc9551902fd026c32808c2b3d4837a43c2303151ed994144

SHA512
ba024d5cadc7483f10566da88e99273d5d38c17f9206392f2f3d86fb0d8f75eaeedb11c7b8d57a378089b5e90d45cbd1e1a787b80a6cfdcc7e162342e7d86330

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_43474\00001#23
Filesize
1.2MB

MD5
701d6702294745ec4dacfa44185f3a1f

SHA1
2f10d2d401ea759b215df8f226f9aaef292b4078

SHA256
00a8e70fa0887bf3f554be24e02b319c8d2cb272304faed4bcb78349902992e0

SHA512
95ede9988f3cf0a549bf3b28667710683e7936ec7fdd3b4c0ad4e38fda17916d3e5c7cf54b859cea54ff88f25fe487d24db4b8f03ce2d16401b3958de0b8a190

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_43474\00002#64
Filesize
14KB

MD5
a298fc34bd36502c2feb227ab10877eb

SHA1
3e088657aa4207907e206194149185bc03bdee5d

SHA256
52ba970eecdcb4253474ec350e960d6a4dc3a1e44680ea9a970119129d158191

SHA512
11fb7c57fd29145781bd0ed2ebd0f277fdee06978791a2ccff1b0f84dd4ae4ec165a2622976493d27a852d7ca2118302002b685b1fbb6d71270e0ccaa14728a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_43474\Engine.exe
Filesize
392KB

MD5
debfb007af59891f08aaa75bff0e0df0

SHA1
cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87

SHA256
e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7

SHA512
1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_43474\Engine.exe
Filesize
392KB

MD5
debfb007af59891f08aaa75bff0e0df0

SHA1
cb00e41eeb60bc27cd32aad7adfc347a2b0e8f87

SHA256
e5a077d2a393e938f9cd7a2529f8b71a81f15406c2f19b878eb4ffdb15d483c7

SHA512
1bb3effddb47b30b9d7780cc05cb26061c8f6362c808bbca78a24833ca1884d4c2072eda6a5213a51458f2e0b9036f204a4f50ea771ba6294ac9c051b28832c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_43474\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_43474\Setup.txt
Filesize
2KB

MD5
4659c49e470bbfee63e5fb5c3124b5f5

SHA1
f6d8fec5e142f7bef189222876184e7a4f328d77

SHA256
57be12e2d60db927a577b4b6b2a9fc3bb675a45b9800eea0e8f746d4da9baac2

SHA512
3c3d59266297ef361c79c016dd6814e1c762d3d2fb5063d0c5c66a0ce214a163cbff4406c03f91268e967f7fdecd7cfd529a4e5ced5729322cc3d41f9890a895

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcgjnylp.ixr\CZWWADj.exe
Filesize
1.4MB

MD5
fd165fda80732035427ac5c9536506ac

SHA1
f23998921c36740a05380fc53c1bc5747a19db05

SHA256
06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d

SHA512
a58425dc863f6af016233367efed8476cb4177aac90ea623fc0b4df6a4ad3b4df99dc26cf14cc3f61bf24a74ab4043dc3454004e788e6c7e12fb901c8767b9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcgjnylp.ixr\CZWWADj.exe
Filesize
1.4MB

MD5
fd165fda80732035427ac5c9536506ac

SHA1
f23998921c36740a05380fc53c1bc5747a19db05

SHA256
06ccee05be0cb619beb6729d90111bb77577c68de4d2a07c60166ce541a6103d

SHA512
a58425dc863f6af016233367efed8476cb4177aac90ea623fc0b4df6a4ad3b4df99dc26cf14cc3f61bf24a74ab4043dc3454004e788e6c7e12fb901c8767b9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
76c3dbb1e9fea62090cdf53dadcbe28e

SHA1
d44b32d04adc810c6df258be85dc6b62bd48a307

SHA256
556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

SHA512
de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
0b35335b70b96d31633d0caa207d71f9

SHA1
996c7804fe4d85025e2bd7ea8aa5e33c71518f84

SHA256
ec01d244074f45d4f698f5713147e99d76053824a648b306e1debf69f3ba9ce6

SHA512
ab3d770e99b3f379165863808f3ffc55d64d8e9384a158e6695d7325e97fa1bb570c5088ccdc1d2c3b90df5be11d6722ede15e7b6552bf90e748cb9c28ab94ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ell5fjgq.snw\pb1117.exe
Filesize
3.5MB

MD5
6e7a0b3199263c35b19f7e4c129d3460

SHA1
168fb1c154d0eca4dd386932a7a218c6bd3ca392

SHA256
0d5785c534c6d2a4bd5fe6c7a6d06523fa85511be1d950515f1be68516295b48

SHA512
ec95c79cf3e24bfbaf4833cb261c6f5e28b092dd8a34d8601b39dacb186bdaddf46315c68c616c139115497af4a10cf7e528d95e4651b4c9b225cee2ab3a3eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ell5fjgq.snw\pb1117.exe
Filesize
3.5MB

