Malware Analysis Report

2024-10-19 05:44

Sample ID 210526-cxl24bzxyj
Target ac7560fd5eae593bc3dd81a19f68647f.exe
SHA256 f92ea3668a35fbf6e26ba93ed3c2ee31235e41013b79cd661aa061d1327540d9
Tags elysiumstealer plugx vidar discovery evasion persistence spyware stealer trojan vmprotect
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 f92ea3668a35fbf6e26ba93ed3c2ee31235e41013b79cd661aa061d1327540d9

Threat Level: Likely malicious

The file ac7560fd5eae593bc3dd81a19f68647f.exe was found to be: Likely malicious.

Malicious Activity Summary

elysiumstealer plugx vidar discovery evasion persistence spyware stealer trojan vmprotect

Vidar

ElysiumStealer

PlugX

Checks for common network interception software

Executes dropped EXE

Drops file in Drivers directory

Downloads MZ/PE file

VMProtect packed file

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Reads local data of messenger clients

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Modifies system certificate store

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Kills process with taskkill

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies registry class

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-07-06 22:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-26 16:56

Reported

2021-05-26 16:58

Platform

win7v20210408

Max time kernel

38s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PI3FM.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe

"C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe"

C:\Users\Admin\AppData\Local\Temp\is-PI3FM.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PI3FM.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp" /SL5="$30028,140518,56832,C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 limesfile.com udp
N/A 8.8.8.8:53 limesfile.com udp

Files

memory/1776-59-0x0000000075C31000-0x0000000075C33000-memory.dmp

memory/1776-60-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-PI3FM.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/1436-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-PI3FM.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/1436-66-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-NJBVB.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-NJBVB.tmp\idp.dll

MD5 8f995688085bced38ba7795f60a5e1d3
SHA1 5b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-26 16:56

