Analysis Overview
| SHA256 | a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d |
Threat Level: Known bad
The file 7268e57a354c49482b14d239632cfd73.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine Payload
Vidar
Tofsee
ElysiumStealer
Checks for common network interception software
Blocklisted process makes network request
VMProtect packed file
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Creates new service(s)
Modifies Windows Firewall
Reads user/profile data of web browsers
Loads dropped DLL
Reads local data of messenger clients
Checks computer location settings
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Accesses 2FA software files, possible credential harvesting
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Script User-Agent
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Modifies data under HKEY_USERS
Runs ping.exe
Modifies Internet Explorer settings
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2021-07-06 22:38 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2021-05-22 19:03 |
| Reported | 2021-05-22 19:06 |
| Platform | win7v20210408 |
| Max time kernel | 101s |
| Max time network | 127s |
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7268e57a354c49482b14d239632cfd73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7268e57a354c49482b14d239632cfd73.exe
"C:\Users\Admin\AppData\Local\Temp\7268e57a354c49482b14d239632cfd73.exe"
C:\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp" /SL5="$9015C,138429,56832,C:\Users\Admin\AppData\Local\Temp\7268e57a354c49482b14d239632cfd73.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ipinfo.io | udp |
| N/A | 8.8.8.8:53 | ipinfo.io | udp |
| N/A | 8.8.8.8:53 | proxycheck.io | udp |
| N/A | 8.8.8.8:53 | 3b39e40c-13d6-4a1f-a716-d0986744cc54.s3.ap-south-1.amazonaws.com | udp |
| N/A | 8.8.8.8:53 | 3b39e40c-13d6-4a1f-a716-d0986744cc54.s3.ap-south-1.amazonaws.com | udp |
| N/A | 8.8.8.8:53 | 3b39e40c-13d6-4a1f-a716-d0986744cc54.s3.ap-south-1.amazonaws.com | udp |
| N/A | 8.8.8.8:53 | 3b39e40c-13d6-4a1f-a716-d0986744cc54.s3.ap-south-1.amazonaws.com | udp |
Files
\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
C:\Users\Admin\AppData\Local\Temp\is-LDVRV.tmp\7268e57a354c49482b14d239632cfd73.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
\Users\Admin\AppData\Local\Temp\is-O174M.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-O174M.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
Analysis: behavioral2
Detonation Overview
| Submitted | 2021-05-22 19:03 |
| Reported | 2021-05-22 19:06 |
| Platform | win10v20210410 |
| Max time kernel | 52s |
| Max time network | 152s |
Command Line
Signatures
ElysiumStealer
RedLine
RedLine Payload
Tofsee
Vidar
Checks for common network interception software
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\4_177039.exe | N/A |
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
VMProtect packed file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6e-c0360-ec9-b5ca4-c36d8e121f337\Vaezhalyqypy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\45-26094-cd8-b2b92-ed986fc38f6ff\Cifuzhashamo.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\johpwgqz.fsf\google-game.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ehih0oyu.3j0\google-game.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe | N/A |
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" | C:\Users\Admin\AppData\Local\Temp\xkk3sodf.wfp\001.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Daedezhyshawi.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Picture Lab\\Cuxaxaquso.exe\"" | C:\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\4_177039.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #6 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #1 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\AdvancedUpdater | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #2 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #3 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #4 | c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\AdvancedWindowsManager #5 | c:\windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3896 set thread context of 4528 | N/A | \??\c:\windows\system32\svchost.exe | C:\Windows\system32\svchost.exe |
| PID 4776 set thread context of 4748 | N/A | C:\Users\Admin\AppData\Local\Temp\is-MEFEE.tmp\Setup.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe | C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Picture Lab\is-9R82I.tmp | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File created | C:\Program Files\Reference Assemblies\ZNIPNUVKZY\prolab.exe.config | C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Picture Lab\AForge.Math.dll | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\avcodec-53.dll | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe | C:\Users\Admin\AppData\Local\Temp\is-H8HA0.tmp\Setup.exe | N/A |
| File created | C:\Program Files\MSBuild\FFAPFUVHMT\irecord.exe | C:\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\4_177039.exe | N/A |
| File created | C:\Program Files (x86)\recording\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe | C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Picture Lab\SourceLibrary.dll | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File created | C:\Program Files (x86)\Picture Lab\is-FG8NV.tmp | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe | C:\Users\Admin\AppData\Local\Temp\is-47JEJ.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Picture Lab\AForge.dll | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Daedezhyshawi.exe | C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe | N/A |
| File created | C:\Program Files (x86)\recording\is-729E8.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File created | C:\Program Files\MSBuild\FFAPFUVHMT\irecord.exe.config | C:\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\4_177039.exe | N/A |
| File created | C:\Program Files (x86)\recording\is-43BP1.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File created | C:\Program Files (x86)\Picture Lab\Cuxaxaquso.exe | C:\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\4_177039.exe | N/A |
