bf841c68ef97e96b3587e366688a18914e2ae6ac1a3c34f05edfc6ba3ba02522

Analysis

max time kernel
150s
max time network
157s
platform
windows10_x64
resource
win10v20210410
submitted
07-06-2021 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IObit.Malware.Fighter.Pro-8.7.0.827.exe
Size

63.8MB
MD5

e5a73be912fec3b5a84dbb5c4d9b388b
SHA1

089b003554854e12fefb1efe9cc9aa2d896f25dd
SHA256

bf841c68ef97e96b3587e366688a18914e2ae6ac1a3c34f05edfc6ba3ba02522
SHA512

d3ce09ca5dfda07fc801bc0c73c0dfa4f04343f09a1c6aca9e7f04fe4b6b17f68d877cd6c07fffbc452a47682bad49cb209406788c2234804808c6178bbb6f12

Score

10^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

packeg.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObit Malware Fighter	packeg.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObit Malware Fighter\ = "{0BB81440-5F42-4480-A5F7-770A6F439FC8}"	packeg.tmp

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Downloads MZ/PE file

Executes dropped EXE 64 IoCs

Processes:

packeg.exepackeg.tmpBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeIMF_DownConfig.exeRansomware.exeBlueBirdInit.exeBlueBirdInit.exePluginInstall.exePluginInstall.exeBlueBirdInit.exeBlueBirdInit.exeIMFsrv.exeBlueBirdInit.exeBrowserProtect.exeIMFSrvWsc.exeLocalLang.exeBlueBirdInit.exeUninstallPromote.exeBlueBirdInit.exeIMF.exeBlueBirdInit.exeIMFsrv.exeIMFSrvWsc.exeIMFTips.exeIMFCore.exeIMFFeature.exeIMFFeature.exeIObitLiveUpdate.exeIMFSrvWsc.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeAutoUpdate.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeSPUpdate.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeIMFSrvWsc.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exe

pid	process
3920	packeg.exe
3156	packeg.tmp
3928	BlueBirdInit.exe
1084	BlueBirdInit.exe
3980	BlueBirdInit.exe
2492	IMF_DownConfig.exe
2584	Ransomware.exe
2196	BlueBirdInit.exe
3392	BlueBirdInit.exe
2268	PluginInstall.exe
2312	PluginInstall.exe
3392	BlueBirdInit.exe
2420	BlueBirdInit.exe
2596	IMFsrv.exe
1116	BlueBirdInit.exe
2256	BrowserProtect.exe
2752	IMFSrvWsc.exe
2268	LocalLang.exe
2784	BlueBirdInit.exe
3296	UninstallPromote.exe
1676	BlueBirdInit.exe
3112	IMF.exe
2156	BlueBirdInit.exe
3156	IMFsrv.exe
428	IMFSrvWsc.exe
3408	IMFTips.exe
2404	IMFCore.exe
4044	IMFFeature.exe
2780	IMFFeature.exe
1004	IObitLiveUpdate.exe
216	IMFSrvWsc.exe
216	BlueBirdInit.exe
3044	BlueBirdInit.exe
1872	BlueBirdInit.exe
3092	BlueBirdInit.exe
4044	AutoUpdate.exe
3464	BlueBirdInit.exe
2780	BlueBirdInit.exe
2232	BlueBirdInit.exe
3464	BlueBirdInit.exe
3044	BlueBirdInit.exe
2948	SPUpdate.exe
4112	BlueBirdInit.exe
4144	BlueBirdInit.exe
4168	BlueBirdInit.exe
4192	BlueBirdInit.exe
4216	BlueBirdInit.exe
4252	BlueBirdInit.exe
4276	BlueBirdInit.exe
4300	BlueBirdInit.exe
4328	BlueBirdInit.exe
4352	BlueBirdInit.exe
4376	BlueBirdInit.exe
4400	BlueBirdInit.exe
4424	BlueBirdInit.exe
4456	BlueBirdInit.exe
4464	IMFSrvWsc.exe
4512	BlueBirdInit.exe
4540	BlueBirdInit.exe
4564	BlueBirdInit.exe
4588	BlueBirdInit.exe
4608	BlueBirdInit.exe
4628	BlueBirdInit.exe
4648	BlueBirdInit.exe

Loads dropped DLL 64 IoCs

Processes:

IObit.Malware.Fighter.Pro-8.7.0.827.exeIMF_DownConfig.exeRansomware.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeBlueBirdInit.exeIMFsrv.exeBrowserProtect.exeUninstallPromote.exeIMF.exe

pid	process
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
2492	IMF_DownConfig.exe
2492	IMF_DownConfig.exe
2584	Ransomware.exe
2584	Ransomware.exe
2584	Ransomware.exe
2584	Ransomware.exe
2584	Ransomware.exe
3408	regsvr32.exe
3408	regsvr32.exe
3408	regsvr32.exe
3408	regsvr32.exe
2600	regsvr32.exe
2600	regsvr32.exe
2600	regsvr32.exe
2328	regsvr32.exe
2176	regsvr32.exe
3392	BlueBirdInit.exe
3392	BlueBirdInit.exe
3392	BlueBirdInit.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2256	BrowserProtect.exe
2256	BrowserProtect.exe
2256	BrowserProtect.exe
2256	BrowserProtect.exe
2256	BrowserProtect.exe
2256	BrowserProtect.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
3296	UninstallPromote.exe
3296	UninstallPromote.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IMF.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\windows\CurrentVersion\Run	IMF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IObit Malware Fighter = "\"C:\\Program Files (x86)\\IObit\\Malware Fighter\\IMF.exe\" /autostart"	IMF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 64 IoCs

Processes:

Ransomware.exeUninstallPromote.exeIMF.exepackeg.tmpBlueBirdInit.exeAutoUpdate.exeIMFTips.exebdpatchdownload.exeIObitLiveUpdate.exeIMFsrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\Ransomware.log	Ransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\IObit\IObit Malware Fighter\License.ini	UninstallPromote.exe
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core106.def.dat	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Adblock\html\static\js\vendor\is-29I1B.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\is-8NPF3.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\is-SRAV2.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Adblock\html\static\img\features\is-424GS.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Language\is-8F6E1.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Drivers\win10_amd64\IMFCameraProtect.sys	BlueBirdInit.exe
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\IMF.log	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Action Center\itopover.png	AutoUpdate.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Language\is-892F2.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Language\is-1JEVS.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\nDrivers\win10_x86\is-561G6.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core158.def	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\nDrivers\win7_ia64\is-AK3E3.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\BrowerProtect\images\is-2O80J.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Drivers\win7_x86\ImfHpFileFilter.sys	BlueBirdInit.exe
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\log\antilog\IMFTips.log	IMFTips.exe
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\Update\Update.ini	AutoUpdate.exe
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core114.def.dat	IMF.exe
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core151.def.dat	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\bdpatchdownload.log	bdpatchdownload.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Language\is-NLMQS.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Language\is-P5AGU.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Drivers\win10_ia64\imfpffilter.sys	BlueBirdInit.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\is-R3A9I.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Drivers\win10_amd64\ImfHpFileFilter.sys	BlueBirdInit.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Action Center\itopmini.png	AutoUpdate.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Update\bd\imfBdPatch.exe	bdpatchdownload.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Language\History\is-BPRIL.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Adblock\html\static\img\button-background\is-UTE5D.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Database\is-TO06N.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\TaskbarPin\is-1B4KH.tmp	packeg.tmp
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\Downloader.log	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\LatestNews\NewsData_v2.dat.tmp	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\nDrivers\win10_ia64\is-478SF.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Adblock\locales\is-LO263.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Adblock\locales\is-K4LI4.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Drivers\win7_amd64\ImfHpFileFilter.sys	BlueBirdInit.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Database\SPSpecialUrl.db	IObitLiveUpdate.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core122.def	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Language\is-RQEOG.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Adblock\locales\is-PISL3.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Drivers\win10_x86\ImfHpRegFilter.sys	BlueBirdInit.exe
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\log\antilog\IMFsrv.log	IMFsrv.exe
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core101.def.dat	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Action Center\ISRicon.png	AutoUpdate.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\is-G3VO4.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\is-P01LQ.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Drivers\wnet_x86\imfpffilter.sys	BlueBirdInit.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core119.def	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core141.def	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core166.def	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Language\is-RH616.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\nDrivers\win7_ia64\is-0SU5A.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Drivers\win7_x86\ImfRealScanner.sys	BlueBirdInit.exe
File opened for modification	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core149.def.dat	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core154.def	IMF.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\nDrivers\win7_amd64\is-1SHT6.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\BrowerProtect\images\is-0QAMI.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\is-SINSQ.tmp	packeg.tmp
File created	C:\Program Files (x86)\IObit\Malware Fighter\Update\Temp\itopnormal.png	AutoUpdate.exe
File created	C:\Program Files (x86)\IObit\Malware Fighter\Update\db\core113.def	IMF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3464 taskkill.exe

pid	process
3464	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

PluginInstall.exePluginInstall.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Isolation = "PMIL"	PluginInstall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Isolation = "PMIL"	PluginInstall.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