Reported

2021-05-26 16:58

Platform

win10v20210410

Max time kernel

45s

Max time network

144s

Command Line

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

Signatures

ElysiumStealer

stealer elysiumstealer

PlugX

trojan plugx

Vidar

stealer vidar

Checks for common network interception software

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-1P6JM.tmp\4_177039.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\is-2L2JT.tmp\3316505.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LUBCF.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe N/A
N/A N/A C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0-ebefa-636-b308e-e2ff6c12bd275\Bobaekofyxe.exe N/A
N/A N/A C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gayvwq0q.p1t\001.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D7K54.tmp\Setup3310.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\7784645.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe N/A
N/A N/A C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe N/A
N/A N/A C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe N/A
N/A N/A C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe N/A
N/A N/A C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe N/A
N/A N/A C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe N/A
N/A N/A C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe N/A
N/A N/A C:\Program Files (x86)\Data Finder\Versium Research\md9_9sjm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3ONJS.tmp\LabPicV3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TU42F.tmp\lylal220.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uoe51pky.4oh\005.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1P6JM.tmp\4_177039.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-2L2JT.tmp\3316505.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1930402.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\7784645.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\7619077.exe N/A
N/A N/A C:\ProgramData\Windows Host\Windows Host.exe N/A
N/A N/A C:\Program Files\Reference Assemblies\MRTVMKMOVJ\prolab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62-45df1-aa8-ae88b-4e03a253ea766\Kaebaxunega.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6-669d3-ac6-06db5-2b237c3fca8f6\Wipaeperyre.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\x1lkyjln.g4w\001.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u0vutlnl.mx5\installer.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f0-ebefa-636-b308e-e2ff6c12bd275\Bobaekofyxe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\7784645.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LUBCF.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D7K54.tmp\Setup3310.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D7K54.tmp\Setup3310.tmp N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rUNdlL32.eXe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3ONJS.tmp\LabPicV3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TU42F.tmp\lylal220.tmp N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe N/A
N/A N/A C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Kydedahaedi.exe\"" C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" C:\Users\Admin\AppData\Roaming\7784645.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Data Finder\\Dahaeninobae.exe\"" C:\Users\Admin\AppData\Local\Temp\is-2L2JT.tmp\3316505.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\AdvancedUpdater c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #2 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #3 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #4 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #5 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #6 c:\windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #1 c:\windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1628 set thread context of 4448 N/A \??\c:\windows\system32\svchost.exe C:\Windows\system32\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe N/A
File created C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe N/A
File created C:\Program Files (x86)\Picture Lab\is-6P0E1.tmp C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Picture Lab\is-URJ5L.tmp C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Picture Lab\AForge.dll C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Picture Lab\is-QDACO.tmp C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\MSBuild\Kydedahaedi.exe.config C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe N/A
File opened for modification C:\Program Files (x86)\Picture Lab\AForge.Math.dll C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File opened for modification C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Data Finder\Dahaeninobae.exe C:\Users\Admin\AppData\Local\Temp\is-2L2JT.tmp\3316505.exe N/A
File created C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-0KO1D.tmp C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\md9_9sjm.exe C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Picture Lab\SourceLibrary.dll C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Picture Lab\is-7IDVN.tmp C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp N/A
File created C:\Program Files (x86)\MSBuild\Kydedahaedi.exe C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe N/A
File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Picture Lab\SourceGrid2.dll C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Picture Lab\is-J2THS.tmp C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Picture Lab\is-3IL85.tmp C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\UltraMediaBurner\is-QM68T.tmp C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe N/A
File opened for modification C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Picture Lab\is-QKT8J.tmp C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Data Finder\Dahaeninobae.exe.config C:\Users\Admin\AppData\Local\Temp\is-2L2JT.tmp\3316505.exe N/A
File created C:\Program Files\Reference Assemblies\MRTVMKMOVJ\prolab.exe C:\Users\Admin\AppData\Local\Temp\is-2L2JT.tmp\3316505.exe N/A
File created C:\Program Files\Reference Assemblies\MRTVMKMOVJ\prolab.exe.config C:\Users\Admin\AppData\Local\Temp\is-2L2JT.tmp\3316505.exe N/A
File opened for modification C:\Program Files (x86)\Picture Lab\Pictures Lab.exe C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Picture Lab\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Picture Lab\is-EQCEH.tmp C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Picture Lab\is-EB30R.tmp C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File opened for modification C:\Program Files (x86)\Picture Lab\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe N/A
File created C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe.config C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe N/A
File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp N/A
File opened for modification C:\Program Files (x86)\Picture Lab\DockingToolbar.dll C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\Picture Lab\is-DVP9E.tmp C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp N/A
File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI6B15.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI700A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAA7A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB964.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7466ed.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6806.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB8D6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBB2C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAA2B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA2E6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA817.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBA40.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBAAE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBF74.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6E44.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI722E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB7CC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6C4E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9F4A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA084.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6D78.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\Installer\f7466ed.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB47F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7466f0.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\7619077.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "xebj6mn" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4626b3a15052d701 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K}\1 = "2202" C:\Windows\SysWOW64\rUNdlL32.eXe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F} C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{C817F39E-7C5E-439A-8EA0-9EA2411AFF99}" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\f0-ebefa-636-b308e-e2ff6c12bd275\Bobaekofyxe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary value not preserved in this copy] C:\Users\Admin\AppData\Local\Temp\f0-ebefa-636-b308e-e2ff6c12bd275\Bobaekofyxe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [binary value not preserved in this copy] C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A (4 identical entries)