| File created | C:\Program Files (x86)\recording\is-0OQG4.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\swresample-0.dll | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\unins000.exe | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File created | C:\Program Files (x86)\recording\is-E23RC.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Picture Lab\SourceGrid2.dll | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File created | C:\Program Files (x86)\Picture Lab\is-BIR5N.tmp | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File created | C:\Program Files (x86)\Picture Lab\is-3OSAG.tmp | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe | C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Picture Lab\is-K87HF.tmp | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File created | C:\Program Files (x86)\recording\is-8FEC4.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Picture Lab\Pictures Lab.exe | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File created | C:\Program Files (x86)\Common Files\Daedezhyshawi.exe.config | C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe | N/A |
| File opened for modification | C:\Program Files (x86)\recording\AForge.Video.dll | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File created | C:\Program Files (x86)\recording\is-FND6K.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\avutil-51.dll | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File created | C:\Program Files (x86)\recording\is-8GRL1.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File created | C:\Program Files (x86)\recording\is-IBMH1.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File created | C:\Program Files (x86)\recording\is-J0448.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe | C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe | C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Picture Lab\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Picture Lab\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File created | C:\Program Files (x86)\recording\is-C3U7N.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File created | C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe | N/A |
| File created | C:\Program Files (x86)\Picture Lab\is-TQVUF.tmp | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File created | C:\Program Files (x86)\Picture Lab\is-PDD08.tmp | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File created | C:\Program Files (x86)\Picture Lab\is-NIIHG.tmp | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\avdevice-53.dll | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File created | C:\Program Files (x86)\recording\is-CJ3BB.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File created | C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Picture Lab\is-TVM7Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\avformat-53.dll | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\postproc-52.dll | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Picture Lab\DockingToolbar.dll | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\recording\avfilter-2.dll | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe | C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\ZNIPNUVKZY\prolab.exe | C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSICA13.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICD73.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID0D1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID2BB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f74ba0e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBD0C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC146.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC2AF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID21C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID24C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBF30.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBDA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f74ba0e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC08A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID1DD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICAFF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Debug\ESE.TXT | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICCB6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICDA2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID28B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBFDD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC31D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID18D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f74ba11.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID3F6.tmp | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\sodhl50s.aeo\702564a0.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\3708586.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\browser_broker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}\1 = "4816" | \??\c:\windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F} | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000a4b1913fd6198d09266de1ab09cf4025ac957d34ca7d667f6311be349972b012edfa5dfefd5d77ecd440b5090915a2a005608df230ab988e0f183916b62c | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0092e5bd3d4fd701 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M} | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 24d5ebbe3d4fd701 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4c94b8c23d4fd701 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000034c472dbb868a4c8d727e7a04dbd97eb31dd2f29fe1b950e8f1c0120cade0ddabb7921bc0e338cd737b41607438ecc2b4fdfc4051849c326227 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701 | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "5" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S} | \??\c:\windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\1eaprzja.5mr\installer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\1eaprzja.5mr\installer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\1eaprzja.5mr\installer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-MEFEE.tmp\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\6046326.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\3708586.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rUNdlL32.eXe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\4_177039.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9MIQ1.tmp\7268e57a354c49482b14d239632cfd73.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-72E2E.tmp\Versium.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eaprzja.5mr\installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SFEKI.tmp\Setup3310.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NQOJJ.tmp\Setup3310.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
