b54ba4ba78226ae1209a7b44fba1e620e312fd03fbd5f51f3756511b3720ae88

Analysis

max time kernel
169s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2023, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gyazo-4.5.1.exe
Size

14.3MB
MD5

974a311c7403249bdfd7925ab8643a77
SHA1

cd386f131a13fa7bfeb8cf073d81b8e2dbd3d389
SHA256

b54ba4ba78226ae1209a7b44fba1e620e312fd03fbd5f51f3756511b3720ae88
SHA512

686d03c56ab48537418e12edd7b235dec217e57824a0b06ea88a1e24cfcdb507302c4fa623b4542753d01ec3762e643a336a550c5f0dbcab3bf6f162d68dce13
SSDEEP

393216://BH5NkNQAQvvBMVlMxgFNV7tDviIbty3+kSrJQKqX8r:RHE2Aw+RNdV03+kSrJQKVr

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Gyazo-4.5.1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Gyazowin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	GyStation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Gyazowin.exe

Executes dropped EXE 9 IoCs

pid	Process
5068	Gyazo-4.5.1.tmp
1464	GyStation.exe
4444	GyStation.exe
320	GyStation.exe
2232	Gyazowin.exe
4280	GyOnboarding.exe
4856	Gyazowin.exe
3000	GyazoGIF.exe
1232	GyazoReplay.exe