IMFsrv.exeIMFsrv.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	IMFsrv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	IMFsrv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IMFsrv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	IMFsrv.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exepackeg.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCPlugin_Protection.TASCBrowserProtection\Clsid\ = "{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCPlugin_Protection.TASCBrowserProtection\ = "IObit Surfing Protection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\0\win64\ = "C:\\Program Files (x86)\\IObit\\Malware Fighter\\IMFShellExt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCPlugin_Protection.TASCBrowserProtection\ = "IObit Surfing Protection"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCPlugin_Protection.TASCBrowserProtection\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\ProgID\ = "ASCPlugin_Protection.TASCBrowserProtection"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueBirdShellExt.BlueBirdShell	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB81440-5F42-4480-A5F7-770A6F439FC8}\ProgID\ = "BlueBirdShellExt.BlueBirdShell.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}\TypeLib\ = "{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}\ = "IBlueBirdShell"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB81440-5F42-4480-A5F7-770A6F439FC8}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\Malware Fighter\\IMFShellExt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\IObit Malware Fighter\ = "{0BB81440-5F42-4480-A5F7-770A6F439FC8}"	packeg.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueBirdShellExt.BlueBirdShell\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\ = "BlueBirdShellExt 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\IObit Malware Fighter	packeg.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB81440-5F42-4480-A5F7-770A6F439FC8}\ = "BlueBirdShell Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB81440-5F42-4480-A5F7-770A6F439FC8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB81440-5F42-4480-A5F7-770A6F439FC8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\IObit Malware Fighter	packeg.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCPlugin_Protection.TASCBrowserProtection\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueBirdShellExt.BlueBirdShell\ = "BlueBirdShell Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB81440-5F42-4480-A5F7-770A6F439FC8}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB81440-5F42-4480-A5F7-770A6F439FC8}\TypeLib\ = "{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\ = "IObit Surfing Protection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObit Malware Fighter	packeg.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\ProgID\ = "ASCPlugin_Protection.TASCBrowserProtection"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB81440-5F42-4480-A5F7-770A6F439FC8}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB81440-5F42-4480-A5F7-770A6F439FC8}\VersionIndependentProgID\ = "BlueBirdShellExt.BlueBirdShell"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCPlugin_Protection.TASCBrowserProtection	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\InprocServer32\ = "C:\\PROGRA~2\\IObit\\MALWAR~1\\SURFIN~1\\BROWER~1\\ASCPLU~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueBirdShellExt.BlueBirdShell\CLSID\ = "{0BB81440-5F42-4480-A5F7-770A6F439FC8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueBirdShellExt.BlueBirdShell\CurVer\ = "BlueBirdShellExt.BlueBirdShell.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\IObit Malware Fighter\ = "{0BB81440-5F42-4480-A5F7-770A6F439FC8}"	packeg.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueBirdShellExt.BlueBirdShell.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueBirdShellExt.BlueBirdShell.1\CLSID\ = "{0BB81440-5F42-4480-A5F7-770A6F439FC8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCPlugin_Protection.TASCBrowserProtection	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueBirdShellExt.BlueBirdShell.1\ = "BlueBirdShell Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}\ = "IBlueBirdShell"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\IObit Malware Fighter	packeg.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\ = "IObit Surfing Protection"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BlueBirdShellExt.BlueBirdShell.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1BD1040-0103-49C9-805E-FF8B1B7F7EC0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\InprocServer32	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

AutoUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	AutoUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BlueBirdInit.exeBlueBirdInit.exeBlueBirdInit.exeRansomware.exeBlueBirdInit.exeBlueBirdInit.exePluginInstall.exeregsvr32.exePluginInstall.exeregsvr32.exeBlueBirdInit.exeBlueBirdInit.exeIMFsrv.exeBlueBirdInit.exeBrowserProtect.exeBlueBirdInit.exeUninstallPromote.exe

pid	process
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
3928	BlueBirdInit.exe
1084	BlueBirdInit.exe
1084	BlueBirdInit.exe
3980	BlueBirdInit.exe
3980	BlueBirdInit.exe
2584	Ransomware.exe
2584	Ransomware.exe
2196	BlueBirdInit.exe
2196	BlueBirdInit.exe
3392	BlueBirdInit.exe
3392	BlueBirdInit.exe
2268	PluginInstall.exe
2268	PluginInstall.exe
3408	regsvr32.exe
3408	regsvr32.exe
2268	PluginInstall.exe
2268	PluginInstall.exe
2312	PluginInstall.exe
2312	PluginInstall.exe
2600	regsvr32.exe
2600	regsvr32.exe
2312	PluginInstall.exe
2312	PluginInstall.exe
3392	BlueBirdInit.exe
3392	BlueBirdInit.exe
2420	BlueBirdInit.exe
2420	BlueBirdInit.exe
2420	BlueBirdInit.exe
2420	BlueBirdInit.exe
2420	BlueBirdInit.exe
2420	BlueBirdInit.exe
2420	BlueBirdInit.exe
2420	BlueBirdInit.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
2596	IMFsrv.exe
1116	BlueBirdInit.exe
1116	BlueBirdInit.exe
2256	BrowserProtect.exe
2256	BrowserProtect.exe
2784	BlueBirdInit.exe
2784	BlueBirdInit.exe
3296	UninstallPromote.exe
3296	UninstallPromote.exe
3296	UninstallPromote.exe
3296	UninstallPromote.exe

Suspicious behavior: LoadsDriver 11 IoCs

Processes:

pid process

628
628
628
628
628
628
628
628
628
628
628

pid	process
628
628
628
628
628
628
628
628
628
628
628

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

taskkill.exeBlueBirdInit.exeIMFsrv.exeIObit.Malware.Fighter.Pro-8.7.0.827.exeIMFsrv.exeIMF.exeIMFBigUpgrade1.exe

description	pid	process
Token: SeDebugPrivilege	3464	taskkill.exe
Token: SeDebugPrivilege	3928	BlueBirdInit.exe
Token: SeDebugPrivilege	3928	BlueBirdInit.exe
Token: SeDebugPrivilege	3928	BlueBirdInit.exe
Token: SeDebugPrivilege	3928	BlueBirdInit.exe
Token: SeDebugPrivilege	3928	BlueBirdInit.exe
Token: SeDebugPrivilege	3928	BlueBirdInit.exe
Token: SeDebugPrivilege	3928	BlueBirdInit.exe
Token: SeCreateGlobalPrivilege	2596	IMFsrv.exe
Token: SeRestorePrivilege	2596	IMFsrv.exe
Token: SeBackupPrivilege	2596	IMFsrv.exe
Token: SeDebugPrivilege	4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
Token: SeDebugPrivilege	4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
Token: SeDebugPrivilege	4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
Token: SeDebugPrivilege	4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
Token: SeCreateGlobalPrivilege	3156	IMFsrv.exe
Token: SeRestorePrivilege	3156	IMFsrv.exe
Token: SeBackupPrivilege	3156	IMFsrv.exe
Token: SeRestorePrivilege	3112	IMF.exe
Token: SeBackupPrivilege	3112	IMF.exe
Token: SeRestorePrivilege	3112	IMF.exe
Token: SeBackupPrivilege	3112	IMF.exe
Token: SeDebugPrivilege	3112	IMF.exe
Token: 33	3112	IMF.exe
Token: SeIncBasePriorityPrivilege	3112	IMF.exe
Token: SeBackupPrivilege	4368	IMFBigUpgrade1.exe
Token: SeBackupPrivilege	4368	IMFBigUpgrade1.exe
Token: SeSecurityPrivilege	4368	IMFBigUpgrade1.exe
Token: SeSecurityPrivilege	4368	IMFBigUpgrade1.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

packeg.tmpIObit.Malware.Fighter.Pro-8.7.0.827.exeIMF.exeAutoUpdate.exeIMFBigUpgrade1.exe

pid	process
3156	packeg.tmp
4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
4044	AutoUpdate.exe
4044	AutoUpdate.exe
4044	AutoUpdate.exe
4044	AutoUpdate.exe
4044	AutoUpdate.exe
4044	AutoUpdate.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
4044	AutoUpdate.exe
4368	IMFBigUpgrade1.exe
4368	IMFBigUpgrade1.exe
4368	IMFBigUpgrade1.exe
4368	IMFBigUpgrade1.exe
4368	IMFBigUpgrade1.exe
4368	IMFBigUpgrade1.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe

Suspicious use of SendNotifyMessage 50 IoCs

Processes:

IMF.exeAutoUpdate.exeIMFBigUpgrade1.exe

pid	process
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
4044	AutoUpdate.exe
4044	AutoUpdate.exe
4044	AutoUpdate.exe
4044	AutoUpdate.exe
4044	AutoUpdate.exe
4044	AutoUpdate.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
4044	AutoUpdate.exe
4368	IMFBigUpgrade1.exe
4368	IMFBigUpgrade1.exe
4368	IMFBigUpgrade1.exe
4368	IMFBigUpgrade1.exe
4368	IMFBigUpgrade1.exe
4368	IMFBigUpgrade1.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe
3112	IMF.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