C:\Users\Admin\AppData\Local\Temp\7268e57a354c49482b14d239632cfd73.exe
"C:\Users\Admin\AppData\Local\Temp\7268e57a354c49482b14d239632cfd73.exe"
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
C:\Users\Admin\AppData\Local\Temp\is-9MIQ1.tmp\7268e57a354c49482b14d239632cfd73.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9MIQ1.tmp\7268e57a354c49482b14d239632cfd73.tmp" /SL5="$5002E,138429,56832,C:\Users\Admin\AppData\Local\Temp\7268e57a354c49482b14d239632cfd73.exe"
C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe" /Verysilent
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe
"C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\is-BSTBJ.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BSTBJ.tmp\LabPicV3.tmp" /SL5="$20252,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
C:\Users\Admin\AppData\Local\Temp\is-OO1UR.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OO1UR.tmp\lylal220.tmp" /SL5="$201F8,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
C:\Users\Admin\AppData\Local\Temp\is-72E2E.tmp\Versium.tmp
"C:\Users\Admin\AppData\Local\Temp\is-72E2E.tmp\Versium.tmp" /SL5="$30228,138429,56832,C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe" /Verysilent
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
"C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
C:\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\4_177039.exe
"C:\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\4_177039.exe" /S /UID=lylal220
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe
"C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe" /S /UID=lab214
C:\Users\Admin\AppData\Roaming\6046326.exe
"C:\Users\Admin\AppData\Roaming\6046326.exe"
C:\Users\Admin\AppData\Local\Temp\is-MEFEE.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-MEFEE.tmp\Setup.exe" /Verysilent
C:\Users\Admin\AppData\Roaming\5880758.exe
"C:\Users\Admin\AppData\Roaming\5880758.exe"
C:\Users\Admin\AppData\Roaming\3708586.exe
"C:\Users\Admin\AppData\Roaming\3708586.exe"
C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Program Files\Reference Assemblies\ZNIPNUVKZY\prolab.exe
"C:\Program Files\Reference Assemblies\ZNIPNUVKZY\prolab.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp" /SL5="$40260,575243,216576,C:\Program Files\Reference Assemblies\ZNIPNUVKZY\prolab.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\6e-c0360-ec9-b5ca4-c36d8e121f337\Vaezhalyqypy.exe
"C:\Users\Admin\AppData\Local\Temp\6e-c0360-ec9-b5ca4-c36d8e121f337\Vaezhalyqypy.exe"
C:\Users\Admin\AppData\Local\Temp\12-0258c-52f-c96a4-1015417e2eed2\ZHowoqaeqami.exe
"C:\Users\Admin\AppData\Local\Temp\12-0258c-52f-c96a4-1015417e2eed2\ZHowoqaeqami.exe"
C:\Program Files\MSBuild\FFAPFUVHMT\irecord.exe
"C:\Program Files\MSBuild\FFAPFUVHMT\irecord.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp" /SL5="$2029C,6139911,56832,C:\Program Files\MSBuild\FFAPFUVHMT\irecord.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\45-26094-cd8-b2b92-ed986fc38f6ff\Cifuzhashamo.exe
"C:\Users\Admin\AppData\Local\Temp\45-26094-cd8-b2b92-ed986fc38f6ff\Cifuzhashamo.exe"
C:\Users\Admin\AppData\Local\Temp\91-ed0b4-1cc-19f97-1f61aaadf108f\Dawubyqugi.exe
"C:\Users\Admin\AppData\Local\Temp\91-ed0b4-1cc-19f97-1f61aaadf108f\Dawubyqugi.exe"
C:\Program Files (x86)\recording\i-record.exe
"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xkk3sodf.wfp\001.exe & exit
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g5ygt4ad.nxx\GcleanerEU.exe /eufive & exit
C:\Users\Admin\AppData\Local\Temp\xkk3sodf.wfp\001.exe
C:\Users\Admin\AppData\Local\Temp\xkk3sodf.wfp\001.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1eaprzja.5mr\installer.exe /qn CAMPAIGN="654" & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kxto2v4d.c2c\001.exe & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im RunWW.exe /f
C:\Users\Admin\AppData\Local\Temp\kxto2v4d.c2c\001.exe
C:\Users\Admin\AppData\Local\Temp\kxto2v4d.c2c\001.exe
C:\Users\Admin\AppData\Local\Temp\1eaprzja.5mr\installer.exe
C:\Users\Admin\AppData\Local\Temp\1eaprzja.5mr\installer.exe /qn CAMPAIGN="654"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v3vuzdmf.0tm\GcleanerEU.exe /eufive & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\flpumjdl.b4c\hbggg.exe & exit
C:\Users\Admin\AppData\Local\Temp\flpumjdl.b4c\hbggg.exe
C:\Users\Admin\AppData\Local\Temp\flpumjdl.b4c\hbggg.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qadtn1o2.nyr\installer.exe /qn CAMPAIGN="654" & exit
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\qadtn1o2.nyr\installer.exe
C:\Users\Admin\AppData\Local\Temp\qadtn1o2.nyr\installer.exe /qn CAMPAIGN="654"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sabwnyzn.gy0\hbggg.exe & exit
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\Temp\sabwnyzn.gy0\hbggg.exe
C:\Users\Admin\AppData\Local\Temp\sabwnyzn.gy0\hbggg.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pa0bimfx.qfg\Setup3310.exe /Verysilent /subid=623 & exit
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C1D8C71298FD2A61159D57769F05013C C
C:\Users\Admin\AppData\Local\Temp\pa0bimfx.qfg\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\pa0bimfx.qfg\Setup3310.exe /Verysilent /subid=623
C:\Users\Admin\AppData\Local\Temp\is-SFEKI.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SFEKI.tmp\Setup3310.tmp" /SL5="$103E2,138429,56832,C:\Users\Admin\AppData\Local\Temp\pa0bimfx.qfg\Setup3310.exe" /Verysilent /subid=623
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\krpdi1bx.led\Setup3310.exe /Verysilent /subid=623 & exit
C:\Users\Admin\AppData\Local\Temp\krpdi1bx.led\Setup3310.exe
C:\Users\Admin\AppData\Local\Temp\krpdi1bx.led\Setup3310.exe /Verysilent /subid=623
C:\Users\Admin\AppData\Local\Temp\is-NQOJJ.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NQOJJ.tmp\Setup3310.tmp" /SL5="$10482,138429,56832,C:\Users\Admin\AppData\Local\Temp\krpdi1bx.led\Setup3310.exe" /Verysilent /subid=623
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\johpwgqz.fsf\google-game.exe & exit
C:\Users\Admin\AppData\Local\Temp\johpwgqz.fsf\google-game.exe