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A (11 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp N/A (2 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe N/A (62 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f0-ebefa-636-b308e-e2ff6c12bd275\Bobaekofyxe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3876 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe C:\Users\Admin\AppData\Local\Temp\is-LUBCF.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp
PID 3876 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe C:\Users\Admin\AppData\Local\Temp\is-LUBCF.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp
PID 3876 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe C:\Users\Admin\AppData\Local\Temp\is-LUBCF.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp
PID 1784 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\is-LUBCF.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe
PID 1784 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\is-LUBCF.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe
PID 2788 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe
PID 2788 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe
PID 2788 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe
PID 1908 wrote to memory of 360 N/A C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp
PID 1908 wrote to memory of 360 N/A C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp
PID 1908 wrote to memory of 360 N/A C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp
PID 2788 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe C:\Users\Admin\AppData\Local\Temp\f0-ebefa-636-b308e-e2ff6c12bd275\Bobaekofyxe.exe
PID 2788 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe C:\Users\Admin\AppData\Local\Temp\f0-ebefa-636-b308e-e2ff6c12bd275\Bobaekofyxe.exe
PID 360 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 360 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
PID 2788 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe
PID 2788 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe
PID 3880 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 3880 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 4848 wrote to memory of 5028 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gayvwq0q.p1t\001.exe
PID 4848 wrote to memory of 5028 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gayvwq0q.p1t\001.exe
PID 4848 wrote to memory of 5028 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gayvwq0q.p1t\001.exe
PID 3880 wrote to memory of 5320 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 3880 wrote to memory of 5320 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 3880 wrote to memory of 5648 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 3880 wrote to memory of 5648 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 5648 wrote to memory of 5816 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe
PID 5648 wrote to memory of 5816 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe
PID 5648 wrote to memory of 5816 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe
PID 3880 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 3880 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 4180 wrote to memory of 4368 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe
PID 4180 wrote to memory of 4368 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe
PID 4180 wrote to memory of 4368 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe
PID 4368 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe C:\Users\Admin\AppData\Local\Temp\is-D7K54.tmp\Setup3310.tmp
PID 4368 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe C:\Users\Admin\AppData\Local\Temp\is-D7K54.tmp\Setup3310.tmp
PID 4368 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe C:\Users\Admin\AppData\Local\Temp\is-D7K54.tmp\Setup3310.tmp
PID 4872 wrote to memory of 4524 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4872 wrote to memory of 4524 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4872 wrote to memory of 4524 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5816 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 5816 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 5816 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe C:\Windows\SysWOW64\msiexec.exe
PID 4872 wrote to memory of 5208 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4872 wrote to memory of 5208 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4872 wrote to memory of 5208 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3880 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 3880 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 5368 wrote to memory of 5480 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\7784645.exe
PID 5368 wrote to memory of 5480 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\7784645.exe
PID 5368 wrote to memory of 5480 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\7784645.exe
PID 5208 wrote to memory of 5584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\taskkill.exe
PID 5208 wrote to memory of 5584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\taskkill.exe
PID 5208 wrote to memory of 5584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\taskkill.exe
PID 5480 wrote to memory of 5948 N/A C:\Users\Admin\AppData\Roaming\7784645.exe C:\Windows\SysWOW64\rUNdlL32.eXe
PID 5480 wrote to memory of 5948 N/A C:\Users\Admin\AppData\Roaming\7784645.exe C:\Windows\SysWOW64\rUNdlL32.eXe
PID 5480 wrote to memory of 5948 N/A C:\Users\Admin\AppData\Roaming\7784645.exe C:\Windows\SysWOW64\rUNdlL32.eXe
PID 3880 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 3880 wrote to memory of 6060 N/A C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe C:\Windows\System32\cmd.exe
PID 5948 wrote to memory of 1628 N/A C:\Windows\SysWOW64\rUNdlL32.eXe \??\c:\windows\system32\svchost.exe
PID 5948 wrote to memory of 2760 N/A C:\Windows\SysWOW64\rUNdlL32.eXe c:\windows\system32\svchost.exe
PID 1628 wrote to memory of 4448 N/A \??\c:\windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 1628 wrote to memory of 4448 N/A \??\c:\windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 1628 wrote to memory of 4448 N/A \??\c:\windows\system32\svchost.exe C:\Windows\system32\svchost.exe

Processes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Browser

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s WpnService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe

"C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe"

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s UserManager

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Schedule

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s gpsvc

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s BITS

C:\Users\Admin\AppData\Local\Temp\is-LUBCF.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LUBCF.tmp\ac7560fd5eae593bc3dd81a19f68647f.tmp" /SL5="$50032,140518,56832,C:\Users\Admin\AppData\Local\Temp\ac7560fd5eae593bc3dd81a19f68647f.exe"

C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe

"C:\Users\Admin\AppData\Local\Temp\is-FDL31.tmp\_____Zi____DanE______10.exe" /S /UID=burnerch3

C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe

"C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1DJ8H.tmp\ultramediaburner.tmp" /SL5="$5004C,281924,62464,C:\Program Files\7-Zip\MHVSWNXEEY\ultramediaburner.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\f0-ebefa-636-b308e-e2ff6c12bd275\Bobaekofyxe.exe

"C:\Users\Admin\AppData\Local\Temp\f0-ebefa-636-b308e-e2ff6c12bd275\Bobaekofyxe.exe"

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe

"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe

"C:\Users\Admin\AppData\Local\Temp\78-b4b9d-e22-f51a3-97c4de15bca8b\Qozhofafimu.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gayvwq0q.p1t\001.exe & exit

C:\Users\Admin\AppData\Local\Temp\gayvwq0q.p1t\001.exe

C:\Users\Admin\AppData\Local\Temp\gayvwq0q.p1t\001.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i3rql11h.wxk\GcleanerEU.exe /eufive & exit

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe /qn CAMPAIGN="654" & exit

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe

C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe /qn CAMPAIGN="654"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe /Verysilent /subid=623 & exit

C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe

C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe /Verysilent /subid=623

C:\Users\Admin\AppData\Local\Temp\is-D7K54.tmp\Setup3310.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D7K54.tmp\Setup3310.tmp" /SL5="$2022A,138429,56832,C:\Users\Admin\AppData\Local\Temp\5ztbflkf.3p3\Setup3310.exe" /Verysilent /subid=623

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding CFFD86196963D8B029FACA8491EF1AE7 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\wivnt4so.iwc\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621789121 /qn CAMPAIGN=""654"" " CAMPAIGN="654"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6DC8F53BD7A49BC6CA5B146E4A63E2D1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\23ul0v3c.1el\google-game.exe & exit