UninstallPromote.exe

pid process

3296 UninstallPromote.exe
3296 UninstallPromote.exe

pid	process
3296	UninstallPromote.exe
3296	UninstallPromote.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

IObit.Malware.Fighter.Pro-8.7.0.827.exepackeg.exepackeg.tmpPluginInstall.exePluginInstall.exeBlueBirdInit.exeregsvr32.exe

description	pid	process	target process
PID 4044 wrote to memory of 3920	4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe	packeg.exe
PID 4044 wrote to memory of 3920	4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe	packeg.exe
PID 4044 wrote to memory of 3920	4044	IObit.Malware.Fighter.Pro-8.7.0.827.exe	packeg.exe
PID 3920 wrote to memory of 3156	3920	packeg.exe	packeg.tmp
PID 3920 wrote to memory of 3156	3920	packeg.exe	packeg.tmp
PID 3920 wrote to memory of 3156	3920	packeg.exe	packeg.tmp
PID 3156 wrote to memory of 3464	3156	packeg.tmp	taskkill.exe
PID 3156 wrote to memory of 3464	3156	packeg.tmp	taskkill.exe
PID 3156 wrote to memory of 3464	3156	packeg.tmp	taskkill.exe
PID 3156 wrote to memory of 3928	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 3928	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 3928	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 1084	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 1084	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 1084	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 3980	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 3980	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 3980	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 2492	3156	packeg.tmp	IMF_DownConfig.exe
PID 3156 wrote to memory of 2492	3156	packeg.tmp	IMF_DownConfig.exe
PID 3156 wrote to memory of 2492	3156	packeg.tmp	IMF_DownConfig.exe
PID 3156 wrote to memory of 2584	3156	packeg.tmp	Ransomware.exe
PID 3156 wrote to memory of 2584	3156	packeg.tmp	Ransomware.exe
PID 3156 wrote to memory of 2584	3156	packeg.tmp	Ransomware.exe
PID 3156 wrote to memory of 2196	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 2196	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 2196	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 3392	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 3392	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 3392	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 2268	3156	packeg.tmp	PluginInstall.exe
PID 3156 wrote to memory of 2268	3156	packeg.tmp	PluginInstall.exe
PID 3156 wrote to memory of 2268	3156	packeg.tmp	PluginInstall.exe
PID 2268 wrote to memory of 3408	2268	PluginInstall.exe	regsvr32.exe
PID 2268 wrote to memory of 3408	2268	PluginInstall.exe	regsvr32.exe
PID 2268 wrote to memory of 3408	2268	PluginInstall.exe	regsvr32.exe
PID 2268 wrote to memory of 1764	2268	PluginInstall.exe	regsvr32.exe
PID 2268 wrote to memory of 1764	2268	PluginInstall.exe	regsvr32.exe
PID 2268 wrote to memory of 1764	2268	PluginInstall.exe	regsvr32.exe
PID 3156 wrote to memory of 2312	3156	packeg.tmp	PluginInstall.exe
PID 3156 wrote to memory of 2312	3156	packeg.tmp	PluginInstall.exe
PID 3156 wrote to memory of 2312	3156	packeg.tmp	PluginInstall.exe
PID 2312 wrote to memory of 2600	2312	PluginInstall.exe	regsvr32.exe
PID 2312 wrote to memory of 2600	2312	PluginInstall.exe	regsvr32.exe
PID 2312 wrote to memory of 2600	2312	PluginInstall.exe	regsvr32.exe
PID 2312 wrote to memory of 2784	2312	PluginInstall.exe	BlueBirdInit.exe
PID 2312 wrote to memory of 2784	2312	PluginInstall.exe	BlueBirdInit.exe
PID 2312 wrote to memory of 2784	2312	PluginInstall.exe	BlueBirdInit.exe
PID 3156 wrote to memory of 3392	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 3392	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 3392	3156	packeg.tmp	BlueBirdInit.exe
PID 3392 wrote to memory of 2328	3392	BlueBirdInit.exe	regsvr32.exe
PID 3392 wrote to memory of 2328	3392	BlueBirdInit.exe	regsvr32.exe
PID 3392 wrote to memory of 2328	3392	BlueBirdInit.exe	regsvr32.exe
PID 2328 wrote to memory of 2176	2328	regsvr32.exe	regsvr32.exe
PID 2328 wrote to memory of 2176	2328	regsvr32.exe	regsvr32.exe
PID 3156 wrote to memory of 2420	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 2420	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 2420	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 1116	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 1116	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 1116	3156	packeg.tmp	BlueBirdInit.exe
PID 3156 wrote to memory of 2256	3156	packeg.tmp	BrowserProtect.exe
PID 3156 wrote to memory of 2256	3156	packeg.tmp	BrowserProtect.exe

C:\Users\Admin\AppData\Local\Temp\IObit.Malware.Fighter.Pro-8.7.0.827.exe
"C:\Users\Admin\AppData\Local\Temp\IObit.Malware.Fighter.Pro-8.7.0.827.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\TEMP\packeg.exe
"C:\Users\Admin\AppData\Local\Temp\TEMP\packeg.exe" /sp- /verysilent /Installer /DIR="C:\Program Files (x86)\IObit\Malware Fighter" /TASKS="desktopicon,startmenuicon"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\is-Q85TS.tmp\packeg.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q85TS.tmp\packeg.tmp" /SL5="$300C8,64867561,137216,C:\Users\Admin\AppData\Local\Temp\TEMP\packeg.exe" /sp- /verysilent /Installer /DIR="C:\Program Files (x86)\IObit\Malware Fighter" /TASKS="desktopicon,startmenuicon"
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "BlueBirdInit.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /kill /updagrade
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /installAC
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /i /f
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3980

C:\Program Files (x86)\IObit\Malware Fighter\IMF_DownConfig.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMF_DownConfig.exe" "C:\Program Files (x86)\IObit\Malware Fighter"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492

C:\Program Files (x86)\IObit\Malware Fighter\Ransomware.exe
"C:\Program Files (x86)\IObit\Malware Fighter\Ransomware.exe" /init
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /init
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /copyConfig
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\PluginInstall.exe
"C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\PluginInstall.exe" /CleanOld
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\\BrowerProtect\ASCPlugin_Protection.dll"
5⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3408

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\\Adblock\Adblock.dll"
5⤵
PID:1764

C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\PluginInstall.exe
"C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\PluginInstall.exe" /Install
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\\BrowerProtect\ASCPlugin_Protection.dll"
5⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\\Adblock\Adblock.dll"
5⤵
PID:2784

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /initdriver
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\IObit\Malware Fighter\IMFShellExt.dll"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\IObit\Malware Fighter\IMFShellExt.dll"
6⤵
- Loads dropped DLL
- Modifies registry class
PID:2176

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /installSrv
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /fix_jxjc
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Program Files (x86)\IObit\Malware Fighter\BrowserProtect.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BrowserProtect.exe" /TurnOn
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Program Files (x86)\IObit\Malware Fighter\LocalLang.exe
"C:\Program Files (x86)\IObit\Malware Fighter\LocalLang.exe"
4⤵
- Executes dropped EXE
PID:2268

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /clearDrivertmp
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2784

C:\Program Files (x86)\IObit\Malware Fighter\UninstallPromote.exe
"C:\Program Files (x86)\IObit\Malware Fighter\UninstallPromote.exe" /install imf8
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3296

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /combinslog "C:\Users\Admin\AppData\Local\Temp\Setup Log 2021-06-07 #001.txt"
4⤵
- Executes dropped EXE
PID:1676

C:\Program Files (x86)\IObit\Malware Fighter\IMFsrv.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFsrv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe" /OutFlag 0
2⤵
- Executes dropped EXE
PID:2752

C:\Program Files (x86)\IObit\Malware Fighter\IMF.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMF.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3112

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /all
2⤵
- Executes dropped EXE
PID:2156

C:\Program Files (x86)\IObit\Malware Fighter\IMFTips.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFTips.exe" /starttips
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3408

C:\Program Files (x86)\IObit\Malware Fighter\IMFCore.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFCore.exe" /startImfcore /usecache
2⤵
- Executes dropped EXE
PID:2404

C:\Program Files (x86)\IObit\Malware Fighter\IMFFeature.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFFeature.exe" /u http://stats.iobit.com/active_month.php /a imf8 /p iobit /v 8.7.0.827 /t 1 /d 7
2⤵
- Executes dropped EXE
PID:4044

C:\Program Files (x86)\IObit\Malware Fighter\IMFFeature.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFFeature.exe" /imf /user /dayactive
2⤵
- Executes dropped EXE
PID:2780

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core104.def
2⤵
- Executes dropped EXE
PID:216

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core106.def
2⤵
- Executes dropped EXE
PID:1872