C:\Users\Admin\AppData\Local\Temp\johpwgqz.fsf\google-game.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ehih0oyu.3j0\google-game.exe & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vn4lmtcc.0v5\setup.exe & exit
C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\is-47JEJ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-47JEJ.tmp\Setup.exe" /Verysilent
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kvidnyr3.tae\setup.exe & exit
C:\Users\Admin\AppData\Local\Temp\vn4lmtcc.0v5\setup.exe
C:\Users\Admin\AppData\Local\Temp\vn4lmtcc.0v5\setup.exe
C:\Users\Admin\AppData\Local\Temp\ehih0oyu.3j0\google-game.exe
C:\Users\Admin\AppData\Local\Temp\ehih0oyu.3j0\google-game.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
C:\Users\Admin\AppData\Local\Temp\is-H8HA0.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-H8HA0.tmp\Setup.exe" /Verysilent
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k3iaodq0.dd1\GcleanerWW.exe /mixone & exit
C:\Users\Admin\AppData\Local\Temp\kvidnyr3.tae\setup.exe
C:\Users\Admin\AppData\Local\Temp\kvidnyr3.tae\setup.exe
C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",getname
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o5l0gk0v.2nk\005.exe & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0qd44pb3.0b4\GcleanerWW.exe /mixone & exit
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uanp2d1f.rtp\005.exe & exit
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1eaprzja.5mr\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\1eaprzja.5mr\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621451165 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\o5l0gk0v.2nk\005.exe
C:\Users\Admin\AppData\Local\Temp\o5l0gk0v.2nk\005.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\vn4lmtcc.0v5\setup.exe"
C:\Users\Admin\AppData\Local\Temp\uanp2d1f.rtp\005.exe
C:\Users\Admin\AppData\Local\Temp\uanp2d1f.rtp\005.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\kvidnyr3.tae\setup.exe"
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F803331F3D18859C7BA50D11628D3305
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C1C77C404A771B8220E987876CB297A1 E Global\MSI0000
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qk153inn.kn0\toolspab1.exe & exit
C:\Users\Admin\AppData\Local\Temp\qk153inn.kn0\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\qk153inn.kn0\toolspab1.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4d32anjd.ofc\toolspab1.exe & exit
C:\Users\Admin\AppData\Local\Temp\4d32anjd.ofc\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\4d32anjd.ofc\toolspab1.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3bicmo5x.0rz\702564a0.exe & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sodhl50s.aeo\702564a0.exe & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\py5kkaip.q02\installer.exe /qn CAMPAIGN="654" & exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gh5yzaey.gts\installer.exe /qn CAMPAIGN="654" & exit
C:\Users\Admin\AppData\Local\Temp\3bicmo5x.0rz\702564a0.exe
C:\Users\Admin\AppData\Local\Temp\3bicmo5x.0rz\702564a0.exe
C:\Users\Admin\AppData\Local\Temp\sodhl50s.aeo\702564a0.exe
C:\Users\Admin\AppData\Local\Temp\sodhl50s.aeo\702564a0.exe
C:\Users\Admin\AppData\Local\Temp\py5kkaip.q02\installer.exe
C:\Users\Admin\AppData\Local\Temp\py5kkaip.q02\installer.exe /qn CAMPAIGN="654"
C:\Users\Admin\AppData\Local\Temp\gh5yzaey.gts\installer.exe
C:\Users\Admin\AppData\Local\Temp\gh5yzaey.gts\installer.exe /qn CAMPAIGN="654"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 22E24BAE8C58D2ED93E0480B95A332A4 C
C:\Users\Admin\AppData\Local\Temp\qk153inn.kn0\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\qk153inn.kn0\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\4d32anjd.ofc\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\4d32anjd.ofc\toolspab1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6468 -s 484
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\py5kkaip.q02\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\py5kkaip.q02\ EXE_CMD_LINE="/forcecleanup /wintime 1621451165 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6AEEA1111565F2831E1024DA6797C450
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2548F462F92DB8E924CF2A265CA48ADB E Global\MSI0000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 2084
C:\Users\Admin\AppData\Local\Temp\F425.exe
C:\Users\Admin\AppData\Local\Temp\F425.exe
C:\Users\Admin\AppData\Local\Temp\F7FE.exe
C:\Users\Admin\AppData\Local\Temp\F7FE.exe
C:\Users\Admin\AppData\Local\Temp\FB0C.exe
C:\Users\Admin\AppData\Local\Temp\FB0C.exe
C:\Users\Admin\AppData\Local\Temp\Perennials.exe
"C:\Users\Admin\AppData\Local\Temp\Perennials.exe"
C:\Users\Admin\AppData\Local\Temp\8C.exe
C:\Users\Admin\AppData\Local\Temp\8C.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nuoehtgk\
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ejtoiurt.exe" C:\Windows\SysWOW64\nuoehtgk\
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create nuoehtgk binPath= "C:\Windows\SysWOW64\nuoehtgk\ejtoiurt.exe /d\"C:\Users\Admin\AppData\Local\Temp\F425.exe\"" type= own start= auto DisplayName= "wifi support"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description nuoehtgk "wifi internet conection"
C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start nuoehtgk
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\nuoehtgk\ejtoiurt.exe
C:\Windows\SysWOW64\nuoehtgk\ejtoiurt.exe /d"C:\Users\Admin\AppData\Local\Temp\F425.exe"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Users\Admin\AppData\Local\Temp\49BB.exe
C:\Users\Admin\AppData\Local\Temp\49BB.exe
Network
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 8.8.8.8:53 | htagzdownload.pw | udp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 8.8.8.8:53 | telete.in | udp |
| N/A | 195.201.225.248:443 | telete.in | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 8.8.8.8:53 | htagzdownload.pw | udp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 8.8.8.8:53 | xisolenoy.xyz | udp |
| N/A | 185.183.98.2:80 | xisolenoy.xyz | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 104.26.13.31:443 | api.ip.sb | tcp |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 104.215.148.63:80 | microsoft.com | tcp |
| N/A | 8.8.8.8:53 | microsoft.com | udp |
| N/A | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp |
| N/A | 104.47.54.36:25 | microsoft-com.mail.protection.outlook.com | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 8.8.8.8:53 | htagzdownload.pw | udp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 43.231.4.7:443 | tcp | |