Loads dropped DLL 64 IoCs

pid	Process
320	GyStation.exe
320	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
320	GyStation.exe
320	GyStation.exe
320	GyStation.exe
320	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
320	GyStation.exe
320	GyStation.exe
320	GyStation.exe
320	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
320	GyStation.exe
320	GyStation.exe
1464	GyStation.exe
320	GyStation.exe
320	GyStation.exe
320	GyStation.exe
320	GyStation.exe
320	GyStation.exe
320	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
320	GyStation.exe
320	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
320	GyStation.exe
320	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	Gyazo-4.5.1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gyazo	Gyazo-4.5.1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gyazo = "C:\\Program Files (x86)\\Gyazo\\GyStation.exe"	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Gyazo\is-96HE7.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-NDAMF.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-9PNM9.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\ja-JP\GyStation.resources.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\Gyazo.Error.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\GoogleMeasurementProtocol.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\NAudio.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\GyStation.exe	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\ja-JP\GyazoReplay.resources.dll	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\ja-JP\is-R3OE1.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-4UNQN.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-CDAHL.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-PLPH0.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\MetroRadiance.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\SharpVectors.Core.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\Microsoft.Threading.Tasks.Extensions.Desktop.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\Nito.AsyncEx.Enlightenment.dll	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-0D720.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\MFVideoEncoder.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\GyOnboarding.exe	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\Microsoft.Threading.Tasks.Extensions.dll	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-MU4JH.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\Newtonsoft.Json.dll	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-47MMC.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-4JO92.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\Microsoft.Expression.Interactions.dll	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-6890S.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-TB2CC.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-AB8GL.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c2d65d63-1f7d-47de-9c7e-552a94ab778d.tmp	setup.exe
File created	C:\Program Files (x86)\Gyazo\is-U9PLJ.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\SharpVectors.Converters.Wpf.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\GyazoReplay.exe	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\SharpVectors.Runtime.Wpf.dll	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-BJHRI.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\SharpVectors.Rendering.Wpf.dll	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-MBJPT.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-URH8A.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\Gyazowin.exe	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\JumpList.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\Gyazo.Model.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\ReactiveProperty.NET45.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\System.Reactive.Interfaces.dll	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\unins000.msg	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\unins000.dat	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\SharpRaven.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\SharpVectors.Css.dll	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-HED27.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-2GI3V.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-PP3MF.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\SharpAvi.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\WindowCapture.exe	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-0P0FF.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-2VDUE.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-UMOQF.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\System.Windows.Interactivity.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\SharpVectors.Model.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\VerifySign.exe	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\ja-JP\is-1I4ML.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-ETB5O.tmp	Gyazo-4.5.1.tmp
File created	C:\Program Files (x86)\Gyazo\is-NV7FI.tmp	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\ReactiveProperty.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\System.Reactive.PlatformServices.dll	Gyazo-4.5.1.tmp
File opened for modification	C:\Program Files (x86)\Gyazo\lame.exe	Gyazo-4.5.1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
324	schtasks.exe
2372	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	GyOnboarding.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "19"	GyOnboarding.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\gyazo.com\ = "19"	GyOnboarding.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\gyazo.com\Total = "19"	GyOnboarding.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\gyazo.com\ = "0"	GyOnboarding.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\gyazo.com	GyOnboarding.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\gyazo.com	GyOnboarding.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GyOnboarding.exe = "11001"	GyOnboarding.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL	GyOnboarding.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL\GyOnboarding.exe = "1"	GyOnboarding.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\gyazo.com\NumberOfSubdomains = "1"	GyOnboarding.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\gyazo.com\Total = "0"	GyOnboarding.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	GyOnboarding.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	GyOnboarding.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpg	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpg\shell\Gyazo\ = "Send to Gyazo (&G)"	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.webp\shell\Gyazo\command	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpg\shell\Gyazo\command\ = "\"C:\\Program Files (x86)\\Gyazo\\Gyazowin.exe\" \"%1\""	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.webp	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.webp\shell\Gyazo\command\ = "\"C:\\Program Files (x86)\\Gyazo\\Gyazowin.exe\" \"%1\""	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.png\shell	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.gif\shell\Gyazo\command	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpg\shell\Gyazo\Icon = "\"C:\\Program Files (x86)\\Gyazo\\Gyazowin.exe\""	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpg\shell\Gyazo	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpg\shell\Gyazo\command	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpeg	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpeg\shell\Gyazo\ = "Send to Gyazo (&G)"	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.png\shell\Gyazo\Icon = "\"C:\\Program Files (x86)\\Gyazo\\Gyazowin.exe\""	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.png\shell\Gyazo\command	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.png\shell\Gyazo\command\ = "\"C:\\Program Files (x86)\\Gyazo\\Gyazowin.exe\" \"%1\""	GyStation.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{0F601FE7-CD47-412C-B619-682371E33C88}	GyOnboarding.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpeg\shell\Gyazo	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.webp\shell	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.webp\shell\Gyazo\ = "Send to Gyazo (&G)"	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.png\shell\Gyazo	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.png	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.gif\shell\Gyazo\command\ = "\"C:\\Program Files (x86)\\Gyazo\\Gyazowin.exe\" \"%1\""	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpeg\shell\Gyazo\Icon = "\"C:\\Program Files (x86)\\Gyazo\\Gyazowin.exe\""	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.webp\shell\Gyazo\Icon = "\"C:\\Program Files (x86)\\Gyazo\\Gyazowin.exe\""	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.gif\shell\Gyazo	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.gif	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.gif\shell\Gyazo\ = "Send to Gyazo (&G)"	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpeg\shell\Gyazo\command\ = "\"C:\\Program Files (x86)\\Gyazo\\Gyazowin.exe\" \"%1\""	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.png\shell\Gyazo\ = "Send to Gyazo (&G)"	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.gif\shell	GyStation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.gif\shell\Gyazo\Icon = "\"C:\\Program Files (x86)\\Gyazo\\Gyazowin.exe\""	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.webp\shell\Gyazo	GyStation.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpg\shell	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpeg\shell	GyStation.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SystemFileAssociations\.jpeg\shell\Gyazo\command	GyStation.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5068	Gyazo-4.5.1.tmp
5068	Gyazo-4.5.1.tmp
2232	Gyazowin.exe
2232	Gyazowin.exe
4280	GyOnboarding.exe
4280	GyOnboarding.exe
4540	msedge.exe
4540	msedge.exe
1512	msedge.exe
1512	msedge.exe
3824	identity_helper.exe
3824	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	GyStation.exe
Token: SeDebugPrivilege	4280	GyOnboarding.exe
Token: SeShutdownPrivilege	4280	GyOnboarding.exe
Token: SeCreatePagefilePrivilege	4280	GyOnboarding.exe
Token: SeShutdownPrivilege	4280	GyOnboarding.exe
Token: SeCreatePagefilePrivilege	4280	GyOnboarding.exe
Token: SeShutdownPrivilege	4280	GyOnboarding.exe
Token: SeCreatePagefilePrivilege	4280	GyOnboarding.exe
Token: SeShutdownPrivilege	4280	GyOnboarding.exe
Token: SeCreatePagefilePrivilege	4280	GyOnboarding.exe
Token: SeShutdownPrivilege	4280	GyOnboarding.exe
Token: SeCreatePagefilePrivilege	4280	GyOnboarding.exe
Token: SeShutdownPrivilege	4280	GyOnboarding.exe
Token: SeCreatePagefilePrivilege	4280	GyOnboarding.exe
Token: SeShutdownPrivilege	4280	GyOnboarding.exe
Token: SeCreatePagefilePrivilege	4280	GyOnboarding.exe
Token: SeShutdownPrivilege	4280	GyOnboarding.exe
Token: SeCreatePagefilePrivilege	4280	GyOnboarding.exe
Token: 33	2648	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2648	AUDIODG.EXE
Token: SeDebugPrivilege	3000	GyazoGIF.exe
Token: SeDebugPrivilege	1232	GyazoReplay.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
5068	Gyazo-4.5.1.tmp
4444	GyStation.exe
320	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
320	GyStation.exe
320	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
4444	GyStation.exe
1464	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
4280	GyOnboarding.exe
4280	GyOnboarding.exe
4280	GyOnboarding.exe
4280	GyOnboarding.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
4444	GyStation.exe
320	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe
320	GyStation.exe
320	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe
4444	GyStation.exe
1464	GyStation.exe
4444	GyStation.exe
4444	GyStation.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1464	GyStation.exe
4280	GyOnboarding.exe
4280	GyOnboarding.exe
2232	Gyazowin.exe
2232	Gyazowin.exe
4856	Gyazowin.exe
4856	Gyazowin.exe
1464	GyStation.exe
1464	GyStation.exe
1464	GyStation.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 5068	4892	Gyazo-4.5.1.exe	82
PID 4892 wrote to memory of 5068	4892	Gyazo-4.5.1.exe	82
PID 4892 wrote to memory of 5068	4892	Gyazo-4.5.1.exe	82
PID 5068 wrote to memory of 1464	5068	Gyazo-4.5.1.tmp	84
PID 5068 wrote to memory of 1464	5068	Gyazo-4.5.1.tmp	84
PID 5068 wrote to memory of 1464	5068	Gyazo-4.5.1.tmp	84
PID 5068 wrote to memory of 4444	5068	Gyazo-4.5.1.tmp	85
PID 5068 wrote to memory of 4444	5068	Gyazo-4.5.1.tmp	85
PID 5068 wrote to memory of 4444	5068	Gyazo-4.5.1.tmp	85
PID 5068 wrote to memory of 320	5068	Gyazo-4.5.1.tmp	86
PID 5068 wrote to memory of 320	5068	Gyazo-4.5.1.tmp	86
PID 5068 wrote to memory of 320	5068	Gyazo-4.5.1.tmp	86
PID 5068 wrote to memory of 324	5068	Gyazo-4.5.1.tmp	87
PID 5068 wrote to memory of 324	5068	Gyazo-4.5.1.tmp	87
PID 5068 wrote to memory of 324	5068	Gyazo-4.5.1.tmp	87
PID 5068 wrote to memory of 2372	5068	Gyazo-4.5.1.tmp	90
PID 5068 wrote to memory of 2372	5068	Gyazo-4.5.1.tmp	90
PID 5068 wrote to memory of 2372	5068	Gyazo-4.5.1.tmp	90
PID 5068 wrote to memory of 2232	5068	Gyazo-4.5.1.tmp	94
PID 5068 wrote to memory of 2232	5068	Gyazo-4.5.1.tmp	94
PID 5068 wrote to memory of 2232	5068	Gyazo-4.5.1.tmp	94
PID 2232 wrote to memory of 4280	2232	Gyazowin.exe	95
PID 2232 wrote to memory of 4280	2232	Gyazowin.exe	95
PID 2232 wrote to memory of 4280	2232	Gyazowin.exe	95
PID 2232 wrote to memory of 1512	2232	Gyazowin.exe	105
PID 2232 wrote to memory of 1512	2232	Gyazowin.exe	105
PID 1512 wrote to memory of 3996	1512	msedge.exe	106
PID 1512 wrote to memory of 3996	1512	msedge.exe	106
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107
PID 1512 wrote to memory of 1500	1512	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\Gyazo-4.5.1.exe
"C:\Users\Admin\AppData\Local\Temp\Gyazo-4.5.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\is-HEMMO.tmp\Gyazo-4.5.1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HEMMO.tmp\Gyazo-4.5.1.tmp" /SL5="$200FE,14400491,141824,C:\Users\Admin\AppData\Local\Temp\Gyazo-4.5.1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Program Files (x86)\Gyazo\GyStation.exe
    "C:\Program Files (x86)\Gyazo\GyStation.exe" /start_resident
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1464
  - - C:\Program Files (x86)\Gyazo\Gyazowin.exe
      "C:\Program Files (x86)\Gyazo\Gyazowin.exe" /ltt
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gyazo.com/e17b9b327326db730af3ecdbe35ed65c?token=05228c8d58b11130557fcbdeb6bd9971
        5⤵
        
        PID:4720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffece6446f8,0x7ffece644708,0x7ffece644718
        6⤵
        