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core107.def
2⤵
- Executes dropped EXE
PID:3092

C:\Program Files (x86)\IObit\Malware Fighter\AutoUpdate.exe
"C:\Program Files (x86)\IObit\Malware Fighter\AutoUpdate.exe" /check
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4044

C:\Program Files (x86)\IObit\Malware Fighter\IMFBigUpgrade1.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFBigUpgrade1.exe" /run
3⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\IMF8_BigUpgrade\IMFBigUpgrade1.exe
"C:\Users\Admin\AppData\Local\Temp\IMF8_BigUpgrade\IMFBigUpgrade1.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4368

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core108.def
2⤵
PID:3464

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core109.def
2⤵
- Executes dropped EXE
PID:2780

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core110.def
2⤵
- Executes dropped EXE
PID:2232

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core111.def
2⤵
- Executes dropped EXE
PID:3464

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core112.def
2⤵
- Executes dropped EXE
PID:3044

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core113.def
2⤵
- Executes dropped EXE
PID:4112

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core114.def
2⤵
- Executes dropped EXE
PID:4144

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core115.def
2⤵
- Executes dropped EXE
PID:4168

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core116.def
2⤵
- Executes dropped EXE
PID:4192

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core117.def
2⤵
- Executes dropped EXE
PID:4216

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core118.def
2⤵
- Executes dropped EXE
PID:4252

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core119.def
2⤵
- Executes dropped EXE
PID:4276

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core120.def
2⤵
- Executes dropped EXE
PID:4300

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core121.def
2⤵
- Executes dropped EXE
PID:4328

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core122.def
2⤵
- Executes dropped EXE
PID:4352

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core123.def
2⤵
- Executes dropped EXE
PID:4376

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core124.def
2⤵
- Executes dropped EXE
PID:4400

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core125.def
2⤵
- Executes dropped EXE
PID:4424

C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe" /queryWD
2⤵
- Executes dropped EXE
PID:4464

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core126.def
2⤵
- Executes dropped EXE
PID:4456

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core127.def
2⤵
- Executes dropped EXE
PID:4512

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core128.def
2⤵
- Executes dropped EXE
PID:4540

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core129.def
2⤵
- Executes dropped EXE
PID:4564

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core130.def
2⤵
- Executes dropped EXE
PID:4588

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core131.def
2⤵
- Executes dropped EXE
PID:4608

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core140.def
2⤵
- Executes dropped EXE
PID:4628

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core141.def
2⤵
- Executes dropped EXE
PID:4648

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core142.def
2⤵
PID:4668

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core143.def
2⤵
PID:4688

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core144.def
2⤵
PID:4716

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core145.def
2⤵
PID:4752

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core146.def
2⤵
PID:4788

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core147.def
2⤵
PID:4812

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core148.def
2⤵
PID:4832

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core149.def
2⤵
PID:4852

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core150.def
2⤵
PID:4876

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core151.def
2⤵
PID:4896

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core152.def
2⤵
PID:4920

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core153.def
2⤵
PID:4940

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core154.def
2⤵
PID:4960

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core155.def
2⤵
PID:4980

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core156.def
2⤵
PID:5000

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core157.def
2⤵
PID:5020

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core158.def
2⤵
PID:5040

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core159.def
2⤵
PID:5060

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core160.def
2⤵
PID:5080

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core161.def
2⤵
PID:5100

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core162.def
2⤵
PID:2292

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core163.def
2⤵
PID:3984

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core164.def
2⤵
PID:1872

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core165.def
2⤵
PID:2572

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core166.def
2⤵
PID:1616

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core201.def
2⤵
PID:4140

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core202.def
2⤵
PID:4152

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core203.def
2⤵
PID:4144

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core204.def
2⤵
PID:4172

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core205.def
2⤵
PID:4204

C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
"C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe" /checkaubk /udb /dfn core206.def
2⤵
PID:4244

C:\Program Files (x86)\IObit\Malware Fighter\bdpatchdownload.exe
"C:\Program Files (x86)\IObit\Malware Fighter\bdpatchdownload.exe" /patchDownload
2⤵
- Drops file in Program Files directory
PID:4604

C:\Program Files (x86)\IObit\Malware Fighter\IMFsrv.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFsrv.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe" /OutFlag 0
2⤵
- Executes dropped EXE
PID:428

C:\Program Files (x86)\IObit\Malware Fighter\IObitLiveUpdate.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IObitLiveUpdate.exe" /srvupt
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1004

C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\SPUpdate.exe
"C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\SPUpdate.exe" /SvrRun
3⤵
- Executes dropped EXE
PID:2948

C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe" /OutFlag 2
2⤵
- Executes dropped EXE
PID:216

C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe" /OutFlag 0
2⤵
PID:3044

C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe
"C:\Program Files (x86)\IObit\Malware Fighter\IMFSrvWsc.exe" /OutFlag 0
2⤵
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IObit\Malware Fighter\7z.dll
MD5
87ea820099d43d2b4d4faee5938539d0

SHA1
53980bbe418c1c96d5b7043797e4e46303796506

SHA256
32d4050ee6b5404ad86f3ea9fc1f8b82d360a5da551ad49b91d3db85c8fdcbd7

SHA512
7e34c100f313c32e597f424984bb35e70a551943076a463b0b3e56e79c431ba48a321959cdea14cb9df86fc8621365bf8c56f0780f9cbfd4aecd267daec5f35f

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\AutoUpdate.exe
MD5
29568a0515582986171cbd9e0cd79f92

SHA1
dc6faff0ad5e5484ee17e0977ad02758f6c55c9b

SHA256
eb031d669bd494c3d29562394044bdccd1073359b1c035fdc9424daa1851d383

SHA512
bdc28ffddbc3dfd3af03ae47e410a9cd85826bc6a10a10157cf556b633109cc3f527d5887c6e0883e95e5248395d460abb1503f185f33287d23b6f7ba06f65c6

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
MD5
20a0caf62e48653f8dbb7e22c19532e6

SHA1
97ca06170c3b1bf7b234eb64806fad107eda181c

SHA256
d2561750ca3f01efddf1542627758af49774fff644e346fd4745c94e8db2a22f

SHA512
3c14bff37dc660003d6748f9e866b0da6045c7f2f7acc8f0e03f14bb05ae2be1fdc72ce281e45651f4b4a3c089bcff2d870937adbaf56993ca63f6bbf33c8e3d

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
MD5
20a0caf62e48653f8dbb7e22c19532e6

SHA1
97ca06170c3b1bf7b234eb64806fad107eda181c

SHA256
d2561750ca3f01efddf1542627758af49774fff644e346fd4745c94e8db2a22f

SHA512
3c14bff37dc660003d6748f9e866b0da6045c7f2f7acc8f0e03f14bb05ae2be1fdc72ce281e45651f4b4a3c089bcff2d870937adbaf56993ca63f6bbf33c8e3d

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
MD5
20a0caf62e48653f8dbb7e22c19532e6

SHA1
97ca06170c3b1bf7b234eb64806fad107eda181c

SHA256
d2561750ca3f01efddf1542627758af49774fff644e346fd4745c94e8db2a22f

SHA512
3c14bff37dc660003d6748f9e866b0da6045c7f2f7acc8f0e03f14bb05ae2be1fdc72ce281e45651f4b4a3c089bcff2d870937adbaf56993ca63f6bbf33c8e3d

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
MD5
20a0caf62e48653f8dbb7e22c19532e6

SHA1
97ca06170c3b1bf7b234eb64806fad107eda181c

SHA256
d2561750ca3f01efddf1542627758af49774fff644e346fd4745c94e8db2a22f

SHA512
3c14bff37dc660003d6748f9e866b0da6045c7f2f7acc8f0e03f14bb05ae2be1fdc72ce281e45651f4b4a3c089bcff2d870937adbaf56993ca63f6bbf33c8e3d

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
MD5
20a0caf62e48653f8dbb7e22c19532e6

SHA1
97ca06170c3b1bf7b234eb64806fad107eda181c

SHA256
d2561750ca3f01efddf1542627758af49774fff644e346fd4745c94e8db2a22f

SHA512
3c14bff37dc660003d6748f9e866b0da6045c7f2f7acc8f0e03f14bb05ae2be1fdc72ce281e45651f4b4a3c089bcff2d870937adbaf56993ca63f6bbf33c8e3d

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\BlueBirdInit.exe
MD5
20a0caf62e48653f8dbb7e22c19532e6

SHA1
97ca06170c3b1bf7b234eb64806fad107eda181c

SHA256
d2561750ca3f01efddf1542627758af49774fff644e346fd4745c94e8db2a22f

SHA512
3c14bff37dc660003d6748f9e866b0da6045c7f2f7acc8f0e03f14bb05ae2be1fdc72ce281e45651f4b4a3c089bcff2d870937adbaf56993ca63f6bbf33c8e3d

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Database\ARDatabase.db
MD5
f2340eecf2b1d8bc3a3b5ce82203b29f