| N/A | 162.55.53.219:80 | 162.55.53.219 | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 37.34.176.37:80 | al-commandoz.com | tcp |
| N/A | 8.8.8.8:53 | htagzdownload.pw | udp |
Files
memory/3976-114-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-9MIQ1.tmp\7268e57a354c49482b14d239632cfd73.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/1500-115-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/1500-119-0x0000000003940000-0x000000000397C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/1500-121-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1500-123-0x0000000005010000-0x0000000005011000-memory.dmp
memory/1500-122-0x0000000005000000-0x0000000005001000-memory.dmp
memory/1500-125-0x0000000005030000-0x0000000005031000-memory.dmp
memory/1500-124-0x0000000005020000-0x0000000005021000-memory.dmp
memory/1500-127-0x0000000005050000-0x0000000005051000-memory.dmp
memory/1500-126-0x0000000005040000-0x0000000005041000-memory.dmp
memory/1500-129-0x0000000005070000-0x0000000005071000-memory.dmp
memory/1500-128-0x0000000005060000-0x0000000005061000-memory.dmp
memory/1500-131-0x0000000005090000-0x0000000005091000-memory.dmp
memory/1500-130-0x0000000005080000-0x0000000005081000-memory.dmp
memory/1500-133-0x00000000050B0000-0x00000000050B1000-memory.dmp
memory/1500-132-0x00000000050A0000-0x00000000050A1000-memory.dmp
memory/1500-135-0x00000000050D0000-0x00000000050D1000-memory.dmp
memory/1500-134-0x00000000050C0000-0x00000000050C1000-memory.dmp
memory/1500-136-0x00000000050E0000-0x00000000050E1000-memory.dmp
memory/1500-137-0x00000000050F0000-0x00000000050F1000-memory.dmp
memory/1500-138-0x0000000005100000-0x0000000005101000-memory.dmp
memory/1500-139-0x0000000005110000-0x0000000005111000-memory.dmp
memory/3428-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe
| MD5 | d69ad8d2f432e57d4f5ecf5d7e7f9300 |
| SHA1 | 4db420d6dfc64506e6e8b71ff63e4b240f2a562c |
| SHA256 | 21415b4bd92f908e375ef73e62b8539724488e9372c6df980d91c01e47ebfd15 |
| SHA512 | d21339419c6a85cb0454e3821d9cf8526b8913007fc500e026dfb6ba28cca96057695f2fa8d283f2b037b467a4229fe9f2b2dcd7cd33c9b0e37925a46e2b3f34 |
C:\Users\Admin\AppData\Local\Temp\is-KU7KT.tmp\Setup.exe
| MD5 | d69ad8d2f432e57d4f5ecf5d7e7f9300 |
| SHA1 | 4db420d6dfc64506e6e8b71ff63e4b240f2a562c |
| SHA256 | 21415b4bd92f908e375ef73e62b8539724488e9372c6df980d91c01e47ebfd15 |
| SHA512 | d21339419c6a85cb0454e3821d9cf8526b8913007fc500e026dfb6ba28cca96057695f2fa8d283f2b037b467a4229fe9f2b2dcd7cd33c9b0e37925a46e2b3f34 |
memory/1908-143-0x0000000000000000-mapping.dmp
memory/2156-144-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
| MD5 | 6bd341bfca324b52dfa4f696c7978025 |
| SHA1 | 09029b634ff31a7e2cc903f2e1580bc6f554558d |
| SHA256 | faae49fcc25f6c53f5b94d7d878b4babffcc2fbcb79f4f3183c68b465b1c33c6 |
| SHA512 | d848b7ddd7b10be177c805f4ec9d8976ee2de9bf154512e1367c2d8c448ecdee505e53542e7ee84de3d4850cde7a2f3b0ae5890f1d9f9375ad47c1f328a3e216 |
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
| MD5 | 1035dfc35230ab6c46a141d8c649e920 |
| SHA1 | 5eae1278d9f39b851f0629b5f96fe59b0aeb6c15 |
| SHA256 | 60e93671b7e6ca75ddb53a4a2018a2b4d7873c0def05b0cc8392575e30cbe080 |
| SHA512 | 0dd87bd8c8a58fd5f3d17b16e87873cffb74efa34c3bf7ce2b009806daaf7a50d7747ba5cd0a758870cc5ff7634c2771e8b8a950c542ec46c5e2a807b46087d2 |
C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
| MD5 | 96a80d0e7aafd552c6857ef310d64c7d |
| SHA1 | b4f308a47c85a76e22b01cc6291c70a4e459ebe2 |
| SHA256 | 1e706fc40379884d40b62ab4f6b26cd576447d93fc429123a2eae1b9c26892db |
| SHA512 | f2671402c7eee989b62a0367eeba766ae7ac1dddfbbb45c4c62799112b8638fc798c79bb1772aa3a7a51e404239feb633ba2a03aebb84dd04a69adc47e2954b4 |
memory/1084-159-0x0000000000740000-0x0000000000741000-memory.dmp
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
| MD5 | 1cb9c1b506a1a0e472ba4ed650b84f68 |
| SHA1 | 967034fcd28bcf9650b4fb55cc3eee487d56bd7b |
| SHA256 | c16b2b130f8099f72465ea300b41f14efa56ee8d76e8da80f048203aff69b1e4 |
| SHA512 | 5df9c7b9ae0fa91209e92967034336f0ed8c5e884df3e89cdba59ca0d566d7419975cc8154cff41d6a71596b929ac48e4719ced06dd347f342db4eef796e6f9a |
C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe
| MD5 | f6e70fbfe1d53b8d9d6d0b273542a7f7 |
| SHA1 | 1f962079e158b2b0b27a02e6985a14e5f739d368 |
| SHA256 | ba0da2f848a7beeb8109b7a4baa6f79434be60a47a3ae9a980b29568d53eb8aa |
| SHA512 | 2a951950502ec835bea6ef875b519941d05f00a96dd0b6b9aef59b40723d32a5a6d546e4ba39650e046bc7dd1e23eba383fc41b8f96cf5ffe406a2f17fdb5b61 |
memory/3888-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-BSTBJ.tmp\LabPicV3.tmp
| MD5 | dda84ebcc3c9968655702f7a6da23e1f |
| SHA1 | 8514f2e9eab129bd8288d5f13cf0030cae2e7fc5 |
| SHA256 | 743dcd957b3b1f5401d1812cbae0e546a31eff23507b5238198f8f0e7b65682b |
| SHA512 | e54f70e0876b7f566b9889874c20b75eb7c264184a2e2e7067f6b5b5940331818c1bcf4e263b32e3d71c62f5f0c2880c07dabeb1d9742a3990231f6e459a61e8 |
memory/3940-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-OO1UR.tmp\lylal220.tmp
| MD5 | 93839f8c15234e4c8f1f9d0f285400a0 |
| SHA1 | afedb5526c9962a6257dbd0b805ed76f9f26b093 |
| SHA256 | 449895149bf2a3864240e6ce912b90023cbf391adea2e35bcad7c73cb169b1a6 |
| SHA512 | 69e77f62d27f1466576725d0c802437813bbff1af010b7460dfcd3f6cfa79de808f166bae437258cafbfcefb8d9de6ab658cdedb2e63d98a77f571b5e4ae77e7 |
C:\Users\Admin\AppData\Local\Temp\is-72E2E.tmp\Versium.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/1908-177-0x00000000001C0000-0x000000000081F000-memory.dmp
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
| MD5 | a30bdf843d0961c11e78fed101764f74 |
| SHA1 | 0c421c3d2d007a09b9b968ac485464844fa8ca9d |
| SHA256 | 2c709b91decabb0daca10556e5cdd3a5efc6422ee1e27d9914475a26fa7cf219 |
| SHA512 | fea2281da0325f27e78483117356776400f01760c13bd3fab7c2f6ac91d5eb64300b820dedc9b55c84ecdeb7132b700a366046789b30b7ad7c9d0b9f577847bf |
memory/3824-172-0x0000000000000000-mapping.dmp
memory/1084-171-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/3824-182-0x0000000003930000-0x000000000396C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-787AK.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/1084-185-0x0000000000E70000-0x0000000000E90000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-MEFEE.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