C:\Users\Admin\AppData\Local\Temp\23ul0v3c.1el\google-game.exe

C:\Users\Admin\AppData\Local\Temp\23ul0v3c.1el\google-game.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f

C:\Windows\SysWOW64\rUNdlL32.eXe

"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kyanyvm2.wnf\GcleanerWW.exe /mixone & exit

C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe" /Verysilent

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uoe51pky.4oh\005.exe & exit

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SystemNetworkService

C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe

"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"

C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe

"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"

C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe

"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"

C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe

"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"

C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe

"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"

C:\Program Files (x86)\Data Finder\Versium Research\md9_9sjm.exe

"C:\Program Files (x86)\Data Finder\Versium Research\md9_9sjm.exe"

C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe

"C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"

C:\Users\Admin\AppData\Local\Temp\is-3ONJS.tmp\LabPicV3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3ONJS.tmp\LabPicV3.tmp" /SL5="$20458,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"

C:\Users\Admin\AppData\Local\Temp\is-TU42F.tmp\lylal220.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TU42F.tmp\lylal220.tmp" /SL5="$20442,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"

C:\Users\Admin\AppData\Local\Temp\uoe51pky.4oh\005.exe

C:\Users\Admin\AppData\Local\Temp\uoe51pky.4oh\005.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\is-1P6JM.tmp\4_177039.exe

"C:\Users\Admin\AppData\Local\Temp\is-1P6JM.tmp\4_177039.exe" /S /UID=lylal220

C:\Users\Admin\AppData\Local\Temp\is-2L2JT.tmp\3316505.exe

"C:\Users\Admin\AppData\Local\Temp\is-2L2JT.tmp\3316505.exe" /S /UID=lab214

C:\Users\Admin\AppData\Roaming\1930402.exe

"C:\Users\Admin\AppData\Roaming\1930402.exe"

C:\Users\Admin\AppData\Roaming\7784645.exe

"C:\Users\Admin\AppData\Roaming\7784645.exe"

C:\Users\Admin\AppData\Roaming\7619077.exe

"C:\Users\Admin\AppData\Roaming\7619077.exe"

C:\ProgramData\Windows Host\Windows Host.exe

"C:\ProgramData\Windows Host\Windows Host.exe"

C:\Program Files\Reference Assemblies\MRTVMKMOVJ\prolab.exe

"C:\Program Files\Reference Assemblies\MRTVMKMOVJ\prolab.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0KI5A.tmp\prolab.tmp" /SL5="$501DC,575243,216576,C:\Program Files\Reference Assemblies\MRTVMKMOVJ\prolab.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\62-45df1-aa8-ae88b-4e03a253ea766\Kaebaxunega.exe

"C:\Users\Admin\AppData\Local\Temp\62-45df1-aa8-ae88b-4e03a253ea766\Kaebaxunega.exe"

C:\Users\Admin\AppData\Local\Temp\e6-669d3-ac6-06db5-2b237c3fca8f6\Wipaeperyre.exe

"C:\Users\Admin\AppData\Local\Temp\e6-669d3-ac6-06db5-2b237c3fca8f6\Wipaeperyre.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 89602BD3099AEAB63D0D9D41D731B7AC E Global\MSI0000

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x1lkyjln.g4w\001.exe & exit

C:\Users\Admin\AppData\Local\Temp\x1lkyjln.g4w\001.exe

C:\Users\Admin\AppData\Local\Temp\x1lkyjln.g4w\001.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hrik4fdp.35l\GcleanerEU.exe /eufive & exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\u0vutlnl.mx5\installer.exe /qn CAMPAIGN="654" & exit

C:\Users\Admin\AppData\Local\Temp\u0vutlnl.mx5\installer.exe

C:\Users\Admin\AppData\Local\Temp\u0vutlnl.mx5\installer.exe /qn CAMPAIGN="654"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im RunWW.exe /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p44kma5i.tqm\Setup3310.exe /Verysilent /subid=623 & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\p44kma5i.tqm\Setup3310.exe

C:\Users\Admin\AppData\Local\Temp\p44kma5i.tqm\Setup3310.exe /Verysilent /subid=623

C:\Users\Admin\AppData\Local\Temp\is-87F8T.tmp\Setup3310.tmp

"C:\Users\Admin\AppData\Local\Temp\is-87F8T.tmp\Setup3310.tmp" /SL5="$20310,138429,56832,C:\Users\Admin\AppData\Local\Temp\p44kma5i.tqm\Setup3310.exe" /Verysilent /subid=623

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4pn4coia.th0\google-game.exe & exit

C:\Users\Admin\AppData\Local\Temp\is-50FO4.tmp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\is-50FO4.tmp\Setup.exe" /Verysilent