SHA1
85699132fcc2b1741fed9599e17b268a4ee3d363

SHA256
3487d0bf0da9f51c977848a97ec7f32e276941ee028de698ef576efdd4dfe0e2

SHA512
a79a7ee852f99b6746dd68f940073691f2eae12d743eaebe0278a08b20d18e2380043249a01c9ed7a3cc971a37aee805a082ee251e4ebd4b52e6b60524e4f4c0

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\DetectionEx.ini
MD5
e882a6872c165d46d1947191aa3f5965

SHA1
e85366dfe177accc6a5bb605f95a50d952aa2572

SHA256
877b0ddbee9ab50092d4a18fad698efc00d58445ed9d9e0a5d561d502aa075dc

SHA512
600eaf8471f34409238ec3f0ab534597f949c98afbb27f8b7b6511c8f7fc4577aaa9153108b68127633626a9b37bce0326171a5ed427f9eb69d068ac7073e8c2

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\IMF.exe
MD5
f593f31725671cc66a77566ed9d858ae

SHA1
87595a64a0946de2e6eeef0be60d4e994413bb37

SHA256
b2a05398abcb01a288b6280afe0cdbdb2de3ec98cb158971e244a31f178e47cf

SHA512
cd148ccab8a8092dff555f67a8d6faf36be82c09a3bba817a7f3cdcb5d79c9007a084dfe7a786dc556357ff29f5b59b5ba347f193bee9f34672619d20fb34a3c

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\IMFCore.exe
MD5
08785e623ecdc9b60b972e6e9ef70842

SHA1
ab3bd7fab5e2812cf36e263632635adbec8afdd4

SHA256
46120bd12e1392f9f7a9b3f71c97238bbb3e486b3ec600379e41d44f992aa517

SHA512
5429cf5cf4e47f6c55723a67c286bf800d339de906a07227f47314310aaea3f0a6a91a827391f3bca921eae799c71a9530889d926fd60822640f5dfdac3137a8

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\IMFRegister.exe
MD5
54705a6664c902beaabf4fc077703e67

SHA1
3ca8090c361bc6ae48ce136a00a6a267bae12414

SHA256
bcd745c8d060ed2a147ef499a8c8033f870d9acf8ed6adb0c6877fd1c0478809

SHA512
55128c57f3e19ad4a98605cba319d608c5d65ba8104e6770f25214656562f2dae1d1f2b0ef5d4232416988c3f89781ec55bb445d2068e3e1c2117dd586c5d584

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\IMF_DownConfig.exe
MD5
35d72fbf9e77180fb33bbca78086807e

SHA1
e6a61f35a26d298ce8300876111f39afdbe9ba57

SHA256
f777ae7b0ee53e6d5120ab6a28fb199e8031a8fbc9e65c1505f0c4ec23ebcbd6

SHA512
7ab99864d83c27e6a814247184893b055c1bc8d1be262d01568a94a23344846d525b224707761dea7b379368c362b89e49f9df8c76c4d8f03aaa2769dbe0246c

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\IMFsrv.exe
MD5
56ee4c8fd3676a91748f9fe10ce12a1b

SHA1
bd5c975d61aaf498549649dc203504c47565a977

SHA256
9ab43c49c5578bb450977f1f93dec270ef8de3755ecdb0660a45dbd14fdf4b2c

SHA512
2187216919067bd04f63f79987297c293d3b47a99afdef3845360f2c2a715f20eb062c4416e2dee80b3b1b5682da8a45f3a836e352d4e0d1e9e18df33e0484bc

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\OFCommon.dll
MD5
e34949f7c2ce71b22945536e11a29307

SHA1
ed2ec06b4a002b5a2d07233873a81b7a7725a7b5

SHA256
aef32455624921fe6869a777e7d726fe70ea3254f52dc04eb5bc6f75956c7d8b

SHA512
4cde5a0cc34bd7314f1f9341f398681931303372f0972044bba2ccaf6dc5d3bce49ae2de0fc5487e2a143c344e56339ef19137c3db3e3eb4d61ec07f6a3d71bd

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Ransomware.exe
MD5
c542726c2f199c764debf3cff8e86823

SHA1
02217c0131db6eb02a383ef6cfc4f82727446c5f

SHA256
845d63f2bb2e5f7bade0743d116f89c1ba510360087cae5e49a0377f6be356e0

SHA512
331ba3a3fc870a122471fa8381e3b96af40fca21cef68939b8d345d1be9ea4c21e3252917981bfe00065e8b14c8dba0d3fe81ed380af3b1aa94be7cb4b88d754

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Ransomware.exe
MD5
c542726c2f199c764debf3cff8e86823

SHA1
02217c0131db6eb02a383ef6cfc4f82727446c5f

SHA256
845d63f2bb2e5f7bade0743d116f89c1ba510360087cae5e49a0377f6be356e0

SHA512
331ba3a3fc870a122471fa8381e3b96af40fca21cef68939b8d345d1be9ea4c21e3252917981bfe00065e8b14c8dba0d3fe81ed380af3b1aa94be7cb4b88d754

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll
MD5
227c11cc424112e9f8de6c6d07e9df9a

SHA1
83d98dcaa2e934bddcf51af7e4ffa9a42ea5d598

SHA256
df5ff7bfd49eaa7c04f8de1c44c7191d45ad44124b17768f4ba6718754344d14

SHA512
16eec225a90893839a93eb08da9d768c81679a14410d44eaa8d2d16567da0e9deebe4185ddbd01f715e540a2d41e812e187691c50484dfe45d1f985b0fd6603a

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\BrowerProtect\ASCUrlScanner.dll
MD5
0ea040ebeb8bf91166963be085921923

SHA1
933462e1cc1f957e61cc3603bb2225016c564023

SHA256
8837f05989ab0fde46f78fb8e07b3fe64c75a8638a70c616442df059a3f2f391

SHA512
9d7e49563062e931a6f6f5afb0874e864e76ac314724928803f73797ab4831ff36221223c1ca6bd905778194c125ad4bfa83bd1431815a2efce0b554c5ae1cc1

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Database\ASCPhishList.db
MD5
36852aac53bfd1e3246bcdd4939fa237

SHA1
0f5c03419517865dca1a38e4e8b74a862cc738c4

SHA256
d0659f308f39c8f9832087494f866ac673d636cba002f7bd38d86fed659704b8

SHA512
30eb0058d3f1e1976951d7153722c646de3fa95e72477dd7f55a750c4ab234493fb7657b6043e075eb12c37d6779f10af857feec0610161266368b9c1a7acf70

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Database\SPSpecialUrl.db
MD5
2224044bf8dd71e39c6ca9e4b4b988e7

SHA1
74c2079d4feb3a97a74bf4494dceefe9f2f98a78

SHA256
ea31fbbcfba4cb5bf2fe099392c1f136a80b435af2fc2817b4e9c83089f5fc5d

SHA512
df02150fad2aece782b75bc9951d7e85d8684583ef67bcde47dcafac7eb366601e64b8114d2ef836955cb8522f85d946c21308668a5b609d401fc14256b686cc

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Database\base_safe_browse_v4_0721
MD5
1bf6a85733868120b4497e3c8ce6b7a7

SHA1
55ed4c47aa74e916a97060e3a4f7632e21391c44

SHA256
94315722210601633edaf8fa081569ddfbcbc9508d011b47e2eced7dd6838776

SHA512
913358b8c72f8353f41b064af7b1dd9419d70f056715aca338f287bd76d1cfe3999f40dec7f734200cafb43ae2128b60f6d771bc3f2ebfebe37a36ab87558ad2

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Database\base_upt_add_v4
MD5
7abbc943f313ce74e50038af24f2be08

SHA1
d0ed0c26a4efe6e96e96dd48228b63b9d3fe884b

SHA256
17fef44b8e025a1a922f2ee0852cd7d8f7eab435549c785373eae0db33bc4439

SHA512
9683f3d22c529903fcad42340909f0bf329ffe0354b16511d05b79bd8cfe24555a81dc126c5b640ad31dddb25467c126fe73fcf24608af68419e2bf615761ea1

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\Database\spupdate_v4.utp
MD5
25c2c094f7083b622600ad2275764ddd

SHA1
b068d962f79f45d50ab928f27f8139b7bfdb86fa

SHA256
65d7fd479081c5df9d9a781a6539fa8859076f9757ad479b2f2391169b13f31b

SHA512
a272fd546fe06b38a58f9571a9ddaf30639c507ff912ac99bb9b07d8d2faabf353a7c4ced921950081d22ebf842894a79a9c334c557bfd5cc366d8705632e2c7

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\PluginInstall.exe
MD5
a6b0b0e1eaa2d52a9cb32a4b3da743fe

SHA1
1005c4ef8afb39114f3aef4963a0b0a8a12eab7e

SHA256
7a6fa46244e259c5d4d8d829a4bf0300506dff174bb7384284e9bd2de43bf84b

SHA512
78b73e4381e811d4ba973f04c9faf0c475fe8a51d2f8976cf7a4b82acc64539bfe5d33870b17ade830df6b43eb14855f85020d806c9ff61947ebaefc1715fa2c

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\PluginInstall.exe
MD5
a6b0b0e1eaa2d52a9cb32a4b3da743fe

SHA1
1005c4ef8afb39114f3aef4963a0b0a8a12eab7e

SHA256
7a6fa46244e259c5d4d8d829a4bf0300506dff174bb7384284e9bd2de43bf84b

SHA512
78b73e4381e811d4ba973f04c9faf0c475fe8a51d2f8976cf7a4b82acc64539bfe5d33870b17ade830df6b43eb14855f85020d806c9ff61947ebaefc1715fa2c

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\language\English.lng
MD5
f2837842d7b70f82b3634c8e16162f2c

SHA1
9eb65bed6ed00e5dc6ead1d6bb64d17dbe923e1f

SHA256
482fb4f48bfa81ba9b5de73e043d1b0b6880cf548e41fb1271005ae6d2eacf91

SHA512
1d41c142305b3894a5d0cb39720cf679b35531d6c02c710483cf796ecfc40063d12fd4dd937bf14eeb129e2f57e1274da5ef7b7264aa664e0ecc24415d2dc87d

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\bdquar.dll
MD5
76df8b559f29839d455269b31d23fd73

SHA1
c719e66c7e18d8366005b4970d7af003a745394f

SHA256
17a74cbcd96e3b49374a7b513743600dff72e4e72c2aff4a40326b523bb67008

SHA512
5d36b66ba0d6150f523961e81868593ed58092ddc31a8ea993b56e72894e3aed8fe10e8b4b78e01837acff319325ef5976ce6c5a1bb4940295d9b7372d2ef76e

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\datastate.dll
MD5
7555301cba4259cbab3571714ad69993

SHA1
da4a4450be5e2f658e12e42f561d421554c09ccb

SHA256
9a1431e86eb187a1104ea1f2da44bfad4bad7daf1ea40a6843571a74e0ccf4ab

SHA512
141cb369ee7040fa4de0f749fd2a89b9933cfe164a40af395431ea72d9362bbb4900649b9ddd6c1899b33ec3bb1289d7f3d16f35d12efe59e365c5e2fa0e0ba3

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\rtl120.bpl
MD5
70bd0aa6735978e576c5ff68cf8644f9

SHA1
a9b9751e0cd3b2d1b32856fe96e51fd83d9a2414

SHA256
1ba0938282b250909ee57790f793ded4d7849bc110d9a3b32a1cba1a333664b1

SHA512
d371d675087e79095fa3303bec76488571309df23d22681326e43abc8a718b346c9b6aa2e8da2f0f0a382843698a1cc5710bbffdd6c4fce0fafc3b6ca474f32e

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\unins000.dat
MD5
c6fde2b62bd99b0fa703fc91272f3bb8

SHA1
c3d18010b9a09f767eb93f0298833a11eb95f055

SHA256
93c9a15aff5cbb4409dd7682e6cebd5103f8f66ce546ba0821c7aa90a87b55e0

SHA512
9a52ced14f1f7f33034c8d21960f80d63b35c6046403e30c715cf66bc063677364fb6b015705b938e549eed903ee3409a7ca32b0ddf5bcff31fe46e38efda423

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\unins000.msg
MD5
61fdcf61f3cb099cf6dda38102a3a959

SHA1
fdae6194ec41e92e4305e9d80c2f898b2b731edc

SHA256
81980fb1e23d9dbe06d0af991e9a443043e6d1f152585be71c97dc0b46666ccd

SHA512
90d7ce0a2f8f615d96cb9c2f63f7d9b5cc8cb3aad86a7dcfc3bb78c8a2a9c01e85cdee58238610723dad811cc1a6f571dccc34d0046c96a5fcea33fbdd375efd

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\vcl120.bpl
MD5
ae87f8ba2f5f2c2bd8b0a462520ecc27

SHA1
c21a290b490386d42a79082523b40e4e4ccc7ff2

SHA256
26972b3354c43cc84b9de68e7efaf6996d2a0c64f820cc3d43f3e3974c60c1b5

SHA512
31884902b6ce523a44101fe7360f59d4045a00aeea0197767693378a1f60207b34469bd539927eda59a674a186c451491d6490af91a27d89afec80688774f2c2

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\vclx120.bpl
MD5
392fd238a3dd633d6aa97afe2aa61cc7

SHA1
fbf3c1cae3abbeb07453bc6bfe3ec4dcf5127d79

SHA256
43c5c02d955af973da36762c903e2f82cd3f0ab887555c5f20905b2ae7a6c93f

SHA512
0c75ead22654be1e58a58ace057d71925fdf646614cb4b3c78ea3387eca04631bc834f818c5041f0fa129667341cc55a17daceb247bd53cfc8117c47559eb3e7

Download Submit
C:\Program Files (x86)\IObit\Malware Fighter\webres.dll
MD5
a96e63bf7e8f561513fe5d7098394d53

SHA1
bea8d765f7821731dae5913fb689e569a7345534

SHA256
98b181eeb8a8281ecbed02c0aca5954848df4960e288207f529f151ec203f681

SHA512
208019c26881737674f260562d7ddfd141bd5146e714d02519f57996ea103f36ac24da35b53683d69316eb33c5e91eb6729bc1dd3b108e00c4cc555ab9fe6837

Download Submit
C:\ProgramData\IObit\IObit Malware Fighter\config.ini
MD5
60a273d317a9834ccca594ac3804a3ff

SHA1
d1fc1a3571b39e99de115c3fe7ac3cfb7ec2c0bc

SHA256
37190809d1823d4ab18dac396c88975a0a703298c9226facda484cb1df8e8544

SHA512
9a1c344e0cdbd487d32f58ea939c2303991379c51879a6348c5357479d219a747c5380e05c96966c05ab8c67a6e2d8bddf52c1eb61bda514cc727a7928cd3e97

Download Submit
C:\ProgramData\IObit\IObit Malware Fighter\init.log
MD5
08fa115f393fa1588e2649ec7893b5b5

SHA1
1c0d65200ab5dd74ca3c277aaaf8bd95fe7a62e9

SHA256
d0ca1ea87357ef0268a112f835910630451235b8cf212a64cd998345a3ca4bd0

SHA512
03d52f1127dc09cc7b4763932983b8c1dd58975dad72e360ac69bb32a038e88494b5f4392e6e7f34ab72f24f80c2a075edd387ffbc0ac3bcbe91b4df191b9a0a

Download Submit
C:\ProgramData\IObit\IObit Malware Fighter\init.log
MD5
c510f8dad3b827b153adcc111969117d

SHA1
b2337fb29c31f253429081fe332ea62928ad31e4

SHA256
f9bbef078f2669e3a75d56385370fc048c41815c8ae37f5c8ad5498da5c74358

SHA512
e1f5ac160385c429cc8d07fefdce5060b8a312574247bcc3c4c3231b9eec01d59c153db38bc7c8273347c1905d478eadbbcbb4488d960034e6b5be7761108003

Download Submit
C:\Users\Admin\AppData\LocalLow\IObit\Advanced SystemCare\Main.ini
MD5
4c4fe13eb8b2c79cbe2e2edda7b60893

SHA1
405c27c4b0f5c0007f8ed4609017f4cc7559f6be

SHA256
ecbd5c2f4f25daf3de3a45cb8e6a93934dcf36d905003de68c8b8752c3ec8242

SHA512
1863935d9a4823d6bfc73aeac3066c5f5ee9175c18afd2ad5d1c8f6b1a8d58cc9fa04633feafdc54f78cfa60ccf470153f210eb96015d6da67262c1606958855

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEMP\packeg.exe
MD5
0ee4284cd9e607f4f4e26cc239dbcd7c

SHA1
299dd0278ff5a6420fec623a9468dcb416c3827e

SHA256
45eb109d238134272156d553fb754fb3dcf6195cfcee68e7313504502c91b224

SHA512
06ac86c865c4710d5ebfca2e9e1cc9c76be432f3be0313f43d1ab29e570846617defacd7500c90858578649d9f6145e7dce25dc536189e4dc17819d0521b8b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEMP\packeg.exe
MD5
0ee4284cd9e607f4f4e26cc239dbcd7c

SHA1
299dd0278ff5a6420fec623a9468dcb416c3827e

SHA256
45eb109d238134272156d553fb754fb3dcf6195cfcee68e7313504502c91b224

SHA512
06ac86c865c4710d5ebfca2e9e1cc9c76be432f3be0313f43d1ab29e570846617defacd7500c90858578649d9f6145e7dce25dc536189e4dc17819d0521b8b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q85TS.tmp\packeg.tmp
MD5
a5dac99a4c7bfa4797d0164eefd76777

SHA1
f24d337e1bc4e9b6f1bcd193459a453d37304a9e

SHA256
6a4865e03ef4dbaf996104b445749ae7216da59757a062838980e97937a6e0c1

SHA512
3f5b8e5ea7968d2fca85eb71403e300a174c3db6c11b9825f4bedd840fc6c400d479f72d38b0987f20a3c61877f3779ae6311a1db6784149ca668f48bb7e484f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q85TS.tmp\packeg.tmp
MD5
a5dac99a4c7bfa4797d0164eefd76777

SHA1
f24d337e1bc4e9b6f1bcd193459a453d37304a9e

SHA256
6a4865e03ef4dbaf996104b445749ae7216da59757a062838980e97937a6e0c1

SHA512
3f5b8e5ea7968d2fca85eb71403e300a174c3db6c11b9825f4bedd840fc6c400d479f72d38b0987f20a3c61877f3779ae6311a1db6784149ca668f48bb7e484f

Download Submit
\??\c:\program files (x86)\iobit\malware fighter\skin\classic.rcc
MD5
34c9ecd5f02326c073c0044d76fc50a3

SHA1
4adcd132c6b338a1033f101ce1bc86e3f4f7a7e6

SHA256
53e0c534c198182c9998c54a2d7390fd9c05e3034353ec6e9a9589a6ce920dcc

SHA512
162cc74c4c0978a242271be201cb459281bac08b1ec9da7bd5538564e9ce000e3d2fbb388e59bb32591b0458e9da9e7d07ed58adcbdb234945a11a9a12267840

Download Submit
\??\c:\program files (x86)\iobit\malware fighter\skin\public.rcc
MD5
887ab4cd0a35b08e638abf3180205bb1

SHA1
fef42df1af2273d4a7c6fafe967cff2244435c79

SHA256
240c6051783d4c70c0e7682871480094841089cfeeb616eaf3320d2f21068402

SHA512
26854d3640293f4207add181dcd91f684dbee7f573d1e179824cafd1b19a83c320902a4bc8d7633ee5233be043e8d9582052ae9c9f740c14d9a4b81a701fcd4c

Download Submit
\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll
MD5
227c11cc424112e9f8de6c6d07e9df9a

SHA1
83d98dcaa2e934bddcf51af7e4ffa9a42ea5d598

SHA256
df5ff7bfd49eaa7c04f8de1c44c7191d45ad44124b17768f4ba6718754344d14

SHA512
16eec225a90893839a93eb08da9d768c81679a14410d44eaa8d2d16567da0e9deebe4185ddbd01f715e540a2d41e812e187691c50484dfe45d1f985b0fd6603a

Download Submit
\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll
MD5
227c11cc424112e9f8de6c6d07e9df9a

SHA1
83d98dcaa2e934bddcf51af7e4ffa9a42ea5d598

SHA256
df5ff7bfd49eaa7c04f8de1c44c7191d45ad44124b17768f4ba6718754344d14

SHA512
16eec225a90893839a93eb08da9d768c81679a14410d44eaa8d2d16567da0e9deebe4185ddbd01f715e540a2d41e812e187691c50484dfe45d1f985b0fd6603a

Download Submit
\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\BrowerProtect\ASCUrlScanner.dll
MD5
0ea040ebeb8bf91166963be085921923

SHA1
933462e1cc1f957e61cc3603bb2225016c564023

SHA256
8837f05989ab0fde46f78fb8e07b3fe64c75a8638a70c616442df059a3f2f391

SHA512
9d7e49563062e931a6f6f5afb0874e864e76ac314724928803f73797ab4831ff36221223c1ca6bd905778194c125ad4bfa83bd1431815a2efce0b554c5ae1cc1

Download Submit
\Program Files (x86)\IObit\Malware Fighter\Surfing Protection\BrowerProtect\ASCUrlScanner.dll
MD5
0ea040ebeb8bf91166963be085921923

SHA1
933462e1cc1f957e61cc3603bb2225016c564023

SHA256
8837f05989ab0fde46f78fb8e07b3fe64c75a8638a70c616442df059a3f2f391

SHA512
9d7e49563062e931a6f6f5afb0874e864e76ac314724928803f73797ab4831ff36221223c1ca6bd905778194c125ad4bfa83bd1431815a2efce0b554c5ae1cc1

Download Submit
\Program Files (x86)\IObit\Malware Fighter\datastate.dll
MD5
7555301cba4259cbab3571714ad69993

SHA1
da4a4450be5e2f658e12e42f561d421554c09ccb

SHA256
9a1431e86eb187a1104ea1f2da44bfad4bad7daf1ea40a6843571a74e0ccf4ab

SHA512
141cb369ee7040fa4de0f749fd2a89b9933cfe164a40af395431ea72d9362bbb4900649b9ddd6c1899b33ec3bb1289d7f3d16f35d12efe59e365c5e2fa0e0ba3

Download Submit
\Program Files (x86)\IObit\Malware Fighter\rtl120.bpl
MD5
70bd0aa6735978e576c5ff68cf8644f9

SHA1
a9b9751e0cd3b2d1b32856fe96e51fd83d9a2414

SHA256
1ba0938282b250909ee57790f793ded4d7849bc110d9a3b32a1cba1a333664b1

SHA512
d371d675087e79095fa3303bec76488571309df23d22681326e43abc8a718b346c9b6aa2e8da2f0f0a382843698a1cc5710bbffdd6c4fce0fafc3b6ca474f32e

Download Submit
\Program Files (x86)\IObit\Malware Fighter\rtl120.bpl
MD5
70bd0aa6735978e576c5ff68cf8644f9

SHA1
a9b9751e0cd3b2d1b32856fe96e51fd83d9a2414

SHA256
1ba0938282b250909ee57790f793ded4d7849bc110d9a3b32a1cba1a333664b1

SHA512
d371d675087e79095fa3303bec76488571309df23d22681326e43abc8a718b346c9b6aa2e8da2f0f0a382843698a1cc5710bbffdd6c4fce0fafc3b6ca474f32e

Download Submit
\Program Files (x86)\IObit\Malware Fighter\vcl120.bpl
MD5
ae87f8ba2f5f2c2bd8b0a462520ecc27

SHA1
c21a290b490386d42a79082523b40e4e4ccc7ff2

SHA256
26972b3354c43cc84b9de68e7efaf6996d2a0c64f820cc3d43f3e3974c60c1b5

SHA512
31884902b6ce523a44101fe7360f59d4045a00aeea0197767693378a1f60207b34469bd539927eda59a674a186c451491d6490af91a27d89afec80688774f2c2

Download Submit
\Program Files (x86)\IObit\Malware Fighter\vcl120.bpl
MD5
ae87f8ba2f5f2c2bd8b0a462520ecc27

SHA1
c21a290b490386d42a79082523b40e4e4ccc7ff2

SHA256
26972b3354c43cc84b9de68e7efaf6996d2a0c64f820cc3d43f3e3974c60c1b5

SHA512
31884902b6ce523a44101fe7360f59d4045a00aeea0197767693378a1f60207b34469bd539927eda59a674a186c451491d6490af91a27d89afec80688774f2c2

Download Submit
\Program Files (x86)\IObit\Malware Fighter\vclx120.bpl
MD5
392fd238a3dd633d6aa97afe2aa61cc7

SHA1
fbf3c1cae3abbeb07453bc6bfe3ec4dcf5127d79

SHA256
43c5c02d955af973da36762c903e2f82cd3f0ab887555c5f20905b2ae7a6c93f

SHA512
0c75ead22654be1e58a58ace057d71925fdf646614cb4b3c78ea3387eca04631bc834f818c5041f0fa129667341cc55a17daceb247bd53cfc8117c47559eb3e7

Download Submit
\Program Files (x86)\IObit\Malware Fighter\webres.dll
MD5
a96e63bf7e8f561513fe5d7098394d53

SHA1
bea8d765f7821731dae5913fb689e569a7345534

SHA256
98b181eeb8a8281ecbed02c0aca5954848df4960e288207f529f151ec203f681

SHA512
208019c26881737674f260562d7ddfd141bd5146e714d02519f57996ea103f36ac24da35b53683d69316eb33c5e91eb6729bc1dd3b108e00c4cc555ab9fe6837

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3521.tmp\Aero.dll
MD5
5155e506b908b41e113bbd7c10d4082f

SHA1
0e0d2d3a6c76c08d434ac7359eb9927f82ac6065

SHA256
9bbbdd180dac3cf4ce36cbc12bd862cdd00880d87027395f92ede5476d1f0dd0

SHA512
a43f04fffb05458a307054caaa45ba81c383b0265d7af798996806ecb07b72bb5350df7bf4d6d7b21a30c82f4308343845bb32cc8e0ad0cd36e352499ca7ccb1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3521.tmp\BrandingURL.dll
MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3521.tmp\LangDLL.dll
MD5
d6d8addfea0ee1bba9b841e3bec0b5cd

SHA1
a36ba78140600a7b1a502bea25c50c76666f5d3f

SHA256
ccb76172c2565356a838d7867a51e021478fed4d83eb41fe1dbb703f8efa28f9

SHA512
3f85eb0baca0794adbc7460af8b3b21d5b0b9d250eeba842f8524ea9736877aaabd5f51035bee8836ad46bf1d01e416119ca7f296bae32bacdad44622c1715ec

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3521.tmp\System.dll
MD5
f4e3fa5c852d2bdc41756e58124b21d3

SHA1
a49ec55e50d25efa45ce93366fb64c4fbb1d8261

SHA256
e457505b7648838185fd971e19daf6fd626824d7935a2701342df7099315e62c

SHA512
3ccbd9bf27d7927fdf34aecf672d78cb85d00b2b53da631f60683e46d85eda73021d2ae2c7c3d533424b1f8d174093d2186e1bd821fe02312fc142048b75d243

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3521.tmp\System.dll
MD5
f4e3fa5c852d2bdc41756e58124b21d3

SHA1
a49ec55e50d25efa45ce93366fb64c4fbb1d8261

SHA256
e457505b7648838185fd971e19daf6fd626824d7935a2701342df7099315e62c

SHA512
3ccbd9bf27d7927fdf34aecf672d78cb85d00b2b53da631f60683e46d85eda73021d2ae2c7c3d533424b1f8d174093d2186e1bd821fe02312fc142048b75d243

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3521.tmp\nsDialogs.dll
MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3521.tmp\nsDialogs.dll
MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
memory/216-341-0x0000000000000000-mapping.dmp

Download
memory/216-340-0x0000000000000000-mapping.dmp

Download
memory/428-307-0x0000000000000000-mapping.dmp

Download
memory/1004-339-0x0000000000000000-mapping.dmp

Download
memory/1084-139-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1084-137-0x0000000000000000-mapping.dmp

Download
memory/1116-289-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1116-278-0x0000000000000000-mapping.dmp

Download
memory/1676-296-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1676-293-0x0000000000000000-mapping.dmp

Download
memory/1764-240-0x0000000000000000-mapping.dmp

Download
memory/1872-343-0x0000000000000000-mapping.dmp

Download
memory/2156-305-0x0000000000000000-mapping.dmp

Download
memory/2156-308-0x0000000000780000-0x000000000082E000-memory.dmp

Filesize
696KB

Download
memory/2176-248-0x0000000000000000-mapping.dmp

Download
memory/2196-175-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2196-169-0x0000000000000000-mapping.dmp

Download
memory/2232-348-0x0000000000000000-mapping.dmp

Download
memory/2256-279-0x0000000000000000-mapping.dmp

Download
memory/2256-290-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2268-281-0x0000000000000000-mapping.dmp

Download
memory/2268-178-0x0000000000000000-mapping.dmp

Download
memory/2268-186-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2312-244-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2312-241-0x0000000000000000-mapping.dmp

Download
memory/2328-247-0x0000000000000000-mapping.dmp

Download
memory/2404-326-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2404-323-0x0000000000000000-mapping.dmp

Download
memory/2404-330-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2404-328-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/2404-327-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/2420-277-0x00000000007C0000-0x000000000086E000-memory.dmp

Filesize
696KB

Download
memory/2420-275-0x0000000000000000-mapping.dmp

Download
memory/2492-142-0x0000000000000000-mapping.dmp

Download
memory/2492-168-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2584-144-0x0000000000000000-mapping.dmp

Download
memory/2584-161-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2596-303-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/2596-294-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2596-298-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/2596-299-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/2596-304-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/2596-301-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/2596-300-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/2596-297-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/2596-285-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2596-287-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2596-284-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/2596-286-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2596-288-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/2600-261-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/2600-243-0x0000000004BF0000-0x0000000004C6F000-memory.dmp

Filesize
508KB

Download
memory/2600-242-0x0000000000000000-mapping.dmp

Download
memory/2752-280-0x0000000000000000-mapping.dmp

Download
memory/2780-338-0x0000000000000000-mapping.dmp

Download
memory/2780-347-0x0000000000000000-mapping.dmp

Download
memory/2784-282-0x0000000000000000-mapping.dmp

Download
memory/2784-245-0x0000000000000000-mapping.dmp

Download
memory/2784-291-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2948-351-0x0000000000000000-mapping.dmp

Download
memory/3044-350-0x0000000000000000-mapping.dmp

Download
memory/3044-342-0x0000000000000000-mapping.dmp

Download
memory/3092-344-0x0000000000000000-mapping.dmp

Download
memory/3112-321-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/3112-324-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/3112-329-0x000000000C950000-0x000000000C951000-memory.dmp

Filesize
4KB

Download
memory/3112-325-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/3112-322-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/3112-306-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/3112-318-0x000000000A7E0000-0x000000000A7E1000-memory.dmp

Filesize
4KB

Download
memory/3112-315-0x000000000A520000-0x000000000A521000-memory.dmp

Filesize
4KB

Download
memory/3112-316-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/3156-309-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/3156-131-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/3156-331-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/3156-332-0x0000000007B10000-0x0000000007B11000-memory.dmp

Filesize
4KB

Download
memory/3156-333-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/3156-334-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/3156-335-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/3156-127-0x0000000000000000-mapping.dmp

Download
memory/3296-292-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3296-295-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/3296-283-0x0000000000000000-mapping.dmp

Download
memory/3392-253-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-252-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-266-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-267-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-268-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-263-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-269-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-271-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-270-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-272-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-264-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3392-274-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-273-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-265-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-276-0x0000000003E10000-0x0000000003E11000-memory.dmp

Filesize
4KB

Download
memory/3392-173-0x0000000000000000-mapping.dmp

Download
memory/3392-176-0x00000000007C0000-0x000000000086E000-memory.dmp

Filesize
696KB

Download
memory/3392-262-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-246-0x0000000000000000-mapping.dmp

Download
memory/3392-249-0x0000000003ED0000-0x0000000003FD6000-memory.dmp

Filesize
1.0MB

Download
memory/3392-260-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-259-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-258-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-257-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-256-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-255-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-254-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-250-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3392-251-0x0000000003ED1000-0x0000000003F97000-memory.dmp

Filesize
792KB

Download
memory/3408-320-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/3408-228-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-196-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-197-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-198-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-195-0x0000000002E00000-0x0000000002E7F000-memory.dmp

Filesize
508KB

Download
memory/3408-200-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-205-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-206-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-201-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-185-0x0000000000000000-mapping.dmp

Download
memory/3408-207-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-208-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-202-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-203-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-212-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-209-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-239-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/3408-238-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-236-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-317-0x0000000000000000-mapping.dmp

Download
memory/3408-237-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-204-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-319-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3408-235-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-234-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-222-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-233-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-232-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-223-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-224-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-213-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-231-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-229-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-230-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-191-0x00000000042A0000-0x0000000004404000-memory.dmp

Filesize
1.4MB

Download
memory/3408-227-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-226-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-225-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-210-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3408-211-0x00000000042A1000-0x00000000043AF000-memory.dmp

Filesize
1.1MB

Download
memory/3464-349-0x0000000000000000-mapping.dmp

Download
memory/3464-132-0x0000000000000000-mapping.dmp

Download
memory/3464-346-0x0000000000000000-mapping.dmp

Download
memory/3920-126-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3920-123-0x0000000000000000-mapping.dmp

Download
memory/3928-133-0x0000000000000000-mapping.dmp

Download
memory/3928-136-0x00000000007C0000-0x000000000086E000-memory.dmp

Filesize
696KB

Download
memory/3980-158-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3980-140-0x0000000000000000-mapping.dmp

Download
memory/4044-345-0x0000000000000000-mapping.dmp

Download
memory/4044-119-0x0000000002331000-0x0000000002333000-memory.dmp

Filesize
8KB

Download
memory/4044-337-0x0000000000000000-mapping.dmp

Download
memory/4044-122-0x0000000002341000-0x0000000002343000-memory.dmp

Filesize
8KB

Download
memory/4112-352-0x0000000000000000-mapping.dmp

Download
memory/4144-353-0x0000000000000000-mapping.dmp

Download
memory/4168-354-0x0000000000000000-mapping.dmp

Download
memory/4192-355-0x0000000000000000-mapping.dmp

Download
memory/4216-356-0x0000000000000000-mapping.dmp

Download
memory/4252-357-0x0000000000000000-mapping.dmp

Download
memory/4276-358-0x0000000000000000-mapping.dmp

Download
memory/4300-359-0x0000000000000000-mapping.dmp

Download
memory/4328-360-0x0000000000000000-mapping.dmp

Download
memory/4352-361-0x0000000000000000-mapping.dmp

Download
memory/4376-362-0x0000000000000000-mapping.dmp

Download
memory/4400-363-0x0000000000000000-mapping.dmp

Download
memory/4424-364-0x0000000000000000-mapping.dmp

Download
memory/4456-365-0x0000000000000000-mapping.dmp

Download
memory/4464-366-0x0000000000000000-mapping.dmp

Download
memory/4512-367-0x0000000000000000-mapping.dmp

Download
memory/4540-368-0x0000000000000000-mapping.dmp

Download
memory/4564-369-0x0000000000000000-mapping.dmp

Download