\Users\Admin\AppData\Local\Temp\is-MEFEE.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/1084-186-0x0000000000E90000-0x0000000000E91000-memory.dmp
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
| MD5 | 1cb9c1b506a1a0e472ba4ed650b84f68 |
| SHA1 | 967034fcd28bcf9650b4fb55cc3eee487d56bd7b |
| SHA256 | c16b2b130f8099f72465ea300b41f14efa56ee8d76e8da80f048203aff69b1e4 |
| SHA512 | 5df9c7b9ae0fa91209e92967034336f0ed8c5e884df3e89cdba59ca0d566d7419975cc8154cff41d6a71596b929ac48e4719ced06dd347f342db4eef796e6f9a |
memory/4008-165-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Program Files (x86)\Data Finder\Versium Research\Versium.exe
| MD5 | f6e70fbfe1d53b8d9d6d0b273542a7f7 |
| SHA1 | 1f962079e158b2b0b27a02e6985a14e5f739d368 |
| SHA256 | ba0da2f848a7beeb8109b7a4baa6f79434be60a47a3ae9a980b29568d53eb8aa |
| SHA512 | 2a951950502ec835bea6ef875b519941d05f00a96dd0b6b9aef59b40723d32a5a6d546e4ba39650e046bc7dd1e23eba383fc41b8f96cf5ffe406a2f17fdb5b61 |
C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
| MD5 | 1e09b73afa67d8bfe8591eb605cef0e3 |
| SHA1 | 147fdec45342a0e069dd1aeea2c109440894bef9 |
| SHA256 | 431c13d939d7460db6ec5f524145a93fae7711d61344fbf1898cea7895480286 |
| SHA512 | b74516b1f3d241790537aaaaf9c8b90bd2edbcf2e7693c166b11c260d6689b9e0f2a9c25b5e6787d6c717eb9ad64605b783bdd1ac09a9b50f211112007c27a49 |
memory/2396-162-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1308-157-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4008-158-0x0000000000000000-mapping.dmp
memory/2396-155-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
| MD5 | 1e09b73afa67d8bfe8591eb605cef0e3 |
| SHA1 | 147fdec45342a0e069dd1aeea2c109440894bef9 |
| SHA256 | 431c13d939d7460db6ec5f524145a93fae7711d61344fbf1898cea7895480286 |
| SHA512 | b74516b1f3d241790537aaaaf9c8b90bd2edbcf2e7693c166b11c260d6689b9e0f2a9c25b5e6787d6c717eb9ad64605b783bdd1ac09a9b50f211112007c27a49 |
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
| MD5 | a30bdf843d0961c11e78fed101764f74 |
| SHA1 | 0c421c3d2d007a09b9b968ac485464844fa8ca9d |
| SHA256 | 2c709b91decabb0daca10556e5cdd3a5efc6422ee1e27d9914475a26fa7cf219 |
| SHA512 | fea2281da0325f27e78483117356776400f01760c13bd3fab7c2f6ac91d5eb64300b820dedc9b55c84ecdeb7132b700a366046789b30b7ad7c9d0b9f577847bf |
memory/1084-187-0x0000000000EC0000-0x0000000000EC2000-memory.dmp
memory/3888-188-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/3940-189-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/3824-190-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/3824-194-0x0000000005020000-0x0000000005021000-memory.dmp
memory/4348-193-0x0000000000000000-mapping.dmp
memory/3824-202-0x0000000005050000-0x0000000005051000-memory.dmp
\Users\Admin\AppData\Local\Temp\install.dll
| MD5 | 5e6df381ce1c9102799350b7033e41df |
| SHA1 | f8a4012c9547d9bb2faecfba75fc69407aaec288 |
| SHA256 | 01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7 |
| SHA512 | a27ca6d1643fbbbb13e46f35d06fe8a5414a8ddaedd9e417cbb1636ad96228ccadee928d5204123f2221a20fe7c416587d78967b47ffcbcf3c6ac4b7a1ca887d |
C:\Users\Admin\AppData\Local\Temp\install.dll
| MD5 | 5e6df381ce1c9102799350b7033e41df |
| SHA1 | f8a4012c9547d9bb2faecfba75fc69407aaec288 |
| SHA256 | 01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7 |
| SHA512 | a27ca6d1643fbbbb13e46f35d06fe8a5414a8ddaedd9e417cbb1636ad96228ccadee928d5204123f2221a20fe7c416587d78967b47ffcbcf3c6ac4b7a1ca887d |
memory/3824-199-0x0000000005040000-0x0000000005041000-memory.dmp
memory/4368-198-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | 7fee8223d6e4f82d6cd115a28f0b6d58 |
| SHA1 | 1b89c25f25253df23426bd9ff6c9208f1202f58b |
| SHA256 | a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59 |
| SHA512 | 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4 |
memory/3824-195-0x0000000005030000-0x0000000005031000-memory.dmp
memory/3824-192-0x0000000005010000-0x0000000005011000-memory.dmp
memory/3824-191-0x0000000005000000-0x0000000005001000-memory.dmp
C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
| MD5 | 96a80d0e7aafd552c6857ef310d64c7d |
| SHA1 | b4f308a47c85a76e22b01cc6291c70a4e459ebe2 |
| SHA256 | 1e706fc40379884d40b62ab4f6b26cd576447d93fc429123a2eae1b9c26892db |
| SHA512 | f2671402c7eee989b62a0367eeba766ae7ac1dddfbbb45c4c62799112b8638fc798c79bb1772aa3a7a51e404239feb633ba2a03aebb84dd04a69adc47e2954b4 |
memory/1308-153-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
| MD5 | 1035dfc35230ab6c46a141d8c649e920 |
| SHA1 | 5eae1278d9f39b851f0629b5f96fe59b0aeb6c15 |
| SHA256 | 60e93671b7e6ca75ddb53a4a2018a2b4d7873c0def05b0cc8392575e30cbe080 |
| SHA512 | 0dd87bd8c8a58fd5f3d17b16e87873cffb74efa34c3bf7ce2b009806daaf7a50d7747ba5cd0a758870cc5ff7634c2771e8b8a950c542ec46c5e2a807b46087d2 |
memory/1456-150-0x0000000000000000-mapping.dmp
memory/1084-147-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
| MD5 | 6bd341bfca324b52dfa4f696c7978025 |
| SHA1 | 09029b634ff31a7e2cc903f2e1580bc6f554558d |
| SHA256 | faae49fcc25f6c53f5b94d7d878b4babffcc2fbcb79f4f3183c68b465b1c33c6 |
| SHA512 | d848b7ddd7b10be177c805f4ec9d8976ee2de9bf154512e1367c2d8c448ecdee505e53542e7ee84de3d4850cde7a2f3b0ae5890f1d9f9375ad47c1f328a3e216 |
memory/3824-203-0x0000000005060000-0x0000000005061000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\install.dat
| MD5 | 77038c199399d4830a6bf570d46c4edb |
| SHA1 | 6158a9e03e797535e4438bf2f995c4904ed16079 |
| SHA256 | 9051a4489a9fa483934b8df5146cc5cb6c55a6f74fd58b266f731dffa4a3271e |
| SHA512 | 191f8cf61672b2c1fd23cfe7fad6b9341181f593f5c2dcef5f7db07918572b596ff8c078800ed4d4ea9e143ddbce99a8a445137a3737684f7e06aa6fc25d8b3d |
memory/3896-209-0x000001D020F50000-0x000001D020F9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\4_177039.exe
| MD5 | 6f80701718727602e7196b1bba7fac1b |
| SHA1 | c7a2c1534c20ca36c92f7f16cb6c1b4ab684f63d |
| SHA256 | bcd3d6619e7ba03b2828060977aca8ad4f925ad92b2175d0567ecc81f7da3e20 |
| SHA512 | dc6232b465b778f003cdef2d9b60dbd89b1b66b5aa0c2e2efa3a1b5bfa48fef03545a205f71da64da2ef206728c0e33c2b8d641617da9fd4df83ab154304c6a1 |
C:\Users\Admin\AppData\Local\Temp\is-NABEL.tmp\4_177039.exe
| MD5 | 6f80701718727602e7196b1bba7fac1b |
| SHA1 | c7a2c1534c20ca36c92f7f16cb6c1b4ab684f63d |
| SHA256 | bcd3d6619e7ba03b2828060977aca8ad4f925ad92b2175d0567ecc81f7da3e20 |
| SHA512 | dc6232b465b778f003cdef2d9b60dbd89b1b66b5aa0c2e2efa3a1b5bfa48fef03545a205f71da64da2ef206728c0e33c2b8d641617da9fd4df83ab154304c6a1 |
memory/3896-214-0x000001D021010000-0x000001D021080000-memory.dmp