C:\Users\Admin\AppData\Local\Temp\4pn4coia.th0\google-game.exe

C:\Users\Admin\AppData\Local\Temp\4pn4coia.th0\google-game.exe

C:\Windows\SysWOW64\rUNdlL32.eXe

"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cedriha4.2r0\GcleanerWW.exe /mixone & exit

C:\Program Files\Windows Security\RIMWRCXLVR\irecord.exe

"C:\Program Files\Windows Security\RIMWRCXLVR\irecord.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-HNKS7.tmp\irecord.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HNKS7.tmp\irecord.tmp" /SL5="$30554,6139911,56832,C:\Program Files\Windows Security\RIMWRCXLVR\irecord.exe" /VERYSILENT

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ynbktkoi.q3p\005.exe & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 2152

C:\Users\Admin\AppData\Local\Temp\44-b5565-2ff-3b78b-3b26ff84d13c0\Nikynekudy.exe

"C:\Users\Admin\AppData\Local\Temp\44-b5565-2ff-3b78b-3b26ff84d13c0\Nikynekudy.exe"

C:\Users\Admin\AppData\Local\Temp\13-33628-8b4-a02bd-2f9ab96b8dd18\Hyqopuqosu.exe

"C:\Users\Admin\AppData\Local\Temp\13-33628-8b4-a02bd-2f9ab96b8dd18\Hyqopuqosu.exe"

C:\Program Files (x86)\recording\i-record.exe

"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu

C:\Users\Admin\AppData\Local\Temp\ynbktkoi.q3p\005.exe

C:\Users\Admin\AppData\Local\Temp\ynbktkoi.q3p\005.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jyechpxi.av5\001.exe & exit

C:\Users\Admin\AppData\Local\Temp\jyechpxi.av5\001.exe

C:\Users\Admin\AppData\Local\Temp\jyechpxi.av5\001.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rryuc1bg.ejj\GcleanerEU.exe /eufive & exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2bdvjkuh.fiu\installer.exe /qn CAMPAIGN="654" & exit

C:\Users\Admin\AppData\Local\Temp\2bdvjkuh.fiu\installer.exe

C:\Users\Admin\AppData\Local\Temp\2bdvjkuh.fiu\installer.exe /qn CAMPAIGN="654"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\snbjbghs.sd5\Setup3310.exe /Verysilent /subid=623 & exit

C:\Users\Admin\AppData\Local\Temp\snbjbghs.sd5\Setup3310.exe

C:\Users\Admin\AppData\Local\Temp\snbjbghs.sd5\Setup3310.exe /Verysilent /subid=623

C:\Users\Admin\AppData\Local\Temp\is-U5OP8.tmp\Setup3310.tmp

"C:\Users\Admin\AppData\Local\Temp\is-U5OP8.tmp\Setup3310.tmp" /SL5="$403A2,138429,56832,C:\Users\Admin\AppData\Local\Temp\snbjbghs.sd5\Setup3310.exe" /Verysilent /subid=623

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sirnouft.woh\google-game.exe & exit

C:\Users\Admin\AppData\Local\Temp\sirnouft.woh\google-game.exe

C:\Users\Admin\AppData\Local\Temp\sirnouft.woh\google-game.exe

C:\Windows\SysWOW64\rUNdlL32.eXe

"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\44y0x2mi.dtm\GcleanerWW.exe /mixone & exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\linclnab.voo\005.exe & exit

C:\Users\Admin\AppData\Local\Temp\linclnab.voo\005.exe

C:\Users\Admin\AppData\Local\Temp\linclnab.voo\005.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xwmbjwbl.5fq\702564a0.exe & exit

C:\Users\Admin\AppData\Local\Temp\xwmbjwbl.5fq\702564a0.exe

C:\Users\Admin\AppData\Local\Temp\xwmbjwbl.5fq\702564a0.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\flobug4h.dfc\installer.exe /qn CAMPAIGN="654" & exit

C:\Users\Admin\AppData\Local\Temp\is-QQH0E.tmp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\is-QQH0E.tmp\Setup.exe" /Verysilent

C:\Users\Admin\AppData\Local\Temp\flobug4h.dfc\installer.exe

C:\Users\Admin\AppData\Local\Temp\flobug4h.dfc\installer.exe /qn CAMPAIGN="654"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 0FA8D13C7EB1533A6C64CAF8C8729828 C

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\flobug4h.dfc\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\flobug4h.dfc\ EXE_CMD_LINE="/forcecleanup /wintime 1621789121 /qn CAMPAIGN=""654"" " CAMPAIGN="654"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 88A4B53DD4BC12DB9166068619889187

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding BB5CC04F94C0353F3F055B9E1E112E8F E Global\MSI0000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uwdzzqs3.eah\702564a0.exe & exit