MD5
6e7a0b3199263c35b19f7e4c129d3460

SHA1
168fb1c154d0eca4dd386932a7a218c6bd3ca392

SHA256
0d5785c534c6d2a4bd5fe6c7a6d06523fa85511be1d950515f1be68516295b48

SHA512
ec95c79cf3e24bfbaf4833cb261c6f5e28b092dd8a34d8601b39dacb186bdaddf46315c68c616c139115497af4a10cf7e528d95e4651b4c9b225cee2ab3a3eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OD2VJ.tmp\file.tmp
Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UK9AI.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UK9AI.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VTEPR.tmp\786fiyon.exe
Filesize
575KB

MD5
6e622962e3b594986c6fb741209dae50

SHA1
d3494b77672360358ca5b7cf8b71aab9efaac3c6

SHA256
20abfee8beab1d2162dff8f81023f1c0678cd16c0aeaf6d1d0eada5331a52279

SHA512
4498cea1decb1aa8f1fba950b3de00572a2d5171c858470011267106e0423c1d16ff06766518be67ca7fd3aa9bdb3f5750032a1acb3a4ac445487271317f03ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VTEPR.tmp\786fiyon.exe
Filesize
575KB

MD5
6e622962e3b594986c6fb741209dae50

SHA1
d3494b77672360358ca5b7cf8b71aab9efaac3c6

SHA256
20abfee8beab1d2162dff8f81023f1c0678cd16c0aeaf6d1d0eada5331a52279

SHA512
4498cea1decb1aa8f1fba950b3de00572a2d5171c858470011267106e0423c1d16ff06766518be67ca7fd3aa9bdb3f5750032a1acb3a4ac445487271317f03ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VTEPR.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2d5qsin.omp\chenp.exe
Filesize
160KB

MD5
861253a1ff4bdacab4ddd1a1df3efc50

SHA1
5512ad9b91d5c5972ac0a4c5f0f28d966054807c

SHA256
9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

SHA512
39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2d5qsin.omp\chenp.exe
Filesize
160KB

MD5
861253a1ff4bdacab4ddd1a1df3efc50

SHA1
5512ad9b91d5c5972ac0a4c5f0f28d966054807c

SHA256
9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

SHA512
39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2d5qsin.omp\chenp.exe
Filesize
160KB

MD5
861253a1ff4bdacab4ddd1a1df3efc50

SHA1
5512ad9b91d5c5972ac0a4c5f0f28d966054807c

SHA256
9a3a87d0f2eeeca3e36bbaef7833c44f20e6162075c7cea9a89bce15d3d2269d

SHA512
39751c804a3ec9184f031d30682caae9232dfa00e0c00c7dbd2e09bc640147822f633593546b249b92be6f8896a1cabb08c8d70888d0082d3735be32f60d8927

Download Submit
C:\Users\Admin\AppData\Local\Temp\psgpsyju.nr4\gcleaner.exe
Filesize
365KB

MD5
60d0301fc7167e83b90d1a882b771105

SHA1
f73f940aeaab5f0df6133e05257c39e839d29779

SHA256
1aeec1ada070c9ae4f48bb8d3d9d783932cd767d765f12e3b5db67ad5224d2fa

SHA512
e04079a8e14354f0a54f266cb58aa5a1117427834cd53551a98b09439058181a8268e6e8b74d725e4b3fef8387ad8e476e4fcae3fee40d6c9bf99a9fc2bec58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\psgpsyju.nr4\gcleaner.exe
Filesize
365KB

MD5
60d0301fc7167e83b90d1a882b771105

SHA1
f73f940aeaab5f0df6133e05257c39e839d29779

SHA256
1aeec1ada070c9ae4f48bb8d3d9d783932cd767d765f12e3b5db67ad5224d2fa

SHA512
e04079a8e14354f0a54f266cb58aa5a1117427834cd53551a98b09439058181a8268e6e8b74d725e4b3fef8387ad8e476e4fcae3fee40d6c9bf99a9fc2bec58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\23DDdRqF
Filesize
872KB

MD5
bffb8a21a31753c1b89ed768421d6762

SHA1
133606479ee6fc8a60dc2dd3f0a13b62b79da54a

SHA256
5957bb04b17675dde4f67b46c0521ca34245ae2ef30d1107f3bf3a2d2c7b7db7

SHA512
2a76dc72c5d02cfbdd2eba4823b6f62bdf7700ab21709bbbe8f2f13a0bca208ff1b3c4e189e9c93745f33d929b7609065c01b21cc45493f9fac42ebc46186677

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmq2swfe.f5a\3548\Sapphire.exe.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/712-216-0x0000000004B70000-0x0000000004B92000-memory.dmp

Filesize
136KB

Download
memory/712-214-0x0000000004C50000-0x0000000005278000-memory.dmp

Filesize
6.2MB

Download
memory/712-224-0x0000000006020000-0x000000000603A000-memory.dmp

Filesize
104KB

Download
memory/712-226-0x00000000070A0000-0x0000000007644000-memory.dmp

Filesize
5.6MB

Download
memory/712-223-0x00000000060A0000-0x0000000006136000-memory.dmp

Filesize
600KB

Download
memory/712-212-0x0000000000000000-mapping.dmp

Download
memory/712-220-0x0000000005B20000-0x0000000005B3E000-memory.dmp

Filesize
120KB

Download
memory/712-213-0x0000000002230000-0x0000000002266000-memory.dmp

Filesize
216KB

Download
memory/712-225-0x0000000006070000-0x0000000006092000-memory.dmp

Filesize
136KB

Download
memory/712-218-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/712-217-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/1052-231-0x0000000000000000-mapping.dmp

Download
memory/1584-230-0x0000000000000000-mapping.dmp

Download
memory/1604-215-0x0000000000000000-mapping.dmp

Download
memory/1608-233-0x0000000000000000-mapping.dmp

Download
memory/2240-135-0x0000000000000000-mapping.dmp

Download
memory/2324-162-0x0000000000000000-mapping.dmp

Download
memory/2324-165-0x00007FF8C2640000-0x00007FF8C3076000-memory.dmp

Filesize
10.2MB

Download
memory/2352-219-0x0000000000000000-mapping.dmp

Download
memory/3436-138-0x0000000000000000-mapping.dmp

Download
memory/3436-168-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3436-170-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3436-141-0x0000000000E40000-0x0000000000ED4000-memory.dmp

Filesize
592KB

Download
memory/3436-142-0x00007FF8CBCA0000-0x00007FF8CC761000-memory.dmp

Filesize
10.8MB

Download
memory/3476-227-0x0000000000000000-mapping.dmp

Download
memory/4076-210-0x0000000000000000-mapping.dmp

Download
memory/4212-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4212-166-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4212-171-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4212-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4344-160-0x00007FF8C2640000-0x00007FF8C3076000-memory.dmp

Filesize
10.2MB

Download
memory/4344-147-0x0000000000000000-mapping.dmp

Download
memory/4364-235-0x0000000000000000-mapping.dmp

Download
memory/4612-156-0x0000000000000000-mapping.dmp

Download
memory/4984-157-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4984-153-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4984-169-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4984-151-0x0000000000000000-mapping.dmp

Download
memory/5008-211-0x0000000000000000-mapping.dmp

Download
memory/5116-159-0x00007FF8C2640000-0x00007FF8C3076000-memory.dmp

Filesize
10.2MB

Download
memory/5116-143-0x0000000000000000-mapping.dmp

Download
memory/5128-236-0x0000000000000000-mapping.dmp

Download
memory/5888-239-0x0000000000000000-mapping.dmp

Download
memory/5888-250-0x0000000007170000-0x00000000071C0000-memory.dmp

Filesize
320KB

Download
memory/5888-249-0x00000000070F0000-0x0000000007166000-memory.dmp

Filesize
472KB

Download
memory/5888-248-0x00000000085C0000-0x0000000008AEC000-memory.dmp

Filesize
5.2MB

Download
memory/5888-247-0x0000000007EC0000-0x0000000008082000-memory.dmp

Filesize
1.8MB

Download
memory/5888-246-0x0000000005C20000-0x0000000005CB2000-memory.dmp

Filesize
584KB

Download
memory/5888-245-0x00000000058B0000-0x00000000058EC000-memory.dmp

Filesize
240KB

Download
memory/5888-244-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/5888-243-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/5888-242-0x0000000005DC0000-0x00000000063D8000-memory.dmp

Filesize
6.1MB

Download
memory/5888-240-0x0000000000F50000-0x0000000000F82000-memory.dmp

Filesize
200KB

Download
memory/8440-172-0x0000000000000000-mapping.dmp

Download
memory/10052-221-0x0000000000538000-0x000000000055F000-memory.dmp

Filesize
156KB

Download
memory/10052-200-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/10052-199-0x0000000002090000-0x00000000020D0000-memory.dmp

Filesize
256KB

Download
memory/10052-198-0x0000000000538000-0x000000000055F000-memory.dmp

Filesize
156KB

Download
memory/10052-173-0x0000000000000000-mapping.dmp

Download
memory/10052-222-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/10420-207-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/10420-201-0x0000000000000000-mapping.dmp

Download
memory/10420-237-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/10420-238-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/10620-176-0x0000000000000000-mapping.dmp

Download
memory/10672-177-0x0000000000000000-mapping.dmp

Download
memory/10736-180-0x0000000000000000-mapping.dmp

Download
memory/10800-182-0x0000000000000000-mapping.dmp

Download
memory/10860-183-0x0000000000000000-mapping.dmp

Download
memory/10860-186-0x0000000140000000-0x000000014061C000-memory.dmp

Filesize
6.1MB

Download
memory/10924-190-0x0000000000000000-mapping.dmp

Download
memory/10976-191-0x0000000000000000-mapping.dmp

Download
memory/11036-195-0x0000000000000000-mapping.dmp

Download