memory/4528-216-0x00007FF7CC9C4060-mapping.dmp
memory/2536-224-0x0000018121CD0000-0x0000018121D40000-memory.dmp
memory/4604-223-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe
| MD5 | 02398f9746a8cdebb2bc1cb9ccb40e70 |
| SHA1 | fad0116890819ed4b83ae2014134e901aee88597 |
| SHA256 | 4b7105a1cb274a12c7941cde88be0a8ed7d8fffb40a49d76b8a6d6c9a8264a7d |
| SHA512 | 54ff56ec3eb85aaffa95ecae8dd4e244f9725eab3a87951ed11c6143531e5af7a13d4e3662befd1038d1ae9e3ad804f7b55ee08577c9cb5994cf91f420ebaf62 |
C:\Users\Admin\AppData\Local\Temp\is-787AK.tmp\3316505.exe
| MD5 | 02398f9746a8cdebb2bc1cb9ccb40e70 |
| SHA1 | fad0116890819ed4b83ae2014134e901aee88597 |
| SHA256 | 4b7105a1cb274a12c7941cde88be0a8ed7d8fffb40a49d76b8a6d6c9a8264a7d |
| SHA512 | 54ff56ec3eb85aaffa95ecae8dd4e244f9725eab3a87951ed11c6143531e5af7a13d4e3662befd1038d1ae9e3ad804f7b55ee08577c9cb5994cf91f420ebaf62 |
memory/1008-231-0x00000133CC560000-0x00000133CC5D0000-memory.dmp
memory/4604-230-0x0000000002690000-0x0000000002692000-memory.dmp
memory/4528-226-0x00000220281D0000-0x0000022028240000-memory.dmp
memory/4456-215-0x0000000002B70000-0x0000000002B72000-memory.dmp
memory/3824-211-0x0000000005070000-0x0000000005071000-memory.dmp
memory/4456-207-0x0000000000000000-mapping.dmp
memory/4368-206-0x0000000004E30000-0x0000000004E8C000-memory.dmp
memory/4368-205-0x0000000004F9E000-0x000000000509F000-memory.dmp
memory/4716-232-0x0000000000000000-mapping.dmp
memory/3824-239-0x0000000005080000-0x0000000005081000-memory.dmp
C:\Users\Admin\AppData\Roaming\6046326.exe
| MD5 | 09656265d56f17fa65d3f634304cee06 |
| SHA1 | 90a187289521fb17d14159409f92560afa841853 |
| SHA256 | edce208bc9457bfc328318d25e010fde7eb88fad6c9eb85e5df45cea1e1f5973 |
| SHA512 | 86f0b4aaeb3a452185fae53e315002c9d5075783d41a37ac6365071692451fed9bbc9e8867b89bdc7cc3f8b3bda4603b741c39fb2efd6f685d6d6cc293c9117c |
C:\Users\Admin\AppData\Roaming\6046326.exe
| MD5 | 09656265d56f17fa65d3f634304cee06 |
| SHA1 | 90a187289521fb17d14159409f92560afa841853 |
| SHA256 | edce208bc9457bfc328318d25e010fde7eb88fad6c9eb85e5df45cea1e1f5973 |
| SHA512 | 86f0b4aaeb3a452185fae53e315002c9d5075783d41a37ac6365071692451fed9bbc9e8867b89bdc7cc3f8b3bda4603b741c39fb2efd6f685d6d6cc293c9117c |
memory/4776-240-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
| MD5 | b7161c0845a64ff6d7345b67ff97f3b0 |
| SHA1 | d223f855da541fe8e4c1d5c50cb26da0a1deb5fc |
| SHA256 | fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66 |
| SHA512 | 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680 |
C:\Users\Admin\AppData\Local\Temp\is-MEFEE.tmp\Setup.exe
| MD5 | e61830bdcf96e90ebacce5abe82e2d98 |
| SHA1 | 22a4e726642321f2e03a3761f456dc12bcd2f18a |
| SHA256 | 5b08e682676d772de17ed7f99d0446fe86c7f39a6b96569f80f48134ce8b5de2 |
| SHA512 | 11f0891d0deb9d0452338450a98f30ecf74ac78dfac5c60511b2920df6faf34c43307413a44ee2d43734f7627fd266de4d3a6b127656cc8cf6a767f2f14f2a02 |
memory/3824-256-0x00000000050A0000-0x00000000050A1000-memory.dmp
memory/4804-257-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
memory/4776-261-0x0000000004F00000-0x0000000004F01000-memory.dmp
memory/4776-265-0x0000000000F00000-0x0000000000F09000-memory.dmp
memory/1064-270-0x0000021D7A270000-0x0000021D7A2E0000-memory.dmp
memory/4804-271-0x0000000002FB0000-0x0000000002FB1000-memory.dmp
memory/4968-276-0x00000000004E0000-0x00000000004E1000-memory.dmp
memory/4804-277-0x0000000002FD0000-0x0000000002FD1000-memory.dmp
memory/4804-279-0x0000000002FC0000-0x0000000002FD0000-memory.dmp
memory/964-280-0x0000028D5D180000-0x0000028D5D1F0000-memory.dmp
memory/4804-282-0x000000000E670000-0x000000000E671000-memory.dmp
memory/4804-286-0x000000000E250000-0x000000000E251000-memory.dmp
memory/4716-287-0x00000000025E0000-0x0000000002611000-memory.dmp
memory/4968-288-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
memory/4804-290-0x0000000002E80000-0x0000000002E81000-memory.dmp
memory/4716-291-0x0000000002630000-0x0000000002631000-memory.dmp
memory/3824-284-0x00000000050D0000-0x00000000050D1000-memory.dmp
memory/3824-272-0x00000000050C0000-0x00000000050C1000-memory.dmp
memory/3824-267-0x00000000050B0000-0x00000000050B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\3708586.exe
| MD5 | e386077aeee9c3cd8ad3e3d0ec38f678 |
| SHA1 | a4e1934607d61e75b8759721b4c0d224e3b816a9 |
| SHA256 | 7580df0af17fd6c0ff1705db3e69e13871ab497d94fcddd82c96203020799d14 |
| SHA512 | 1b0fa3026edc6247bc1c5991efa62b2b219c746f0b46ae3eb45c2e8f54ff639c555fb4698192681a05d1eac17d9001033665a2a8fe52600c1bb4c1439d515afb |
C:\Users\Admin\AppData\Roaming\3708586.exe
| MD5 | e386077aeee9c3cd8ad3e3d0ec38f678 |
| SHA1 | a4e1934607d61e75b8759721b4c0d224e3b816a9 |
| SHA256 | 7580df0af17fd6c0ff1705db3e69e13871ab497d94fcddd82c96203020799d14 |
| SHA512 | 1b0fa3026edc6247bc1c5991efa62b2b219c746f0b46ae3eb45c2e8f54ff639c555fb4698192681a05d1eac17d9001033665a2a8fe52600c1bb4c1439d515afb |
memory/4968-263-0x0000000000000000-mapping.dmp
memory/4716-260-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/2336-258-0x0000023ABF850000-0x0000023ABF8C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\5880758.exe
| MD5 | 1bdd3ee74209de8dd84a2edd67447ee7 |
| SHA1 | 5c612f2ad8b0212e98e198f77b71d82f549fe246 |
| SHA256 | 6c926f68db1044f0d53e77ffdee6d6e6250482542ffa502101a38e547881b3fd |
| SHA512 | 2c083d856b3b3ea8d2abc280a43831febf70d382a3a40f4c2614e964946fdb29d95c28508c2e161034005e1af51b7967a76aa0a0396de8948de3d34d52421e91 |
memory/4776-250-0x0000000000620000-0x0000000000621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-MEFEE.tmp\Setup.exe
| MD5 | e61830bdcf96e90ebacce5abe82e2d98 |
| SHA1 | 22a4e726642321f2e03a3761f456dc12bcd2f18a |
| SHA256 | 5b08e682676d772de17ed7f99d0446fe86c7f39a6b96569f80f48134ce8b5de2 |
| SHA512 | 11f0891d0deb9d0452338450a98f30ecf74ac78dfac5c60511b2920df6faf34c43307413a44ee2d43734f7627fd266de4d3a6b127656cc8cf6a767f2f14f2a02 |
C:\Users\Admin\AppData\Roaming\5880758.exe
| MD5 | 1bdd3ee74209de8dd84a2edd67447ee7 |
| SHA1 | 5c612f2ad8b0212e98e198f77b71d82f549fe246 |
| SHA256 | 6c926f68db1044f0d53e77ffdee6d6e6250482542ffa502101a38e547881b3fd |
| SHA512 | 2c083d856b3b3ea8d2abc280a43831febf70d382a3a40f4c2614e964946fdb29d95c28508c2e161034005e1af51b7967a76aa0a0396de8948de3d34d52421e91 |
memory/4716-244-0x00000000004B0000-0x00000000004B1000-memory.dmp
memory/3824-245-0x0000000005090000-0x0000000005091000-memory.dmp
memory/4804-242-0x0000000000000000-mapping.dmp
memory/2376-241-0x000001565C440000-0x000001565C4B0000-memory.dmp