C:\Users\Admin\AppData\Local\Temp\uwdzzqs3.eah\702564a0.exe

C:\Users\Admin\AppData\Local\Temp\uwdzzqs3.eah\702564a0.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lifvaieu.5c1\installer.exe /qn CAMPAIGN="654" & exit

C:\Users\Admin\AppData\Local\Temp\lifvaieu.5c1\installer.exe

C:\Users\Admin\AppData\Local\Temp\lifvaieu.5c1\installer.exe /qn CAMPAIGN="654"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 108B34206F8165CB3DA9A4CBEEA0E270 C

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lifvaieu.5c1\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\lifvaieu.5c1\ EXE_CMD_LINE="/forcecleanup /wintime 1621789121 /qn CAMPAIGN=""654"" " CAMPAIGN="654"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B65CCBD1FE1721ECCFBADDE76F23B7BA

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E458096F4DA1846B198DC59FD82CD2DB E Global\MSI0000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zlrf11wn.zxr\702564a0.exe & exit

C:\Users\Admin\AppData\Local\Temp\zlrf11wn.zxr\702564a0.exe

C:\Users\Admin\AppData\Local\Temp\zlrf11wn.zxr\702564a0.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iqa2uznl.pw5\installer.exe /qn CAMPAIGN="654" & exit

C:\Users\Admin\AppData\Local\Temp\iqa2uznl.pw5\installer.exe

C:\Users\Admin\AppData\Local\Temp\iqa2uznl.pw5\installer.exe /qn CAMPAIGN="654"

C:\Users\Admin\AppData\Local\Temp\3A5.exe

C:\Users\Admin\AppData\Local\Temp\3A5.exe

C:\Users\Admin\AppData\Local\Temp\219E.exe

C:\Users\Admin\AppData\Local\Temp\219E.exe

Network


Files


MD5 6f362c8987bc470f1dd3e811832f3130
SHA1 f393258131c0ca63b68b597dfd538b38af6b800d
SHA256 6e664cf7d52cb973f8dfedfa7e619655a8eb1c09cda761bb4ab148904799ec61
SHA512 c8ed3058f2487f519098a9dc57c54af7799e7054e1f1d6111ee9dc4d31bdba3db8a8c771549064b0e6b3513fd7afdba9130d34bc9c1dc01c02c61d7d2ff85770

memory/5368-222-0x0000000000000000-mapping.dmp

memory/5480-223-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\23ul0v3c.1el\google-game.exe

MD5 e0819bdc761ed2345d94f5de33e827d1
SHA1 d24aa0aa0b4ad1eaeb52ff6f34b1b44546d79cd7
SHA256 86d0efba72479a8362119d90e7f18ab26f0b59337999d2821839e4cfd66ccac5
SHA512 7db169654b290bb80785c4531fff1b34e9cecf9f8bcda64814352d0448f2cac102e36ab3fe0d8e225ab588805736dc05fd7349ba2953c154c8270c5b7db1279a

C:\Users\Admin\AppData\Local\Temp\23ul0v3c.1el\google-game.exe

MD5 e0819bdc761ed2345d94f5de33e827d1
SHA1 d24aa0aa0b4ad1eaeb52ff6f34b1b44546d79cd7
SHA256 86d0efba72479a8362119d90e7f18ab26f0b59337999d2821839e4cfd66ccac5
SHA512 7db169654b290bb80785c4531fff1b34e9cecf9f8bcda64814352d0448f2cac102e36ab3fe0d8e225ab588805736dc05fd7349ba2953c154c8270c5b7db1279a

memory/5584-226-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI6B15.tmp

MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

\Windows\Installer\MSI6B15.tmp

MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

C:\Windows\Installer\MSI6C4E.tmp

MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

\Windows\Installer\MSI6C4E.tmp

MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

memory/5948-231-0x0000000000000000-mapping.dmp

\Windows\Installer\MSI6D78.tmp

MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

C:\Windows\Installer\MSI6D78.tmp

MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

\Users\Admin\AppData\Local\Temp\install.dll

MD5 dad2b18979ccfd88046305e76614a57b
SHA1 51d95c4947937bc35b99a372ba680a9fc0c563ef
SHA256 b58187d5057b20b86919a26d39a8c164f34b2aae9f180bbc3232820671eb7629
SHA512 c23a9c3f9a0a00db023921a13762fc297dce4928e6b98e75aa53d6e9d2326102f85e3370626fbce595fa7fd7ac7a74c9501f8b0371f68ee2d867eaf4ad8b1003

C:\Users\Admin\AppData\Local\Temp\install.dat

MD5 52ec6450008eac30cde8b5d7dc8a6cb1
SHA1 bed2e54c4abada58b2189afb1b7c8fa219c3b5d6
SHA256 1ce4c1cae9d9ce95a6a628f993b21b864f2212b6e093c25828b1bc5485f7fa7e
SHA512 96b46820a8de3cc32695d1681897576aa859b768257312396fe7e0caa0696a79471faf35b890b8f19b49c2eb89288d238ab622ae7b490b2ef7bd545716df45f3

memory/6060-236-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\install.dll

MD5 dad2b18979ccfd88046305e76614a57b
SHA1 51d95c4947937bc35b99a372ba680a9fc0c563ef
SHA256 b58187d5057b20b86919a26d39a8c164f34b2aae9f180bbc3232820671eb7629
SHA512 c23a9c3f9a0a00db023921a13762fc297dce4928e6b98e75aa53d6e9d2326102f85e3370626fbce595fa7fd7ac7a74c9501f8b0371f68ee2d867eaf4ad8b1003

C:\Windows\Installer\MSI6E44.tmp

MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

\Windows\Installer\MSI6E44.tmp

MD5 0981d5c068a9c33f4e8110f81ffbb92e
SHA1 badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256 b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA512 59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

memory/4384-245-0x0000000000000000-mapping.dmp

memory/4448-243-0x00007FF781A44060-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe

MD5 7a4d71198e3e33e6952d2751af486dc2
SHA1 a4048ee0a90c77754209b796d0d6596f65a45d0a
SHA256 c016b2423ee4c18dac8ea0a04a01031d6ddd286a9cbc9b10ec5f90f92b771280
SHA512 6255c40e569b87a56493732be95969db3f286c066c888710c0f3faf634f99e9b7ec1127d074066c1ac40d66734f6cedde06561b3a98d7a996a17e16c563dec40

C:\Users\Admin\AppData\Local\Temp\is-4TKR4.tmp\Setup.exe

MD5 7a4d71198e3e33e6952d2751af486dc2
SHA1 a4048ee0a90c77754209b796d0d6596f65a45d0a
SHA256 c016b2423ee4c18dac8ea0a04a01031d6ddd286a9cbc9b10ec5f90f92b771280
SHA512 6255c40e569b87a56493732be95969db3f286c066c888710c0f3faf634f99e9b7ec1127d074066c1ac40d66734f6cedde06561b3a98d7a996a17e16c563dec40

memory/4724-251-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI700A.tmp

MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

\Windows\Installer\MSI700A.tmp

MD5 7468eca4e3b4dbea0711a81ae9e6e3f2
SHA1 4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA256 73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA512 3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

memory/5948-258-0x000000000448E000-0x000000000458F000-memory.dmp

C:\Windows\Installer\MSI722E.tmp

MD5 43d68e8389e7df33189d1c1a05a19ac8
SHA1 caf9cc610985e5cfdbae0c057233a6194ecbfed4
SHA256 85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae
SHA512 58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

\Windows\Installer\MSI722E.tmp

MD5 43d68e8389e7df33189d1c1a05a19ac8
SHA1 caf9cc610985e5cfdbae0c057233a6194ecbfed4
SHA256 85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae
SHA512 58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

memory/5948-262-0x0000000000E60000-0x0000000000EBC000-memory.dmp

memory/5112-280-0x0000000000000000-mapping.dmp

memory/412-282-0x0000023E837D0000-0x0000023E83840000-memory.dmp

memory/5020-281-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1628-279-0x00000206FD930000-0x00000206FD9A0000-memory.dmp

memory/5020-277-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe

MD5 f4e73811f76f65f14f3a699255a776cc
SHA1 bbbe21bf72553fc38b0f06940e9870769bb8b628
SHA256 2739d9341d3de8fafc8e02236a9ddfa993bdbd20ceeed21fd81c61d45ce8d2f4
SHA512 cec2b412f2e16d2cfb4d4df9822ed5d99b21e243d9e65e50bbb4b3c07015d14a5f598fccbb1bb5578180a2c92789805d040a6c1e1b3c75437c5f1fd38c506693

memory/4960-273-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe

MD5 6bd341bfca324b52dfa4f696c7978025
SHA1 09029b634ff31a7e2cc903f2e1580bc6f554558d
SHA256 faae49fcc25f6c53f5b94d7d878b4babffcc2fbcb79f4f3183c68b465b1c33c6
SHA512 d848b7ddd7b10be177c805f4ec9d8976ee2de9bf154512e1367c2d8c448ecdee505e53542e7ee84de3d4850cde7a2f3b0ae5890f1d9f9375ad47c1f328a3e216

C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe

MD5 6bd341bfca324b52dfa4f696c7978025
SHA1 09029b634ff31a7e2cc903f2e1580bc6f554558d
SHA256 faae49fcc25f6c53f5b94d7d878b4babffcc2fbcb79f4f3183c68b465b1c33c6
SHA512 d848b7ddd7b10be177c805f4ec9d8976ee2de9bf154512e1367c2d8c448ecdee505e53542e7ee84de3d4850cde7a2f3b0ae5890f1d9f9375ad47c1f328a3e216

memory/1108-272-0x000001C3CD930000-0x000001C3CD9A0000-memory.dmp

memory/5284-268-0x0000000000000000-mapping.dmp

memory/5236-266-0x0000000000000000-mapping.dmp

memory/1108-265-0x000001C3CD5A0000-0x000001C3CD5EB000-memory.dmp

memory/2408-260-0x0000014B19780000-0x0000014B197F0000-memory.dmp

memory/5112-284-0x0000000000400000-0x000000000042C000-memory.dmp

memory/5188-291-0x0000000000010000-0x0000000000011000-memory.dmp

memory/5304-297-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/5540-298-0x0000000000000000-mapping.dmp

memory/1412-293-0x0000026D4D870000-0x0000026D4D8E0000-memory.dmp

memory/1944-303-0x000002222E140000-0x000002222E1B0000-memory.dmp

memory/2760-302-0x0000024F94360000-0x0000024F943D0000-memory.dmp

memory/5236-299-0x00000000011D0000-0x000000000182F000-memory.dmp

memory/5388-292-0x0000000000000000-mapping.dmp

memory/5304-286-0x0000000000000000-mapping.dmp

memory/5188-283-0x0000000000000000-mapping.dmp

memory/5388-308-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/5188-310-0x0000000000450000-0x000000000046D000-memory.dmp

memory/5540-311-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1240-309-0x00000216E8060000-0x00000216E80D0000-memory.dmp

memory/5188-315-0x0000000000790000-0x0000000000792000-memory.dmp

memory/1332-316-0x000002186E600000-0x000002186E670000-memory.dmp

memory/4448-321-0x0000022220D80000-0x0000022220DF0000-memory.dmp

memory/2672-322-0x000001A61FAD0000-0x000001A61FB40000-memory.dmp

memory/5612-325-0x0000000000000000-mapping.dmp

memory/4664-326-0x0000000000000000-mapping.dmp

memory/5016-327-0x0000000000000000-mapping.dmp

memory/5220-328-0x0000000000000000-mapping.dmp

memory/5316-329-0x0000000000000000-mapping.dmp

memory/5316-330-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/5480-332-0x0000000000000000-mapping.dmp

memory/5480-333-0x0000000000010000-0x0000000000011000-memory.dmp

memory/5952-336-0x0000000000000000-mapping.dmp

memory/5480-335-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/5316-337-0x0000000002640000-0x000000000266D000-memory.dmp

memory/5952-338-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/5480-340-0x0000000000600000-0x0000000000610000-memory.dmp

memory/5480-341-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

memory/5952-343-0x00000000011F0000-0x00000000011F1000-memory.dmp

memory/5480-344-0x0000000004820000-0x0000000004821000-memory.dmp

memory/5480-342-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/5952-346-0x0000000001350000-0x000000000138A000-memory.dmp

memory/5460-345-0x0000000000000000-mapping.dmp

memory/5952-347-0x00000000013A0000-0x00000000013A1000-memory.dmp

memory/5048-349-0x0000000000000000-mapping.dmp

memory/2808-350-0x0000000000000000-mapping.dmp

memory/5076-351-0x0000000000000000-mapping.dmp

memory/5900-352-0x0000000000000000-mapping.dmp

memory/3904-353-0x0000000000000000-mapping.dmp

memory/4780-354-0x0000000000000000-mapping.dmp

memory/6148-355-0x0000000000000000-mapping.dmp

memory/7872-356-0x0000000000000000-mapping.dmp

memory/7972-357-0x0000000000000000-mapping.dmp

memory/4116-358-0x0000000000000000-mapping.dmp

memory/6240-359-0x0000000000000000-mapping.dmp

memory/6668-360-0x0000000000000000-mapping.dmp

memory/6776-361-0x0000000000000000-mapping.dmp

memory/2732-362-0x0000000000000000-mapping.dmp

memory/7284-363-0x0000000000000000-mapping.dmp

memory/7328-364-0x0000000000000000-mapping.dmp

memory/7448-365-0x0000000000000000-mapping.dmp

memory/5496-366-0x0000000000000000-mapping.dmp

memory/7228-367-0x0000000000000000-mapping.dmp

memory/7312-368-0x0000000000000000-mapping.dmp

memory/7552-369-0x0000000000000000-mapping.dmp