        PID:2816
  - - C:\Program Files (x86)\Gyazo\GyazoReplay.exe
      "C:\Program Files (x86)\Gyazo\GyazoReplay.exe" /ltt
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1232
- - C:\Program Files (x86)\Gyazo\GyStation.exe
    "C:\Program Files (x86)\Gyazo\GyStation.exe" /balloon "Welcome to Gyazo!@Gyazo has been added to your taskbar. Click the icon then drag to capture or right click for settings."
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4444
- - C:\Program Files (x86)\Gyazo\GyStation.exe
    "C:\Program Files (x86)\Gyazo\GyStation.exe" /imagefilecontextmenu=on
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:320
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN GyazoUpdateTaskMachine /TR "\"C:\Program Files (x86)\Gyazo\GyazoUpdate.exe"\" /SC ONLOGON /F /RL HIGHEST /DELAY 0020:00
    3⤵
    - Creates scheduled task(s)
    PID:324
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN GyazoUpdateTaskMachineDaily /TR "\"C:\Program Files (x86)\Gyazo\GyazoUpdate.exe"\" /SC DAILY /F /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2372
- - C:\Program Files (x86)\Gyazo\Gyazowin.exe
    "C:\Program Files (x86)\Gyazo\Gyazowin.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Program Files (x86)\Gyazo\GyOnboarding.exe
      "C:\Program Files (x86)\Gyazo\GyOnboarding.exe"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:4280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gyazo.com/be92333b389db03de610a898f7dc6c4f?token=906628d2ac7419757c76a74ce3e32b82
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0xe0,0xd4,0xd8,0x104,0x7ffece6446f8,0x7ffece644708,0x7ffece644718
        5⤵
        
        PID:3996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        5⤵
        
        PID:1500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
        5⤵
        
        PID:1444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
        5⤵
        
        PID:2628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        5⤵
        
        PID:3116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
        5⤵
        
        PID:2756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5216 /prefetch:8
        5⤵
        
        PID:2636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5952 /prefetch:8
        5⤵
        
        PID:4516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
        5⤵
        
        PID:2876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:4756
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff767ef5460,0x7ff767ef5470,0x7ff767ef5480
        6⤵
        
        PID:4968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
        5⤵
        
        PID:4516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17859480572273019259,3435209747077166947,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
        5⤵
        
        PID:2324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x4dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4672

C:\Program Files (x86)\Gyazo\GyazoGIF.exe
"C:\Program Files (x86)\Gyazo\GyazoGIF.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gyazo\GyStation.exe

Filesize
919KB

MD5
1c6fc537a6efcb2302d0c3c25cc4ef64

SHA1
dae12abf83553869163628cd925aace56bee389e

SHA256
51613b4ea9d29842f5ad5930ffd3274a283b3c5114dbd8ca9897ac87fe4751c5

SHA512
22e4d6ff3768f6b4fd5052920339213a2bf8bd1a2dda9e964a554dafea107e0ebeb8f0bb0e05aabd4f0f1048aabff66a02ef210723f86e5a75231c9dba500030

Download Submit
C:\Program Files (x86)\Gyazo\GyStation.exe

Filesize
919KB

MD5
1c6fc537a6efcb2302d0c3c25cc4ef64

SHA1
dae12abf83553869163628cd925aace56bee389e

SHA256
51613b4ea9d29842f5ad5930ffd3274a283b3c5114dbd8ca9897ac87fe4751c5

SHA512
22e4d6ff3768f6b4fd5052920339213a2bf8bd1a2dda9e964a554dafea107e0ebeb8f0bb0e05aabd4f0f1048aabff66a02ef210723f86e5a75231c9dba500030

Download Submit
C:\Program Files (x86)\Gyazo\GyStation.exe

Filesize
919KB

MD5
1c6fc537a6efcb2302d0c3c25cc4ef64

SHA1
dae12abf83553869163628cd925aace56bee389e

SHA256
51613b4ea9d29842f5ad5930ffd3274a283b3c5114dbd8ca9897ac87fe4751c5

SHA512
22e4d6ff3768f6b4fd5052920339213a2bf8bd1a2dda9e964a554dafea107e0ebeb8f0bb0e05aabd4f0f1048aabff66a02ef210723f86e5a75231c9dba500030

Download Submit
C:\Program Files (x86)\Gyazo\GyStation.exe

Filesize
919KB

MD5
1c6fc537a6efcb2302d0c3c25cc4ef64

SHA1
dae12abf83553869163628cd925aace56bee389e

SHA256
51613b4ea9d29842f5ad5930ffd3274a283b3c5114dbd8ca9897ac87fe4751c5

SHA512
22e4d6ff3768f6b4fd5052920339213a2bf8bd1a2dda9e964a554dafea107e0ebeb8f0bb0e05aabd4f0f1048aabff66a02ef210723f86e5a75231c9dba500030

Download Submit
C:\Program Files (x86)\Gyazo\GyStation.exe.config

Filesize
798B

MD5
d4a03ecf4055681bf2a35fd48831504b

SHA1
64163ff07037c69e9bd139853c0c649457cc4e37

SHA256
14b3a73e2037ef0291b64fd14118679e98c90d667177d36476c92b6a8d40a114

SHA512
906aedb29b143d845983a92e6b23a8fcef97c1e9b525d8093cbd96e8d90117e43397777d7eb65356f3ec982019f9b84d120bee7a2eb680c1e221691180dadb8a

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Base.dll

Filesize
30KB

MD5
da86f224b29fd901a9c1dd86de600839

SHA1
f9dd291900e5b8e24a7d8f00b3a832482c734211

SHA256
86bc89542eb730cf8d6ed63c0851be3d48a37117bc86624c4d64b818a5541bd1

SHA512
de826a98f128121f51edf5e5a9fa2455828937878435423fc0d1af02f122e59839ad57d0ed0f53c8b41fbc28586296436e94881661c39cd39cf348cfb228c6d5

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Base.dll

Filesize
30KB

MD5
da86f224b29fd901a9c1dd86de600839

SHA1
f9dd291900e5b8e24a7d8f00b3a832482c734211

SHA256
86bc89542eb730cf8d6ed63c0851be3d48a37117bc86624c4d64b818a5541bd1

SHA512
de826a98f128121f51edf5e5a9fa2455828937878435423fc0d1af02f122e59839ad57d0ed0f53c8b41fbc28586296436e94881661c39cd39cf348cfb228c6d5

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Base.dll

Filesize
30KB

MD5
da86f224b29fd901a9c1dd86de600839

SHA1
f9dd291900e5b8e24a7d8f00b3a832482c734211

SHA256
86bc89542eb730cf8d6ed63c0851be3d48a37117bc86624c4d64b818a5541bd1

SHA512
de826a98f128121f51edf5e5a9fa2455828937878435423fc0d1af02f122e59839ad57d0ed0f53c8b41fbc28586296436e94881661c39cd39cf348cfb228c6d5

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Base.dll

Filesize
30KB

MD5
da86f224b29fd901a9c1dd86de600839

SHA1
f9dd291900e5b8e24a7d8f00b3a832482c734211

SHA256
86bc89542eb730cf8d6ed63c0851be3d48a37117bc86624c4d64b818a5541bd1

SHA512
de826a98f128121f51edf5e5a9fa2455828937878435423fc0d1af02f122e59839ad57d0ed0f53c8b41fbc28586296436e94881661c39cd39cf348cfb228c6d5

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Base.dll

Filesize
30KB

MD5
da86f224b29fd901a9c1dd86de600839

SHA1
f9dd291900e5b8e24a7d8f00b3a832482c734211

SHA256
86bc89542eb730cf8d6ed63c0851be3d48a37117bc86624c4d64b818a5541bd1

SHA512
de826a98f128121f51edf5e5a9fa2455828937878435423fc0d1af02f122e59839ad57d0ed0f53c8b41fbc28586296436e94881661c39cd39cf348cfb228c6d5

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Base.dll

Filesize
30KB

MD5
da86f224b29fd901a9c1dd86de600839

SHA1
f9dd291900e5b8e24a7d8f00b3a832482c734211

SHA256
86bc89542eb730cf8d6ed63c0851be3d48a37117bc86624c4d64b818a5541bd1

SHA512
de826a98f128121f51edf5e5a9fa2455828937878435423fc0d1af02f122e59839ad57d0ed0f53c8b41fbc28586296436e94881661c39cd39cf348cfb228c6d5

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Base.dll

Filesize
30KB

MD5
da86f224b29fd901a9c1dd86de600839

SHA1
f9dd291900e5b8e24a7d8f00b3a832482c734211

SHA256
86bc89542eb730cf8d6ed63c0851be3d48a37117bc86624c4d64b818a5541bd1

SHA512
de826a98f128121f51edf5e5a9fa2455828937878435423fc0d1af02f122e59839ad57d0ed0f53c8b41fbc28586296436e94881661c39cd39cf348cfb228c6d5

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Data.dll

Filesize
23KB

MD5
3d5c0af3ed149ff8c774014cb2f99854

SHA1
5d4ea1c85bf19a0fcf46069ec8f9a383cb128e3a

SHA256
b192c3d32b759f529e78ce70a977d2f9051d1382eb6450ccef97c05f42baf5a9

SHA512
ebbab7e49057341aaf62afc70fa0f2478c03b57a327d398f6b0e746524a4b648815302ee036d9454713b9caa5a43c7e42106ca12cef3f4a40508a30ca5aca1ca

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Data.dll

Filesize
23KB

MD5
3d5c0af3ed149ff8c774014cb2f99854

SHA1
5d4ea1c85bf19a0fcf46069ec8f9a383cb128e3a

SHA256
b192c3d32b759f529e78ce70a977d2f9051d1382eb6450ccef97c05f42baf5a9

SHA512
ebbab7e49057341aaf62afc70fa0f2478c03b57a327d398f6b0e746524a4b648815302ee036d9454713b9caa5a43c7e42106ca12cef3f4a40508a30ca5aca1ca

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Data.dll

Filesize
23KB

MD5
3d5c0af3ed149ff8c774014cb2f99854

SHA1
5d4ea1c85bf19a0fcf46069ec8f9a383cb128e3a

SHA256
b192c3d32b759f529e78ce70a977d2f9051d1382eb6450ccef97c05f42baf5a9

SHA512
ebbab7e49057341aaf62afc70fa0f2478c03b57a327d398f6b0e746524a4b648815302ee036d9454713b9caa5a43c7e42106ca12cef3f4a40508a30ca5aca1ca

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Data.dll

Filesize
23KB

MD5
3d5c0af3ed149ff8c774014cb2f99854

SHA1
5d4ea1c85bf19a0fcf46069ec8f9a383cb128e3a

SHA256
b192c3d32b759f529e78ce70a977d2f9051d1382eb6450ccef97c05f42baf5a9

SHA512
ebbab7e49057341aaf62afc70fa0f2478c03b57a327d398f6b0e746524a4b648815302ee036d9454713b9caa5a43c7e42106ca12cef3f4a40508a30ca5aca1ca

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Error.dll

Filesize
13KB

MD5
43675f2666cac4cb2fab10ceff158632

SHA1
34d1ce180cd9e6bbea7f5903ef73fb8504304384

SHA256
e21e0fc8fcc814020934a2e9f81c6c788402d565d4b478cebbbec6001795bbdd

SHA512
5e3a3384f1cb988a1774d18b6e46e9b3b85cbfb774d15b8c8e3e0855e352ec146b08087d6dde6fb999f5d234cabfa1a42d7493b70e84659fe131aef3b29e79b8

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Error.dll

Filesize
13KB

MD5
43675f2666cac4cb2fab10ceff158632

SHA1
34d1ce180cd9e6bbea7f5903ef73fb8504304384

SHA256
e21e0fc8fcc814020934a2e9f81c6c788402d565d4b478cebbbec6001795bbdd

SHA512
5e3a3384f1cb988a1774d18b6e46e9b3b85cbfb774d15b8c8e3e0855e352ec146b08087d6dde6fb999f5d234cabfa1a42d7493b70e84659fe131aef3b29e79b8

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Error.dll

Filesize
13KB

MD5
43675f2666cac4cb2fab10ceff158632

SHA1
34d1ce180cd9e6bbea7f5903ef73fb8504304384

SHA256
e21e0fc8fcc814020934a2e9f81c6c788402d565d4b478cebbbec6001795bbdd

SHA512
5e3a3384f1cb988a1774d18b6e46e9b3b85cbfb774d15b8c8e3e0855e352ec146b08087d6dde6fb999f5d234cabfa1a42d7493b70e84659fe131aef3b29e79b8

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Error.dll

Filesize
13KB

MD5
43675f2666cac4cb2fab10ceff158632

SHA1
34d1ce180cd9e6bbea7f5903ef73fb8504304384

SHA256
e21e0fc8fcc814020934a2e9f81c6c788402d565d4b478cebbbec6001795bbdd

SHA512
5e3a3384f1cb988a1774d18b6e46e9b3b85cbfb774d15b8c8e3e0855e352ec146b08087d6dde6fb999f5d234cabfa1a42d7493b70e84659fe131aef3b29e79b8

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Error.dll

Filesize
13KB

MD5
43675f2666cac4cb2fab10ceff158632

SHA1
34d1ce180cd9e6bbea7f5903ef73fb8504304384

SHA256
e21e0fc8fcc814020934a2e9f81c6c788402d565d4b478cebbbec6001795bbdd

SHA512
5e3a3384f1cb988a1774d18b6e46e9b3b85cbfb774d15b8c8e3e0855e352ec146b08087d6dde6fb999f5d234cabfa1a42d7493b70e84659fe131aef3b29e79b8

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Error.dll

Filesize
13KB

MD5
43675f2666cac4cb2fab10ceff158632

SHA1
34d1ce180cd9e6bbea7f5903ef73fb8504304384

SHA256
e21e0fc8fcc814020934a2e9f81c6c788402d565d4b478cebbbec6001795bbdd

SHA512
5e3a3384f1cb988a1774d18b6e46e9b3b85cbfb774d15b8c8e3e0855e352ec146b08087d6dde6fb999f5d234cabfa1a42d7493b70e84659fe131aef3b29e79b8

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Error.dll

Filesize
13KB

MD5
43675f2666cac4cb2fab10ceff158632

SHA1
34d1ce180cd9e6bbea7f5903ef73fb8504304384

SHA256
e21e0fc8fcc814020934a2e9f81c6c788402d565d4b478cebbbec6001795bbdd

SHA512
5e3a3384f1cb988a1774d18b6e46e9b3b85cbfb774d15b8c8e3e0855e352ec146b08087d6dde6fb999f5d234cabfa1a42d7493b70e84659fe131aef3b29e79b8

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Messaging.dll

Filesize
12KB

MD5
4c3bbc33a41678384258af4a0ec6ca27

SHA1
9f53c19c9b9a8d74415ccb70a32dd2e1c8d82b84

SHA256
e3247e15d6aa36449e032c798afd909d0cd552cb65daae39cb11b8d6be8f87ce

SHA512
5d3aac97e70067ff43b7ce6b614ba2c430fa7cc9fee40772f5fddd2f2b2ba83b5f6c5c532f39375092b84f2284b80699d4121f95664247b2ef6a07d0d152288b

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Messaging.dll

Filesize
12KB

MD5
4c3bbc33a41678384258af4a0ec6ca27

SHA1
9f53c19c9b9a8d74415ccb70a32dd2e1c8d82b84

SHA256
e3247e15d6aa36449e032c798afd909d0cd552cb65daae39cb11b8d6be8f87ce

SHA512
5d3aac97e70067ff43b7ce6b614ba2c430fa7cc9fee40772f5fddd2f2b2ba83b5f6c5c532f39375092b84f2284b80699d4121f95664247b2ef6a07d0d152288b

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Messaging.dll

Filesize
12KB

MD5
4c3bbc33a41678384258af4a0ec6ca27

SHA1
9f53c19c9b9a8d74415ccb70a32dd2e1c8d82b84

SHA256
e3247e15d6aa36449e032c798afd909d0cd552cb65daae39cb11b8d6be8f87ce

SHA512
5d3aac97e70067ff43b7ce6b614ba2c430fa7cc9fee40772f5fddd2f2b2ba83b5f6c5c532f39375092b84f2284b80699d4121f95664247b2ef6a07d0d152288b

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Messaging.dll

Filesize
12KB

MD5
4c3bbc33a41678384258af4a0ec6ca27

SHA1
9f53c19c9b9a8d74415ccb70a32dd2e1c8d82b84

SHA256
e3247e15d6aa36449e032c798afd909d0cd552cb65daae39cb11b8d6be8f87ce

SHA512
5d3aac97e70067ff43b7ce6b614ba2c430fa7cc9fee40772f5fddd2f2b2ba83b5f6c5c532f39375092b84f2284b80699d4121f95664247b2ef6a07d0d152288b

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Messaging.dll

Filesize
12KB

MD5
4c3bbc33a41678384258af4a0ec6ca27

SHA1
9f53c19c9b9a8d74415ccb70a32dd2e1c8d82b84

SHA256
e3247e15d6aa36449e032c798afd909d0cd552cb65daae39cb11b8d6be8f87ce

SHA512
5d3aac97e70067ff43b7ce6b614ba2c430fa7cc9fee40772f5fddd2f2b2ba83b5f6c5c532f39375092b84f2284b80699d4121f95664247b2ef6a07d0d152288b

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Messaging.dll

Filesize
12KB

MD5
4c3bbc33a41678384258af4a0ec6ca27

SHA1
9f53c19c9b9a8d74415ccb70a32dd2e1c8d82b84

SHA256
e3247e15d6aa36449e032c798afd909d0cd552cb65daae39cb11b8d6be8f87ce

SHA512
5d3aac97e70067ff43b7ce6b614ba2c430fa7cc9fee40772f5fddd2f2b2ba83b5f6c5c532f39375092b84f2284b80699d4121f95664247b2ef6a07d0d152288b

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.Messaging.dll

Filesize
12KB

MD5
4c3bbc33a41678384258af4a0ec6ca27

SHA1
9f53c19c9b9a8d74415ccb70a32dd2e1c8d82b84

SHA256
e3247e15d6aa36449e032c798afd909d0cd552cb65daae39cb11b8d6be8f87ce

SHA512
5d3aac97e70067ff43b7ce6b614ba2c430fa7cc9fee40772f5fddd2f2b2ba83b5f6c5c532f39375092b84f2284b80699d4121f95664247b2ef6a07d0d152288b

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.ShortcutKey.dll

Filesize
23KB

MD5
5701bc3ef8ffc3c075cead330c496e25

SHA1
bfda3899302035dc072c06809ccf9b75150b2677

SHA256
7b6f66559007cbe316ff4c98f99e38d596ffc29b9769f46a8912b3e859f2ded7

SHA512
c13c3c77aecd39a1e46762f11005a1b04b506bf4efecd80e89808900a320130ccb978f5e2c603007705df5026169577b75704f47247c85689fd404578ab03242

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.ShortcutKey.dll

Filesize
23KB

MD5
5701bc3ef8ffc3c075cead330c496e25

SHA1
bfda3899302035dc072c06809ccf9b75150b2677

SHA256
7b6f66559007cbe316ff4c98f99e38d596ffc29b9769f46a8912b3e859f2ded7

SHA512
c13c3c77aecd39a1e46762f11005a1b04b506bf4efecd80e89808900a320130ccb978f5e2c603007705df5026169577b75704f47247c85689fd404578ab03242

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.ShortcutKey.dll

Filesize
23KB

MD5
5701bc3ef8ffc3c075cead330c496e25

SHA1
bfda3899302035dc072c06809ccf9b75150b2677

SHA256
7b6f66559007cbe316ff4c98f99e38d596ffc29b9769f46a8912b3e859f2ded7

SHA512
c13c3c77aecd39a1e46762f11005a1b04b506bf4efecd80e89808900a320130ccb978f5e2c603007705df5026169577b75704f47247c85689fd404578ab03242

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.ShortcutKey.dll

Filesize
23KB

MD5
5701bc3ef8ffc3c075cead330c496e25

SHA1
bfda3899302035dc072c06809ccf9b75150b2677

SHA256
7b6f66559007cbe316ff4c98f99e38d596ffc29b9769f46a8912b3e859f2ded7

SHA512
c13c3c77aecd39a1e46762f11005a1b04b506bf4efecd80e89808900a320130ccb978f5e2c603007705df5026169577b75704f47247c85689fd404578ab03242

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.ShortcutKey.dll

Filesize
23KB

MD5
5701bc3ef8ffc3c075cead330c496e25

SHA1
bfda3899302035dc072c06809ccf9b75150b2677

SHA256
7b6f66559007cbe316ff4c98f99e38d596ffc29b9769f46a8912b3e859f2ded7

SHA512
c13c3c77aecd39a1e46762f11005a1b04b506bf4efecd80e89808900a320130ccb978f5e2c603007705df5026169577b75704f47247c85689fd404578ab03242

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.ShortcutKey.dll

Filesize
23KB

MD5
5701bc3ef8ffc3c075cead330c496e25

SHA1
bfda3899302035dc072c06809ccf9b75150b2677

SHA256
7b6f66559007cbe316ff4c98f99e38d596ffc29b9769f46a8912b3e859f2ded7

SHA512
c13c3c77aecd39a1e46762f11005a1b04b506bf4efecd80e89808900a320130ccb978f5e2c603007705df5026169577b75704f47247c85689fd404578ab03242

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.ShortcutKey.dll

Filesize
23KB

MD5
5701bc3ef8ffc3c075cead330c496e25

SHA1
bfda3899302035dc072c06809ccf9b75150b2677

SHA256
7b6f66559007cbe316ff4c98f99e38d596ffc29b9769f46a8912b3e859f2ded7

SHA512
c13c3c77aecd39a1e46762f11005a1b04b506bf4efecd80e89808900a320130ccb978f5e2c603007705df5026169577b75704f47247c85689fd404578ab03242

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.UI.Common.dll

Filesize
67KB

MD5
db0c0c0c4e59b3b0ed33224aca63d15e

SHA1
940f8e7c7477b29251d4e15d35796a0cc94fef0a

SHA256
4d2aa5ba88556a1a52ed094d07655874c172d1a260399d54ac9334c660afbe18

SHA512
9272f642fd0ab3fc9c492ff1886b88933075bd4b80c90d98c06b5ee83a5908637ca067ca27447f6509cf3131040b8a78954b06e7ef59070bb187fa2343d86030

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.UI.Common.dll

Filesize
67KB

MD5
db0c0c0c4e59b3b0ed33224aca63d15e

SHA1
940f8e7c7477b29251d4e15d35796a0cc94fef0a

SHA256
4d2aa5ba88556a1a52ed094d07655874c172d1a260399d54ac9334c660afbe18

SHA512
9272f642fd0ab3fc9c492ff1886b88933075bd4b80c90d98c06b5ee83a5908637ca067ca27447f6509cf3131040b8a78954b06e7ef59070bb187fa2343d86030

Download Submit
C:\Program Files (x86)\Gyazo\Gyazo.UI.Common.dll

Filesize
67KB

MD5
db0c0c0c4e59b3b0ed33224aca63d15e

SHA1
940f8e7c7477b29251d4e15d35796a0cc94fef0a

SHA256
4d2aa5ba88556a1a52ed094d07655874c172d1a260399d54ac9334c660afbe18

SHA512
9272f642fd0ab3fc9c492ff1886b88933075bd4b80c90d98c06b5ee83a5908637ca067ca27447f6509cf3131040b8a78954b06e7ef59070bb187fa2343d86030

Download Submit
C:\Program Files (x86)\Gyazo\Gyazowin.exe

Filesize
783KB

MD5
01d45cf224f953c6b01e142a7dce2066

SHA1
4db03487e153a7f715de69728a24873ce000867b

SHA256
1ac01cef16e3c37f19e5c878b5747d3a9ba3612f4786f0cfced6e1b855c23829

SHA512
80241136940fc2098f86eedb793ed239e93c9014d28f812ab88755a3e8844ef183af0adf91ad955da3b03154294fd1d3471caaaecb01cdad4703fa78f4ea86ca

Download Submit
C:\Program Files (x86)\Gyazo\SimpleInjector.dll

Filesize
373KB

MD5
3fcaa15c7f7d6679d9aa5a3cab5b6782

SHA1
05663a319cda586b2553347ce13a0bdb1449e3c9

SHA256
a03e8f9dc40e597c943ed9e6cca5c8f95f90c68910ccae092372d2416c019fc1

SHA512
2cad0673a3115b879f730895c9880324f84a83e1b708bd558800b7a1355b0c99af98185a054dd65a1e03ddb0e1ebd0cca6a69568ddf912341eeb320a5d9858ee

Download Submit
C:\Program Files (x86)\Gyazo\SimpleInjector.dll

Filesize
373KB

MD5
3fcaa15c7f7d6679d9aa5a3cab5b6782

SHA1
05663a319cda586b2553347ce13a0bdb1449e3c9

SHA256
a03e8f9dc40e597c943ed9e6cca5c8f95f90c68910ccae092372d2416c019fc1

SHA512
2cad0673a3115b879f730895c9880324f84a83e1b708bd558800b7a1355b0c99af98185a054dd65a1e03ddb0e1ebd0cca6a69568ddf912341eeb320a5d9858ee

Download Submit
C:\Program Files (x86)\Gyazo\SimpleInjector.dll

Filesize
373KB

MD5
3fcaa15c7f7d6679d9aa5a3cab5b6782

SHA1
05663a319cda586b2553347ce13a0bdb1449e3c9

SHA256
a03e8f9dc40e597c943ed9e6cca5c8f95f90c68910ccae092372d2416c019fc1

SHA512
2cad0673a3115b879f730895c9880324f84a83e1b708bd558800b7a1355b0c99af98185a054dd65a1e03ddb0e1ebd0cca6a69568ddf912341eeb320a5d9858ee

Download Submit
C:\Program Files (x86)\Gyazo\SimpleInjector.dll

Filesize
373KB

MD5
3fcaa15c7f7d6679d9aa5a3cab5b6782

SHA1
05663a319cda586b2553347ce13a0bdb1449e3c9

SHA256
a03e8f9dc40e597c943ed9e6cca5c8f95f90c68910ccae092372d2416c019fc1

SHA512
2cad0673a3115b879f730895c9880324f84a83e1b708bd558800b7a1355b0c99af98185a054dd65a1e03ddb0e1ebd0cca6a69568ddf912341eeb320a5d9858ee

Download Submit
C:\Program Files (x86)\Gyazo\SimpleInjector.dll

Filesize
373KB

MD5
3fcaa15c7f7d6679d9aa5a3cab5b6782

SHA1
05663a319cda586b2553347ce13a0bdb1449e3c9

SHA256
a03e8f9dc40e597c943ed9e6cca5c8f95f90c68910ccae092372d2416c019fc1

SHA512
2cad0673a3115b879f730895c9880324f84a83e1b708bd558800b7a1355b0c99af98185a054dd65a1e03ddb0e1ebd0cca6a69568ddf912341eeb320a5d9858ee

Download Submit
C:\Program Files (x86)\Gyazo\SimpleInjector.dll

Filesize
373KB

MD5
3fcaa15c7f7d6679d9aa5a3cab5b6782

SHA1
05663a319cda586b2553347ce13a0bdb1449e3c9

SHA256
a03e8f9dc40e597c943ed9e6cca5c8f95f90c68910ccae092372d2416c019fc1

SHA512
2cad0673a3115b879f730895c9880324f84a83e1b708bd558800b7a1355b0c99af98185a054dd65a1e03ddb0e1ebd0cca6a69568ddf912341eeb320a5d9858ee

Download Submit
C:\Program Files (x86)\Gyazo\SimpleInjector.dll

Filesize
373KB

MD5
3fcaa15c7f7d6679d9aa5a3cab5b6782

SHA1
05663a319cda586b2553347ce13a0bdb1449e3c9

SHA256
a03e8f9dc40e597c943ed9e6cca5c8f95f90c68910ccae092372d2416c019fc1

SHA512
2cad0673a3115b879f730895c9880324f84a83e1b708bd558800b7a1355b0c99af98185a054dd65a1e03ddb0e1ebd0cca6a69568ddf912341eeb320a5d9858ee

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Core.dll

Filesize
111KB

MD5
20eafe4dfb007d4321e8bafc2f793a2e

SHA1
86458208b3e56629d9fe722c8f32354495c78d7a

SHA256
fc483754462d2219e186a2c174e1ced3a5f30b648f04a3b0a7d1421e63569af2

SHA512
371c8fb7d467c86a4415926c7c3dc80ad6453e4f796acc97351665a2628515f3ab8b6b537852bde467e0111104a2db17f667047531c1eb78bb99bcb19e365ba6

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Core.dll

Filesize
111KB

MD5
20eafe4dfb007d4321e8bafc2f793a2e

SHA1
86458208b3e56629d9fe722c8f32354495c78d7a

SHA256
fc483754462d2219e186a2c174e1ced3a5f30b648f04a3b0a7d1421e63569af2

SHA512
371c8fb7d467c86a4415926c7c3dc80ad6453e4f796acc97351665a2628515f3ab8b6b537852bde467e0111104a2db17f667047531c1eb78bb99bcb19e365ba6

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Core.dll

Filesize
111KB

MD5
20eafe4dfb007d4321e8bafc2f793a2e

SHA1
86458208b3e56629d9fe722c8f32354495c78d7a

SHA256
fc483754462d2219e186a2c174e1ced3a5f30b648f04a3b0a7d1421e63569af2

SHA512
371c8fb7d467c86a4415926c7c3dc80ad6453e4f796acc97351665a2628515f3ab8b6b537852bde467e0111104a2db17f667047531c1eb78bb99bcb19e365ba6

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Core.dll

Filesize
111KB

MD5
20eafe4dfb007d4321e8bafc2f793a2e

SHA1
86458208b3e56629d9fe722c8f32354495c78d7a

SHA256
fc483754462d2219e186a2c174e1ced3a5f30b648f04a3b0a7d1421e63569af2

SHA512
371c8fb7d467c86a4415926c7c3dc80ad6453e4f796acc97351665a2628515f3ab8b6b537852bde467e0111104a2db17f667047531c1eb78bb99bcb19e365ba6

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Core.dll

Filesize
111KB

MD5
20eafe4dfb007d4321e8bafc2f793a2e

SHA1
86458208b3e56629d9fe722c8f32354495c78d7a

SHA256
fc483754462d2219e186a2c174e1ced3a5f30b648f04a3b0a7d1421e63569af2

SHA512
371c8fb7d467c86a4415926c7c3dc80ad6453e4f796acc97351665a2628515f3ab8b6b537852bde467e0111104a2db17f667047531c1eb78bb99bcb19e365ba6

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Core.dll

Filesize
111KB

MD5
20eafe4dfb007d4321e8bafc2f793a2e

SHA1
86458208b3e56629d9fe722c8f32354495c78d7a

SHA256
fc483754462d2219e186a2c174e1ced3a5f30b648f04a3b0a7d1421e63569af2

SHA512
371c8fb7d467c86a4415926c7c3dc80ad6453e4f796acc97351665a2628515f3ab8b6b537852bde467e0111104a2db17f667047531c1eb78bb99bcb19e365ba6

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Core.dll

Filesize
111KB

MD5
20eafe4dfb007d4321e8bafc2f793a2e

SHA1
86458208b3e56629d9fe722c8f32354495c78d7a

SHA256
fc483754462d2219e186a2c174e1ced3a5f30b648f04a3b0a7d1421e63569af2

SHA512
371c8fb7d467c86a4415926c7c3dc80ad6453e4f796acc97351665a2628515f3ab8b6b537852bde467e0111104a2db17f667047531c1eb78bb99bcb19e365ba6

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Interfaces.dll

Filesize
22KB

MD5
b80e8c6c63a953fc1258d28996b0ca8f

SHA1
161c6845c2663b574d226fdf9bde0f256d72ddd6

SHA256
ed6131702df41a1c2c4ab1027614bc028c61d54c3261d7090d43838a79bd9266

SHA512
253834fbd6c121674b2af71cb591e210563d18e29b8511fd854b25eec52d5137de66d03bbfd0b79ae7f4a2ffb8398ce7f68d99090f01f9a863e53edeec4f4f96

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Interfaces.dll

Filesize
22KB

MD5
b80e8c6c63a953fc1258d28996b0ca8f

SHA1
161c6845c2663b574d226fdf9bde0f256d72ddd6

SHA256
ed6131702df41a1c2c4ab1027614bc028c61d54c3261d7090d43838a79bd9266

SHA512
253834fbd6c121674b2af71cb591e210563d18e29b8511fd854b25eec52d5137de66d03bbfd0b79ae7f4a2ffb8398ce7f68d99090f01f9a863e53edeec4f4f96

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Interfaces.dll

Filesize
22KB

MD5
b80e8c6c63a953fc1258d28996b0ca8f

SHA1
161c6845c2663b574d226fdf9bde0f256d72ddd6

SHA256
ed6131702df41a1c2c4ab1027614bc028c61d54c3261d7090d43838a79bd9266

SHA512
253834fbd6c121674b2af71cb591e210563d18e29b8511fd854b25eec52d5137de66d03bbfd0b79ae7f4a2ffb8398ce7f68d99090f01f9a863e53edeec4f4f96

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Interfaces.dll

Filesize
22KB

MD5
b80e8c6c63a953fc1258d28996b0ca8f

SHA1
161c6845c2663b574d226fdf9bde0f256d72ddd6

SHA256
ed6131702df41a1c2c4ab1027614bc028c61d54c3261d7090d43838a79bd9266

SHA512
253834fbd6c121674b2af71cb591e210563d18e29b8511fd854b25eec52d5137de66d03bbfd0b79ae7f4a2ffb8398ce7f68d99090f01f9a863e53edeec4f4f96

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Interfaces.dll

Filesize
22KB

MD5
b80e8c6c63a953fc1258d28996b0ca8f

SHA1
161c6845c2663b574d226fdf9bde0f256d72ddd6

SHA256
ed6131702df41a1c2c4ab1027614bc028c61d54c3261d7090d43838a79bd9266

SHA512
253834fbd6c121674b2af71cb591e210563d18e29b8511fd854b25eec52d5137de66d03bbfd0b79ae7f4a2ffb8398ce7f68d99090f01f9a863e53edeec4f4f96

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Interfaces.dll

Filesize
22KB

MD5
b80e8c6c63a953fc1258d28996b0ca8f

SHA1
161c6845c2663b574d226fdf9bde0f256d72ddd6

SHA256
ed6131702df41a1c2c4ab1027614bc028c61d54c3261d7090d43838a79bd9266

SHA512
253834fbd6c121674b2af71cb591e210563d18e29b8511fd854b25eec52d5137de66d03bbfd0b79ae7f4a2ffb8398ce7f68d99090f01f9a863e53edeec4f4f96

Download Submit
C:\Program Files (x86)\Gyazo\System.Reactive.Interfaces.dll

Filesize
22KB

MD5
b80e8c6c63a953fc1258d28996b0ca8f

SHA1
161c6845c2663b574d226fdf9bde0f256d72ddd6

SHA256
ed6131702df41a1c2c4ab1027614bc028c61d54c3261d7090d43838a79bd9266

SHA512
253834fbd6c121674b2af71cb591e210563d18e29b8511fd854b25eec52d5137de66d03bbfd0b79ae7f4a2ffb8398ce7f68d99090f01f9a863e53edeec4f4f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HEMMO.tmp\Gyazo-4.5.1.tmp

Filesize
1.2MB

MD5
5981811be5566aec0dbebd0017df73fc

SHA1
7e780a9b91fc636a627c18158ff6fa861f984a3f

SHA256
e28752d4062148f671ee411fb8d6c80e352875bd12998682b6ecc54ccaa41c6a

SHA512
83f52b80302f45a4f2f4f8f4c3b71cc4d0ad0bb4d5128742464ecd0f9bba363b199c7b1bc943e6e32bb0480e707b0e479f4af848e7926b2b4d20551956c1c47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HEMMO.tmp\Gyazo-4.5.1.tmp

Filesize
1.2MB

MD5
5981811be5566aec0dbebd0017df73fc

SHA1
7e780a9b91fc636a627c18158ff6fa861f984a3f

SHA256
e28752d4062148f671ee411fb8d6c80e352875bd12998682b6ecc54ccaa41c6a

SHA512
83f52b80302f45a4f2f4f8f4c3b71cc4d0ad0bb4d5128742464ecd0f9bba363b199c7b1bc943e6e32bb0480e707b0e479f4af848e7926b2b4d20551956c1c47f

Download Submit
memory/320-218-0x00000000073F0000-0x00000000074A0000-memory.dmp

Filesize
704KB

Download
memory/320-168-0x0000000004D50000-0x0000000004D5A000-memory.dmp

Filesize
40KB

Download
memory/320-154-0x0000000004E70000-0x0000000004ED4000-memory.dmp

Filesize
400KB

Download
memory/1232-274-0x0000000000F40000-0x00000000010BC000-memory.dmp

Filesize
1.5MB

Download
memory/1464-254-0x0000000007A40000-0x0000000007A4A000-memory.dmp

Filesize
40KB

Download
memory/1464-222-0x0000000007F70000-0x0000000007F8E000-memory.dmp

Filesize
120KB

Download
memory/1464-228-0x0000000008220000-0x000000000822C000-memory.dmp

Filesize
48KB

Download
memory/1464-227-0x0000000008200000-0x0000000008208000-memory.dmp

Filesize
32KB

Download
memory/1464-224-0x0000000007E90000-0x0000000007E98000-memory.dmp

Filesize
32KB

Download
memory/1464-207-0x0000000007D70000-0x0000000007D7C000-memory.dmp

Filesize
48KB

Download
memory/1464-177-0x0000000005730000-0x000000000574E000-memory.dmp

Filesize
120KB

Download
memory/1464-259-0x000000000C340000-0x000000000C362000-memory.dmp

Filesize
136KB

Download
memory/1464-191-0x0000000005B60000-0x0000000005BF2000-memory.dmp

Filesize
584KB

Download
memory/1464-215-0x0000000007DA0000-0x0000000007DB8000-memory.dmp

Filesize
96KB

Download
memory/3000-272-0x000000000CBA0000-0x000000000CBA8000-memory.dmp

Filesize
32KB

Download
memory/3000-269-0x0000000000120000-0x00000000002DC000-memory.dmp

Filesize
1.7MB

Download
memory/3000-271-0x0000000005EA0000-0x0000000005EA8000-memory.dmp

Filesize
32KB

Download
memory/3000-270-0x00000000057B0000-0x00000000057B8000-memory.dmp

Filesize
32KB

Download
memory/4280-239-0x000000001A400000-0x000000001ABA6000-memory.dmp

Filesize
7.6MB

Download
memory/4280-233-0x0000000005F60000-0x0000000005F68000-memory.dmp

Filesize
32KB

Download
memory/4280-235-0x0000000009360000-0x0000000009398000-memory.dmp

Filesize
224KB

Download
memory/4280-236-0x0000000009340000-0x000000000934E000-memory.dmp

Filesize
56KB

Download
memory/4280-238-0x00000000125A0000-0x00000000125B0000-memory.dmp

Filesize
64KB

Download
memory/4280-237-0x0000000010700000-0x0000000010710000-memory.dmp

Filesize
64KB

Download
memory/4280-232-0x0000000000C40000-0x0000000000CD8000-memory.dmp

Filesize
608KB

Download
memory/4444-183-0x0000000005C40000-0x0000000005C48000-memory.dmp

Filesize
32KB

Download
memory/4444-160-0x0000000003130000-0x000000000313E000-memory.dmp

Filesize
56KB

Download
memory/4444-217-0x0000000007D60000-0x0000000007E10000-memory.dmp

Filesize
704KB

Download
memory/4444-190-0x0000000006200000-0x00000000067A4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-223-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

Filesize
40KB

Download
memory/4444-195-0x0000000005E70000-0x0000000005E7C000-memory.dmp

Filesize
48KB

Download
memory/4444-221-0x0000000007CD0000-0x0000000007CE8000-memory.dmp

Filesize
96KB

Download
memory/4444-220-0x0000000007CB0000-0x0000000007CC2000-memory.dmp

Filesize
72KB

Download
memory/4444-225-0x0000000007FC0000-0x0000000007FDE000-memory.dmp

Filesize
120KB

Download
memory/4444-148-0x0000000000DF0000-0x0000000000ED8000-memory.dmp

Filesize
928KB

Download
memory/4444-200-0x0000000005E80000-0x0000000005E8A000-memory.dmp

Filesize
40KB

Download
memory/4444-226-0x0000000007D40000-0x0000000007D48000-memory.dmp

Filesize
32KB

Download
memory/4444-229-0x0000000008100000-0x0000000008108000-memory.dmp

Filesize
32KB

Download
memory/4892-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4892-219-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4892-234-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4892-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download