memory/4968-297-0x0000000004BF0000-0x0000000004C2A000-memory.dmp
memory/4968-299-0x0000000002710000-0x0000000002711000-memory.dmp
C:\ProgramData\Windows Host\Windows Host.exe
| MD5 | 1bdd3ee74209de8dd84a2edd67447ee7 |
| SHA1 | 5c612f2ad8b0212e98e198f77b71d82f549fe246 |
| SHA256 | 6c926f68db1044f0d53e77ffdee6d6e6250482542ffa502101a38e547881b3fd |
| SHA512 | 2c083d856b3b3ea8d2abc280a43831febf70d382a3a40f4c2614e964946fdb29d95c28508c2e161034005e1af51b7967a76aa0a0396de8948de3d34d52421e91 |
C:\ProgramData\Windows Host\Windows Host.exe
| MD5 | 1bdd3ee74209de8dd84a2edd67447ee7 |
| SHA1 | 5c612f2ad8b0212e98e198f77b71d82f549fe246 |
| SHA256 | 6c926f68db1044f0d53e77ffdee6d6e6250482542ffa502101a38e547881b3fd |
| SHA512 | 2c083d856b3b3ea8d2abc280a43831febf70d382a3a40f4c2614e964946fdb29d95c28508c2e161034005e1af51b7967a76aa0a0396de8948de3d34d52421e91 |
memory/4748-305-0x0000000000400000-0x000000000041C000-memory.dmp
memory/4748-307-0x0000000000416372-mapping.dmp
memory/4380-298-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | f955bb3f3c06d20e3331132d86179b0b |
| SHA1 | 8c1af9a20a8643df359962ee747c7e188af3b022 |
| SHA256 | c2100f6df1e8d98a437826cb41c8cff5e169294d8bae14eb7428bdb78f2fad3c |
| SHA512 | b0027d89ffd407821dfac06d5b27cb55fb556670f09587e39017e77c645b1cb9b5a2369ac97223ff224e034d21cad9b3e6fc85daf3359646407f10597419bfe9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 15775d95513782f99cdfb17e65dfceb1 |
| SHA1 | 6c11f8bee799b093f9ff4841e31041b081b23388 |
| SHA256 | 477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00 |
| SHA512 | ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7 |
memory/3332-313-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | a6279ec92ff948760ce53bba817d6a77 |
| SHA1 | 5345505e12f9e4c6d569a226d50e71b5a572dce2 |
| SHA256 | 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181 |
| SHA512 | 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c |
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
| MD5 | a6279ec92ff948760ce53bba817d6a77 |
| SHA1 | 5345505e12f9e4c6d569a226d50e71b5a572dce2 |
| SHA256 | 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181 |
| SHA512 | 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c |
memory/4976-316-0x0000000000000000-mapping.dmp
C:\Program Files\Reference Assemblies\ZNIPNUVKZY\prolab.exe
| MD5 | 7233b5ee012fa5b15872a17cec85c893 |
| SHA1 | 1cddbafd69e119ec5ab5c489420d4c74a523157b |
| SHA256 | 46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628 |
| SHA512 | 716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f |
C:\Program Files\Reference Assemblies\ZNIPNUVKZY\prolab.exe
| MD5 | 7233b5ee012fa5b15872a17cec85c893 |
| SHA1 | 1cddbafd69e119ec5ab5c489420d4c74a523157b |
| SHA256 | 46a209c1f32c304a878395b6df5b2e306fd6eea0db40f0bab0a6d71eeb6b8628 |
| SHA512 | 716ff0dfd097e178d1023fe9e65720bc36b94d291811211a57193df7605616db1752dabaf5637a361c9996510242a71fc58d173605e251d733ae6431da9a1b4f |
memory/4296-319-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp
| MD5 | 47006dae5dde9f202bd32aec59100cc7 |
| SHA1 | bee5cf5cedd4d8c7aa4795285470f9745da857ef |
| SHA256 | ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f |
| SHA512 | 3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e |
C:\Users\Admin\AppData\Local\Temp\is-K0CNT.tmp\prolab.tmp
| MD5 | 47006dae5dde9f202bd32aec59100cc7 |
| SHA1 | bee5cf5cedd4d8c7aa4795285470f9745da857ef |
| SHA256 | ca6f4924a4cd5948178a17aa622433c83ee53bf06d0417adb85a29a941f4385f |
| SHA512 | 3f0d0f0fa4ae8640554a634bada4fd985f7b369db6f74145e21fe3e2a8040ea8cf213a4f06bfacb1085ef35d161e97eba7eb278ebd33959e22e68bff4c56831e |
C:\Users\Admin\AppData\Local\Temp\6e-c0360-ec9-b5ca4-c36d8e121f337\Vaezhalyqypy.exe
| MD5 | cf23a2e9f68d53f1da259c1797e56841 |
| SHA1 | 1a069c8bb82e0e83c682c8850c97587906a5f6a6 |
| SHA256 | e1c2113df7a950d15d5dbb99df8570393965c0a03b570986ad289d876b80c4dc |
| SHA512 | 28446ec0b2a7649c0ade7a1653c6d86c8f3b90f4ee153fa1e9cf898cca7463f615b50f9e992738c9a8d6646b60f74f914ff146c8b536cd63cba40709e81ce0dc |
memory/5000-322-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6e-c0360-ec9-b5ca4-c36d8e121f337\Vaezhalyqypy.exe.config
| MD5 | 98d2687aec923f98c37f7cda8de0eb19 |
| SHA1 | f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7 |
| SHA256 | 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465 |
| SHA512 | 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590 |
C:\Users\Admin\AppData\Local\Temp\6e-c0360-ec9-b5ca4-c36d8e121f337\Vaezhalyqypy.exe
| MD5 | cf23a2e9f68d53f1da259c1797e56841 |
| SHA1 | 1a069c8bb82e0e83c682c8850c97587906a5f6a6 |
| SHA256 | e1c2113df7a950d15d5dbb99df8570393965c0a03b570986ad289d876b80c4dc |
| SHA512 | 28446ec0b2a7649c0ade7a1653c6d86c8f3b90f4ee153fa1e9cf898cca7463f615b50f9e992738c9a8d6646b60f74f914ff146c8b536cd63cba40709e81ce0dc |
memory/5008-326-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\12-0258c-52f-c96a4-1015417e2eed2\ZHowoqaeqami.exe
| MD5 | ae4a8c201b070ee94488bb8862ed4ec5 |
| SHA1 | ce45eac5d66c15885e1bccf846b09ea71a79cbc0 |
| SHA256 | 8d5acffbaadbb5698a52baa31f2b4a073a3178366bc96b9b625142ef0201fd94 |
| SHA512 | 95bc24dd22dd788c3ae0e1b4989cbc57560b051db193fb88daf554400098de2d588b5e113dff8ccdd0427ea1305cb082d62276f88bd41ab01416f6b0bf7d406d |
C:\Users\Admin\AppData\Local\Temp\12-0258c-52f-c96a4-1015417e2eed2\ZHowoqaeqami.exe.config
| MD5 | 98d2687aec923f98c37f7cda8de0eb19 |
| SHA1 | f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7 |
| SHA256 | 8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465 |
| SHA512 | 95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590 |
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
| MD5 | b7161c0845a64ff6d7345b67ff97f3b0 |
| SHA1 | d223f855da541fe8e4c1d5c50cb26da0a1deb5fc |
| SHA256 | fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66 |
| SHA512 | 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680 |
memory/4000-331-0x0000000000000000-mapping.dmp
C:\Program Files\MSBuild\FFAPFUVHMT\irecord.exe
| MD5 | 6580a339df599fa8e009cccd08443c45 |
| SHA1 | d20527ca7b9ef9833dabe500980528c204e24838 |
| SHA256 | 6fadd81f3cbc295ee85e553a900159840805c45ceb73a841ed03c1404a61827d |
| SHA512 | a8bce887d14a0978dbb2059705e128f864db1e117a4a4cec584a2aa3eafbe715e39bbfe91dc19bdebfac750944940b9308d9416054452333ad08d1aadb669960 |
memory/4420-334-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-OT4HG.tmp\irecord.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |