8050946d45275d1d9a207b61e1e7c69f906193fe120b111497bb15960f9ca379

Analysis

max time kernel
153s
max time network
145s
platform
windows7_x64
resource
win7-en
submitted
10-09-2021 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fri192b9eeaa03b.exe
Size

739KB
MD5

b160ce13f27f1e016b7bfc7a015f686b
SHA1

bfb714891d12ffd43875e72908d8b9f4f576ad6e
SHA256

fac205247d3b19b5f82f5f4d1269a5c047b6c9ad9f21cc51b4b782c2b08a3b87
SHA512

9578fc34807be2541aa7dc26acbe27211e96b42c6c4208afe195b19b08264dfeb3ea7fec637c759f062cbd5561c5140ecd68cd5c79efbb844d3b2639e336ca0c

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2416 2172 rundll32.exe
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2172	rundll32.exe

Blocklisted process makes network request 64 IoCs

Processes:

MsiExec.exe

flow	pid	process
80	1976	MsiExec.exe
82	1976	MsiExec.exe
83	1976	MsiExec.exe
85	1976	MsiExec.exe
87	1976	MsiExec.exe
89	1976	MsiExec.exe
91	1976	MsiExec.exe
92	1976	MsiExec.exe
93	1976	MsiExec.exe
94	1976	MsiExec.exe
95	1976	MsiExec.exe
96	1976	MsiExec.exe
97	1976	MsiExec.exe
98	1976	MsiExec.exe
99	1976	MsiExec.exe
100	1976	MsiExec.exe
101	1976	MsiExec.exe
102	1976	MsiExec.exe
103	1976	MsiExec.exe
104	1976	MsiExec.exe
105	1976	MsiExec.exe
106	1976	MsiExec.exe
107	1976	MsiExec.exe
108	1976	MsiExec.exe
109	1976	MsiExec.exe
110	1976	MsiExec.exe
111	1976	MsiExec.exe
112	1976	MsiExec.exe
113	1976	MsiExec.exe
114	1976	MsiExec.exe
115	1976	MsiExec.exe
116	1976	MsiExec.exe
117	1976	MsiExec.exe
118	1976	MsiExec.exe
119	1976	MsiExec.exe
120	1976	MsiExec.exe
121	1976	MsiExec.exe
122	1976	MsiExec.exe
123	1976	MsiExec.exe
124	1976	MsiExec.exe
125	1976	MsiExec.exe
126	1976	MsiExec.exe
127	1976	MsiExec.exe
128	1976	MsiExec.exe
129	1976	MsiExec.exe
130	1976	MsiExec.exe
131	1976	MsiExec.exe
132	1976	MsiExec.exe
133	1976	MsiExec.exe
134	1976	MsiExec.exe
135	1976	MsiExec.exe
136	1976	MsiExec.exe
137	1976	MsiExec.exe
138	1976	MsiExec.exe
140	1976	MsiExec.exe
143	1976	MsiExec.exe
144	1976	MsiExec.exe
145	1976	MsiExec.exe
146	1976	MsiExec.exe
147	1976	MsiExec.exe
148	1976	MsiExec.exe
149	1976	MsiExec.exe
150	1976	MsiExec.exe
151	1976	MsiExec.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

46807GHF____.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 46807GHF____.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	46807GHF____.exe

Executes dropped EXE 11 IoCs

Processes:

Fri192b9eeaa03b.tmp46807GHF____.exeultramediaburner.exeultramediaburner.tmpDaefomagaehy.exeKyzhawituzhe.exeUltraMediaBurner.exeGcleanerEU.exeinstaller.exeanyname.exegcleaner.exe

pid	process
1504	Fri192b9eeaa03b.tmp
472	46807GHF____.exe
2044	ultramediaburner.exe
1564	ultramediaburner.tmp
1440	Daefomagaehy.exe
1808	Kyzhawituzhe.exe
1972	UltraMediaBurner.exe
2604	GcleanerEU.exe
2708	installer.exe
2840	anyname.exe
2248	gcleaner.exe

Loads dropped DLL 41 IoCs

Processes:

Fri192b9eeaa03b.exeFri192b9eeaa03b.tmpultramediaburner.exeultramediaburner.tmpinstaller.exeMsiExec.exerundll32.exeMsiExec.exeMsiExec.exe

pid	process
1136	Fri192b9eeaa03b.exe
1504	Fri192b9eeaa03b.tmp
1504	Fri192b9eeaa03b.tmp
1504	Fri192b9eeaa03b.tmp
1504	Fri192b9eeaa03b.tmp
2044	ultramediaburner.exe
1564	ultramediaburner.tmp
1564	ultramediaburner.tmp
1564	ultramediaburner.tmp
1564	ultramediaburner.tmp
1564	ultramediaburner.tmp
1564	ultramediaburner.tmp
2708	installer.exe
2708	installer.exe
2708	installer.exe
2264	MsiExec.exe
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
2264	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
2708	installer.exe
1976	MsiExec.exe
1976	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
1976	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

46807GHF____.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Mucywyzhele.exe\""	46807GHF____.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeinstaller.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\K:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 15 IoCs

Processes:

ultramediaburner.tmpmsiexec.exe46807GHF____.exe

description	ioc	process
File created	C:\Program Files (x86)\UltraMediaBurner\is-MKHKH.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files\Common Files\QOYJTHICXJ\ultramediaburner.exe	46807GHF____.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Mucywyzhele.exe	46807GHF____.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Mucywyzhele.exe.config	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files\Common Files\QOYJTHICXJ\ultramediaburner.exe.config	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-UNMPA.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp

Drops file in Windows directory 30 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f751861.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1ECA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI242A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A16.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BF9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3E2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI22F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI389D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3ACF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3CD4.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f751861.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F18.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f751863.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2572.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI332D.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f751865.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BCC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI216A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BEC.tmp	msiexec.exe
File created	C:\Windows\Installer\f751863.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI336D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D42.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3056 taskkill.exe
2344 taskkill.exe
1944 taskkill.exe

pid	process
3056	taskkill.exe
2344	taskkill.exe
1944	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2F1D271-127D-11EC-A6DF-6E1358798E24} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca0000000002000000000010660000000100002000000080168d5611c0c16cc23b5cfd8106c2c6c1aaa11b0f7c7b66784544a2e62c756d000000000e800000000200002000000051f49e028647b24ae37d78f33bd13f0d3069bdca9426879fdb6a6118c668c6e690000000f0302013a666bdff090cf0aad4fdb77400cc0f50ac43c35f68dcc4564619b3598365652a91046ec725cf4d250fddd28527a2fcf6e542ede209bdb37bc65fecb202a0a7577d2cc6eb864642a94f59cf37a4acac8a657a1681dabef318ac0f99a9e1d92bf74670d465a5f55e2d19c5d0c41180b57507d96a991ea426f711eb42b1a7cc2e027d46c9d71c6ee85dfdb669ab4000000003ba25e245ccaa8b0e12c7a3a9375a9b430ab24c49d30f7b3ea77c234081a344ce2690cb6f19238ee6c3e3d45e60c0b19a2bd85156f0952ab546a13ec05ba375	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338074142"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902c33978aa6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca000000000200000000001066000000010000200000005280f5409f5ff7f3c8ebf2fa399859aabe80cfa152f1aae102d8ac8801f77ec4000000000e8000000002000020000000161c352c999cbbb77e16ac208de8d5d3f2b7191d0f1a9e6ee6a58e0fe1ded58320000000a4b5b39ff0497a3f0f6134c8fe265cbc8935920425a2af15943f9ab64b909e144000000050c8d77ec5270d1a42f49fd3658a9629d53225c04d406d447cb3402f8675b439c85e6e2076179a0768a75259b8cbb7defdfdca950513b96cb725445d712240fa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

installer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	installer.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 64 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

Processes:

GcleanerEU.exeinstaller.exeanyname.exegcleaner.exe

pid process

2604 GcleanerEU.exe
2708 installer.exe
2840 anyname.exe
2248 gcleaner.exe

description	flow	ioc
HTTP User-Agent header	64	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2604	GcleanerEU.exe
2708	installer.exe
2840	anyname.exe
2248	gcleaner.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ultramediaburner.tmpKyzhawituzhe.exe

pid	process
1564	ultramediaburner.tmp
1564	ultramediaburner.tmp
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe
1808	Kyzhawituzhe.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Kyzhawituzhe.exemsiexec.exeinstaller.exe

description	pid	process
Token: SeDebugPrivilege	1808	Kyzhawituzhe.exe
Token: SeRestorePrivilege	3064	msiexec.exe
Token: SeTakeOwnershipPrivilege	3064	msiexec.exe
Token: SeSecurityPrivilege	3064	msiexec.exe
Token: SeCreateTokenPrivilege	2708	installer.exe
Token: SeAssignPrimaryTokenPrivilege	2708	installer.exe
Token: SeLockMemoryPrivilege	2708	installer.exe
Token: SeIncreaseQuotaPrivilege	2708	installer.exe
Token: SeMachineAccountPrivilege	2708	installer.exe
Token: SeTcbPrivilege	2708	installer.exe
Token: SeSecurityPrivilege	2708	installer.exe
Token: SeTakeOwnershipPrivilege	2708	installer.exe
Token: SeLoadDriverPrivilege	2708	installer.exe
Token: SeSystemProfilePrivilege	2708	installer.exe
Token: SeSystemtimePrivilege	2708	installer.exe
Token: SeProfSingleProcessPrivilege	2708	installer.exe
Token: SeIncBasePriorityPrivilege	2708	installer.exe
Token: SeCreatePagefilePrivilege	2708	installer.exe
Token: SeCreatePermanentPrivilege	2708	installer.exe
Token: SeBackupPrivilege	2708	installer.exe
Token: SeRestorePrivilege	2708	installer.exe
Token: SeShutdownPrivilege	2708	installer.exe
Token: SeDebugPrivilege	2708	installer.exe
Token: SeAuditPrivilege	2708	installer.exe
Token: SeSystemEnvironmentPrivilege	2708	installer.exe
Token: SeChangeNotifyPrivilege	2708	installer.exe
Token: SeRemoteShutdownPrivilege	2708	installer.exe
Token: SeUndockPrivilege	2708	installer.exe
Token: SeSyncAgentPrivilege	2708	installer.exe
Token: SeEnableDelegationPrivilege	2708	installer.exe
Token: SeManageVolumePrivilege	2708	installer.exe
Token: SeImpersonatePrivilege	2708	installer.exe
Token: SeCreateGlobalPrivilege	2708	installer.exe
Token: SeCreateTokenPrivilege	2708	installer.exe
Token: SeAssignPrimaryTokenPrivilege	2708	installer.exe
Token: SeLockMemoryPrivilege	2708	installer.exe
Token: SeIncreaseQuotaPrivilege	2708	installer.exe
Token: SeMachineAccountPrivilege	2708	installer.exe
Token: SeTcbPrivilege	2708	installer.exe
Token: SeSecurityPrivilege	2708	installer.exe
Token: SeTakeOwnershipPrivilege	2708	installer.exe
Token: SeLoadDriverPrivilege	2708	installer.exe
Token: SeSystemProfilePrivilege	2708	installer.exe
Token: SeSystemtimePrivilege	2708	installer.exe
Token: SeProfSingleProcessPrivilege	2708	installer.exe
Token: SeIncBasePriorityPrivilege	2708	installer.exe
Token: SeCreatePagefilePrivilege	2708	installer.exe
Token: SeCreatePermanentPrivilege	2708	installer.exe
Token: SeBackupPrivilege	2708	installer.exe
Token: SeRestorePrivilege	2708	installer.exe
Token: SeShutdownPrivilege	2708	installer.exe
Token: SeDebugPrivilege	2708	installer.exe
Token: SeAuditPrivilege	2708	installer.exe
Token: SeSystemEnvironmentPrivilege	2708	installer.exe
Token: SeChangeNotifyPrivilege	2708	installer.exe
Token: SeRemoteShutdownPrivilege	2708	installer.exe
Token: SeUndockPrivilege	2708	installer.exe
Token: SeSyncAgentPrivilege	2708	installer.exe
Token: SeEnableDelegationPrivilege	2708	installer.exe
Token: SeManageVolumePrivilege	2708	installer.exe
Token: SeImpersonatePrivilege	2708	installer.exe
Token: SeCreateGlobalPrivilege	2708	installer.exe
Token: SeCreateTokenPrivilege	2708	installer.exe
Token: SeAssignPrimaryTokenPrivilege	2708	installer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

ultramediaburner.tmpiexplore.exeinstaller.exe

pid process

1564 ultramediaburner.tmp
1696 iexplore.exe
2708 installer.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1696 iexplore.exe
1696 iexplore.exe
1084 IEXPLORE.EXE
1084 IEXPLORE.EXE
1084 IEXPLORE.EXE
1084 IEXPLORE.EXE

pid	process
1696	iexplore.exe
1696	iexplore.exe
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE
1084	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Fri192b9eeaa03b.exeFri192b9eeaa03b.tmp46807GHF____.exeultramediaburner.exeultramediaburner.tmpDaefomagaehy.exeiexplore.exeKyzhawituzhe.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1136 wrote to memory of 1504	1136	Fri192b9eeaa03b.exe	Fri192b9eeaa03b.tmp
PID 1136 wrote to memory of 1504	1136	Fri192b9eeaa03b.exe	Fri192b9eeaa03b.tmp
PID 1136 wrote to memory of 1504	1136	Fri192b9eeaa03b.exe	Fri192b9eeaa03b.tmp
PID 1136 wrote to memory of 1504	1136	Fri192b9eeaa03b.exe	Fri192b9eeaa03b.tmp
PID 1136 wrote to memory of 1504	1136	Fri192b9eeaa03b.exe	Fri192b9eeaa03b.tmp
PID 1136 wrote to memory of 1504	1136	Fri192b9eeaa03b.exe	Fri192b9eeaa03b.tmp
PID 1136 wrote to memory of 1504	1136	Fri192b9eeaa03b.exe	Fri192b9eeaa03b.tmp
PID 1504 wrote to memory of 472	1504	Fri192b9eeaa03b.tmp	46807GHF____.exe
PID 1504 wrote to memory of 472	1504	Fri192b9eeaa03b.tmp	46807GHF____.exe
PID 1504 wrote to memory of 472	1504	Fri192b9eeaa03b.tmp	46807GHF____.exe
PID 1504 wrote to memory of 472	1504	Fri192b9eeaa03b.tmp	46807GHF____.exe
PID 472 wrote to memory of 2044	472	46807GHF____.exe	ultramediaburner.exe
PID 472 wrote to memory of 2044	472	46807GHF____.exe	ultramediaburner.exe
PID 472 wrote to memory of 2044	472	46807GHF____.exe	ultramediaburner.exe
PID 472 wrote to memory of 2044	472	46807GHF____.exe	ultramediaburner.exe
PID 472 wrote to memory of 2044	472	46807GHF____.exe	ultramediaburner.exe
PID 472 wrote to memory of 2044	472	46807GHF____.exe	ultramediaburner.exe
PID 472 wrote to memory of 2044	472	46807GHF____.exe	ultramediaburner.exe
PID 2044 wrote to memory of 1564	2044	ultramediaburner.exe	ultramediaburner.tmp
PID 2044 wrote to memory of 1564	2044	ultramediaburner.exe	ultramediaburner.tmp
PID 2044 wrote to memory of 1564	2044	ultramediaburner.exe	ultramediaburner.tmp
PID 2044 wrote to memory of 1564	2044	ultramediaburner.exe	ultramediaburner.tmp
PID 2044 wrote to memory of 1564	2044	ultramediaburner.exe	ultramediaburner.tmp
PID 2044 wrote to memory of 1564	2044	ultramediaburner.exe	ultramediaburner.tmp
PID 2044 wrote to memory of 1564	2044	ultramediaburner.exe	ultramediaburner.tmp
PID 472 wrote to memory of 1440	472	46807GHF____.exe	Daefomagaehy.exe
PID 472 wrote to memory of 1440	472	46807GHF____.exe	Daefomagaehy.exe
PID 472 wrote to memory of 1440	472	46807GHF____.exe	Daefomagaehy.exe
PID 472 wrote to memory of 1808	472	46807GHF____.exe	Kyzhawituzhe.exe
PID 472 wrote to memory of 1808	472	46807GHF____.exe	Kyzhawituzhe.exe
PID 472 wrote to memory of 1808	472	46807GHF____.exe	Kyzhawituzhe.exe
PID 1564 wrote to memory of 1972	1564	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1564 wrote to memory of 1972	1564	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1564 wrote to memory of 1972	1564	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1564 wrote to memory of 1972	1564	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1440 wrote to memory of 1696	1440	Daefomagaehy.exe	iexplore.exe
PID 1440 wrote to memory of 1696	1440	Daefomagaehy.exe	iexplore.exe
PID 1440 wrote to memory of 1696	1440	Daefomagaehy.exe	iexplore.exe
PID 1696 wrote to memory of 1084	1696	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 1084	1696	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 1084	1696	iexplore.exe	IEXPLORE.EXE
PID 1696 wrote to memory of 1084	1696	iexplore.exe	IEXPLORE.EXE
PID 1808 wrote to memory of 2536	1808	Kyzhawituzhe.exe	cmd.exe
PID 1808 wrote to memory of 2536	1808	Kyzhawituzhe.exe	cmd.exe
PID 1808 wrote to memory of 2536	1808	Kyzhawituzhe.exe	cmd.exe
PID 2536 wrote to memory of 2604	2536	cmd.exe	GcleanerEU.exe
PID 2536 wrote to memory of 2604	2536	cmd.exe	GcleanerEU.exe
PID 2536 wrote to memory of 2604	2536	cmd.exe	GcleanerEU.exe
PID 2536 wrote to memory of 2604	2536	cmd.exe	GcleanerEU.exe
PID 1808 wrote to memory of 2652	1808	Kyzhawituzhe.exe	cmd.exe
PID 1808 wrote to memory of 2652	1808	Kyzhawituzhe.exe	cmd.exe
PID 1808 wrote to memory of 2652	1808	Kyzhawituzhe.exe	cmd.exe
PID 2652 wrote to memory of 2708	2652	cmd.exe	installer.exe
PID 2652 wrote to memory of 2708	2652	cmd.exe	installer.exe
PID 2652 wrote to memory of 2708	2652	cmd.exe	installer.exe
PID 2652 wrote to memory of 2708	2652	cmd.exe	installer.exe
PID 2652 wrote to memory of 2708	2652	cmd.exe	installer.exe
PID 2652 wrote to memory of 2708	2652	cmd.exe	installer.exe
PID 2652 wrote to memory of 2708	2652	cmd.exe	installer.exe
PID 1808 wrote to memory of 2788	1808	Kyzhawituzhe.exe	cmd.exe
PID 1808 wrote to memory of 2788	1808	Kyzhawituzhe.exe	cmd.exe
PID 1808 wrote to memory of 2788	1808	Kyzhawituzhe.exe	cmd.exe
PID 2788 wrote to memory of 2840	2788	cmd.exe	anyname.exe
PID 2788 wrote to memory of 2840	2788	cmd.exe	anyname.exe

C:\Users\Admin\AppData\Local\Temp\Fri192b9eeaa03b.exe
"C:\Users\Admin\AppData\Local\Temp\Fri192b9eeaa03b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\is-57T30.tmp\Fri192b9eeaa03b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-57T30.tmp\Fri192b9eeaa03b.tmp" /SL5="$30104,506086,422400,C:\Users\Admin\AppData\Local\Temp\Fri192b9eeaa03b.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\is-HO6M6.tmp\46807GHF____.exe
"C:\Users\Admin\AppData\Local\Temp\is-HO6M6.tmp\46807GHF____.exe" /S /UID=burnerch2
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:472

C:\Program Files\Common Files\QOYJTHICXJ\ultramediaburner.exe
"C:\Program Files\Common Files\QOYJTHICXJ\ultramediaburner.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\is-NDEI4.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NDEI4.tmp\ultramediaburner.tmp" /SL5="$50130,281924,62464,C:\Program Files\Common Files\QOYJTHICXJ\ultramediaburner.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1564

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
PID:1972

C:\Users\Admin\AppData\Local\Temp\d8-61773-09d-4c998-6c828c38ccea4\Daefomagaehy.exe
"C:\Users\Admin\AppData\Local\Temp\d8-61773-09d-4c998-6c828c38ccea4\Daefomagaehy.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Users\Admin\AppData\Local\Temp\df-569fe-ee8-55792-ff4e859100557\Kyzhawituzhe.exe
"C:\Users\Admin\AppData\Local\Temp\df-569fe-ee8-55792-ff4e859100557\Kyzhawituzhe.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eufemrst.q1j\GcleanerEU.exe /eufive & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\eufemrst.q1j\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\eufemrst.q1j\GcleanerEU.exe /eufive
6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\eufemrst.q1j\GcleanerEU.exe" & exit
7⤵
PID:2056

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "GcleanerEU.exe" /f
8⤵
- Kills process with taskkill
PID:2344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sjur5uvc.fqj\installer.exe /qn CAMPAIGN="654" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\sjur5uvc.fqj\installer.exe
C:\Users\Admin\AppData\Local\Temp\sjur5uvc.fqj\installer.exe /qn CAMPAIGN="654"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2708

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\sjur5uvc.fqj\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\sjur5uvc.fqj\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631049875 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
7⤵
PID:2772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xg3t5skf.zn3\anyname.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Local\Temp\xg3t5skf.zn3\anyname.exe
C:\Users\Admin\AppData\Local\Temp\xg3t5skf.zn3\anyname.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\craqonpl.2ld\gcleaner.exe /mixfive & exit
5⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\craqonpl.2ld\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\craqonpl.2ld\gcleaner.exe /mixfive
6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\craqonpl.2ld\gcleaner.exe" & exit
7⤵
PID:2272

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
8⤵
- Kills process with taskkill
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bdvd5egp.vuh\autosubplayer.exe /S & exit
5⤵
PID:2292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0C15FD924FCF34327031BDFA73847B2 C
2⤵
- Loads dropped DLL
PID:2264

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ADCE7DC7A37632716E8152A491334D8E
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1976

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:3056

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D136E95749A7F83C8527C0BA41C88C87 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:2460

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2416

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Software Discovery

T1518

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files\Common Files\QOYJTHICXJ\ultramediaburner.exe
MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Program Files\Common Files\QOYJTHICXJ\ultramediaburner.exe
MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
b5fc25ed1239dbca9bfe1413c82b377d

SHA1
fa361caabdc4ce688d0f4d6a299e17fca0f2060f

SHA256
bea5e4aa4012586a23a7d0799bbfaa31a62eb4d4b10b2e54a63e7eea9abcdb2b

SHA512
4a3d9c667d8b124e795f800b2bdf0df225a2d2fa8a26ed1e4732ab138a5b10d53394dc8f5820ab24cd53934f38a1f5a19fe17d2ee545c064dccac8aa25fc740c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
1fd54d652657449d6b99abf10ee7122a

SHA1
d956dcb76b99998a2eac61088776af637529f288

SHA256
5dc1cd901a3064ad7935c5439125b7a150eff655bc403bbc0782e672a4e4f58f

SHA512
20102414abcc9f731878f4f5d0be6a3b241cbb52e6a3b6a3c9ee6dfae8aba317310337c224edce36a3a010e6c0e684597f8f110ebf8f93a1919fb4d11729137e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
893ca85bebab85bfe854afba48f0342d

SHA1
c3b35f09ea5a7346dffd4d99bab613fe50e18d29

SHA256
90d1bbcbf2d0fe28b741a29f5a7c518dd6dbd2919fbb83dce4a3ba617b3f8bcd

SHA512
88f186557aa213f49506d16e5381365dabdfce6fbf8265dbd0e1cd15ae68a75375334c4d648cbec011533d0960704daca8e8a236fb12e87c9c2a68785eff0601

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
b27f388f0d9cf214b031951b974cf082

SHA1
2556c63a1c72ebbff35710cab4285856528ea9b1

SHA256
a4dbc06b2f4f504a4595a333fcf798fc851bb33595d05a125ef12b5cb9fb97d0

SHA512
5cfdc59bcda2343c638f08d284735304cdd1df7ea8f5cc08b652f9ce3386bf62b874686a356e82ae29e8c52355147c57f09853b548b39e04c6d68f38ac4e26c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
b27f388f0d9cf214b031951b974cf082

SHA1
2556c63a1c72ebbff35710cab4285856528ea9b1

SHA256
a4dbc06b2f4f504a4595a333fcf798fc851bb33595d05a125ef12b5cb9fb97d0

SHA512
5cfdc59bcda2343c638f08d284735304cdd1df7ea8f5cc08b652f9ce3386bf62b874686a356e82ae29e8c52355147c57f09853b548b39e04c6d68f38ac4e26c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
5417e7f1f4f6e144396b8c65992f02cf

SHA1
442b34c9690704ba4c8d2764847bd43cd406555c

SHA256
5b364176a41b7d3ef58f92a14399a7aa97dec1a15c52392b0b5fd97d1d542d3b

SHA512
a479840823f97839ce3aef303735dafdb46b0cec46951823a94226473c8d4de0a398a0d0f443455027610dbf9219abde0be161c2475bfc33fc7de355084661eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
f5dd10e1b22d88799e1a803a569607a5

SHA1
e8977083e6a3f06caded9ab458f61db08edadb14

SHA256
25b031c3212450b560604e00e49f9ef304e6c6177d7cfc779d7b0acc73f662a0

SHA512
b90b93e960e7ad617bbeebb35fc6df1e7a28270815a49f174e1e9a7637817df992395b4e5c6641a3681c53338aafa27a80126ba1c68c5e43bd555e09f1e76ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
bb1d8701d69cca4889a5e5eab44524b9

SHA1
7dc5a1f55cb8b73caa159773a76c7912ea7af219

SHA256
a892d8a92424a6e8ac6f69f0a3f2eb5df6afd06aae5a1bced274985bba8998db

SHA512
081c2c1661bcb593f36837888394f7b07867ab17754a9caf3e0ab70a6a6d01b61222a430287aeeec71767f5ec249c6e1b0cf4221689e0a30632c2eafede450e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
e712c6f9df7883a6b5286b9461728afb

SHA1
3e233da0eb00b8e4301efb2d78740378a259f59a

SHA256
3341c3df014b1e1c475630579ef9dcea68cfff21157fb21c9389aad00a81af8b

SHA512
2e8d590a6a5f034c611e14f91674795cf396976dc2feec05cb55fa45ae49c9dafe5c547e6a6f195a7b6d65adea64d13da6515b8a2a4ce4daf63364d4124d6e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5ym4qqk\imagestore.dat
MD5
7578d3d681c6414bd1c16c422afd2195

SHA1
f82a0a670fafc14ed50ec322c9edbdafe306fc3f

SHA256
a8bdf401c3d4a5072eb84efe9ec6a02141ea0e8af686a3efb43dd7f959dcd8f5

SHA512
1cced0c62855b7f520caf0d620765c74bdf7432438651d47797fa325e475b4f6697d356dd6ba140dff00f48360e662937c791decfbfab23da9e22b4a82d6d485

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4C4.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFC1C.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\craqonpl.2ld\gcleaner.exe
MD5
3a9115aa34ddc3302fe3d07ceddd4373

SHA1
10e7f2a8c421c825a2467d488b33de09c2c2a14b

SHA256
080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634

SHA512
85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\craqonpl.2ld\gcleaner.exe
MD5
3a9115aa34ddc3302fe3d07ceddd4373

SHA1
10e7f2a8c421c825a2467d488b33de09c2c2a14b

SHA256
080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634

SHA512
85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8-61773-09d-4c998-6c828c38ccea4\Daefomagaehy.exe
MD5
ea0bd77acb23c4beaf2171343655480d

SHA1
e21da1215c7dbffc136b926704756c7a0b2a4986

SHA256
7cb8a7f2fb3b2937b8134077f26137e2a6572c3008bb08dcbe2a71da0ab3d1e6

SHA512
cf5ec8af64338eadb30dcb2ce60d82f7792f82bd133843fac42e082b8193eab903216dc5e90471eeabf865dc6de8b8bf200e947b3d419996e971d7f213f3165d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8-61773-09d-4c998-6c828c38ccea4\Daefomagaehy.exe
MD5
ea0bd77acb23c4beaf2171343655480d

SHA1
e21da1215c7dbffc136b926704756c7a0b2a4986

SHA256
7cb8a7f2fb3b2937b8134077f26137e2a6572c3008bb08dcbe2a71da0ab3d1e6

SHA512
cf5ec8af64338eadb30dcb2ce60d82f7792f82bd133843fac42e082b8193eab903216dc5e90471eeabf865dc6de8b8bf200e947b3d419996e971d7f213f3165d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8-61773-09d-4c998-6c828c38ccea4\Daefomagaehy.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\df-569fe-ee8-55792-ff4e859100557\Kenessey.txt
MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\df-569fe-ee8-55792-ff4e859100557\Kyzhawituzhe.exe
MD5
25cb345482b86cc24a9eeae96834a813

SHA1
21c4c97889ff7f91b7ae95e67991074627b0c3a4

SHA256
ed25ff51f8b2a15a9c7165623b3353c0fa770a62fa9d2e087e9253df23bc5e67

SHA512
ba7cea0e2fbe7614ea3ff513b422f0bfb059b2d6ab46d4c7ea14f7334b9581e64add77dbcdd13a4c98c78798c2da2502b3422049020e4188b27af7b468518e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\df-569fe-ee8-55792-ff4e859100557\Kyzhawituzhe.exe
MD5
25cb345482b86cc24a9eeae96834a813

SHA1
21c4c97889ff7f91b7ae95e67991074627b0c3a4

SHA256
ed25ff51f8b2a15a9c7165623b3353c0fa770a62fa9d2e087e9253df23bc5e67

SHA512
ba7cea0e2fbe7614ea3ff513b422f0bfb059b2d6ab46d4c7ea14f7334b9581e64add77dbcdd13a4c98c78798c2da2502b3422049020e4188b27af7b468518e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\df-569fe-ee8-55792-ff4e859100557\Kyzhawituzhe.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\eufemrst.q1j\GcleanerEU.exe
MD5
3a9115aa34ddc3302fe3d07ceddd4373

SHA1
10e7f2a8c421c825a2467d488b33de09c2c2a14b

SHA256
080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634

SHA512
85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eufemrst.q1j\GcleanerEU.exe
MD5
3a9115aa34ddc3302fe3d07ceddd4373

SHA1
10e7f2a8c421c825a2467d488b33de09c2c2a14b

SHA256
080060800d33d4fa01099647797195995af436cbad0a5dc903a572b184b50634

SHA512
85fa6eddbaec2df843d623ddf88154cd2b62b9823c953b5659dc0464e1a47b90a877ca3681007561d2e1ccdd315e4f79ecf0285404868cc7cedd369ae28a586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-57T30.tmp\Fri192b9eeaa03b.tmp
MD5
6020849fbca45bc0c69d4d4a0f4b62e7

SHA1
5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9

SHA256
c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98

SHA512
f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HO6M6.tmp\46807GHF____.exe
MD5
07470f6ad88ca277d3193ccca770d3b3

SHA1
1d323f05cc25310787e87f4fa4557393a05c8c7f

SHA256
b6c1a2841a02de3650633b8516f8ea7c9cfb0dc4ad0b307f6fa4d45ccac7aa19

SHA512
b47582f1230213a2f52f1f55fcb9b4390c52dfc6cc064415f097463bc28f5631962f98dc4fb576935d5304ad1249d28eff869727d1f425feb9821e9b120bcd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HO6M6.tmp\46807GHF____.exe
MD5
07470f6ad88ca277d3193ccca770d3b3

SHA1
1d323f05cc25310787e87f4fa4557393a05c8c7f

SHA256
b6c1a2841a02de3650633b8516f8ea7c9cfb0dc4ad0b307f6fa4d45ccac7aa19

SHA512
b47582f1230213a2f52f1f55fcb9b4390c52dfc6cc064415f097463bc28f5631962f98dc4fb576935d5304ad1249d28eff869727d1f425feb9821e9b120bcd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NDEI4.tmp\ultramediaburner.tmp
MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NDEI4.tmp\ultramediaburner.tmp
MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjur5uvc.fqj\installer.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjur5uvc.fqj\installer.exe
MD5
c313ddb7df24003d25bf62c5a218b215

SHA1
20a3404b7e17b530885fa0be130e784f827986ee

SHA256
e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1

SHA512
542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
14ef50a8355a8ddbffbd19aff9936836

SHA1
7c44952baa2433c554228dbd50613d7bf347ada5

SHA256
fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9

SHA512
ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xg3t5skf.zn3\anyname.exe
MD5
856636f3cfda4d284b6d8418772a61a6

SHA1
686a6e3c07ca8a669e86e4277a0e8bd1c2933af6

SHA256
0a19267cf3f96ebd3b14280657975a23d38df9590760f31c51fc3a1b84840830

SHA512
c405b84ab33ee803cf4f7f2dd385ba7e2e851fadeb13ecfd60e18ce6b5bc9b57134375c3029d4bcae9ce04da2863f23ed40be013d99fb1ef6252926ed39a7068

Download Submit
C:\Users\Admin\AppData\Local\Temp\xg3t5skf.zn3\anyname.exe
MD5
856636f3cfda4d284b6d8418772a61a6

SHA1
686a6e3c07ca8a669e86e4277a0e8bd1c2933af6

SHA256
0a19267cf3f96ebd3b14280657975a23d38df9590760f31c51fc3a1b84840830

SHA512
c405b84ab33ee803cf4f7f2dd385ba7e2e851fadeb13ecfd60e18ce6b5bc9b57134375c3029d4bcae9ce04da2863f23ed40be013d99fb1ef6252926ed39a7068

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
MD5
98e537669f4ce0062f230a14bcfcaf35

SHA1
a19344f6a5e59c71f51e86119f5fa52030a92810

SHA256
6f515aac05311f411968ee6e48d287a1eb452e404ffeff75ee0530dcf3243735

SHA512
1ebc254289610be65882a6ceb1beebbf2be83006117f0a6ccbddd19ab7dc807978232a13ad5fa39b6f06f694d4f7c75760b773d70b87c0badef1da89bb7af3ac

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Users\Admin\AppData\Local\Temp\INAFBAE.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Users\Admin\AppData\Local\Temp\MSI4C4.tmp
MD5
43d68e8389e7df33189d1c1a05a19ac8

SHA1
caf9cc610985e5cfdbae0c057233a6194ecbfed4

SHA256
85dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae

SHA512
58a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e

Download Submit
\Users\Admin\AppData\Local\Temp\MSIFC1C.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Users\Admin\AppData\Local\Temp\is-0P34H.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-0P34H.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-57T30.tmp\Fri192b9eeaa03b.tmp
MD5
6020849fbca45bc0c69d4d4a0f4b62e7

SHA1
5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9

SHA256
c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98

SHA512
f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb

Download Submit
\Users\Admin\AppData\Local\Temp\is-HO6M6.tmp\46807GHF____.exe
MD5
07470f6ad88ca277d3193ccca770d3b3

SHA1
1d323f05cc25310787e87f4fa4557393a05c8c7f

SHA256
b6c1a2841a02de3650633b8516f8ea7c9cfb0dc4ad0b307f6fa4d45ccac7aa19

SHA512
b47582f1230213a2f52f1f55fcb9b4390c52dfc6cc064415f097463bc28f5631962f98dc4fb576935d5304ad1249d28eff869727d1f425feb9821e9b120bcd80

Download Submit
\Users\Admin\AppData\Local\Temp\is-HO6M6.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-HO6M6.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-HO6M6.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-NDEI4.tmp\ultramediaburner.tmp
MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
14ef50a8355a8ddbffbd19aff9936836

SHA1
7c44952baa2433c554228dbd50613d7bf347ada5

SHA256
fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9

SHA512
ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
14ef50a8355a8ddbffbd19aff9936836

SHA1
7c44952baa2433c554228dbd50613d7bf347ada5

SHA256
fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9

SHA512
ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
14ef50a8355a8ddbffbd19aff9936836

SHA1
7c44952baa2433c554228dbd50613d7bf347ada5

SHA256
fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9

SHA512
ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
14ef50a8355a8ddbffbd19aff9936836

SHA1
7c44952baa2433c554228dbd50613d7bf347ada5

SHA256
fde50eea631c01d46cbb95b6f4c2a7c834ce77184552f788242c5811ed76b8f9

SHA512
ccddf7b0610bcae4395a6aae7c32d03f23a40328b68d9f0246361e1af0d401ee444f178310910d15e7dbd3706a89ae4e5b7adbd972e1f50cd5a77515612f76dc

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
\Windows\Installer\MSI1BCC.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
\Windows\Installer\MSI1ECA.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI216A.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI22F1.tmp
MD5
0981d5c068a9c33f4e8110f81ffbb92e

SHA1
badb871adf6f24aba6923b9b21b211cea2aeca77

SHA256
b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

SHA512
59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

Download Submit
\Windows\Installer\MSI242A.tmp
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2

SHA1
4a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d

SHA256
73af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837

SHA512
3f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56

Download Submit
memory/472-68-0x0000000000AB0000-0x0000000000AB2000-memory.dmp

Filesize
8KB

Download
memory/472-65-0x0000000000000000-mapping.dmp

Download
memory/472-69-0x000000001C880000-0x000000001CB7F000-memory.dmp

Filesize
3.0MB

Download
memory/1084-108-0x0000000000000000-mapping.dmp

Download
memory/1084-110-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/1136-53-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1136-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1440-79-0x0000000000000000-mapping.dmp

Download
memory/1440-99-0x000000001CCC0000-0x000000001CFBF000-memory.dmp

Filesize
3.0MB

Download
memory/1440-87-0x0000000000980000-0x0000000000982000-memory.dmp

Filesize
8KB

Download
memory/1504-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1504-56-0x0000000000000000-mapping.dmp

Download
memory/1564-94-0x00000000742C1000-0x00000000742C3000-memory.dmp

Filesize
8KB

Download
memory/1564-86-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1564-76-0x0000000000000000-mapping.dmp

Download
memory/1696-106-0x0000000000000000-mapping.dmp

Download
memory/1808-116-0x00000000004D7000-0x00000000004F6000-memory.dmp

Filesize
124KB

Download
memory/1808-93-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/1808-88-0x0000000000000000-mapping.dmp

Download
memory/1808-115-0x00000000004D2000-0x00000000004D3000-memory.dmp

Filesize
4KB

Download
memory/1808-113-0x000000001C9B0000-0x000000001CCAF000-memory.dmp

Filesize
3.0MB

Download
memory/1808-95-0x000007FEEDAC0000-0x000007FEEEB56000-memory.dmp

Filesize
16.6MB

Download
memory/1944-183-0x0000000000000000-mapping.dmp

Download
memory/1972-117-0x0000000000A66000-0x0000000000A85000-memory.dmp

Filesize
124KB

Download
memory/1972-119-0x0000000000A85000-0x0000000000A86000-memory.dmp

Filesize
4KB

Download
memory/1972-105-0x000007FEEDAC0000-0x000007FEEEB56000-memory.dmp

Filesize
16.6MB

Download
memory/1972-118-0x000000001B0B0000-0x000000001B0C9000-memory.dmp

Filesize
100KB

Download
memory/1972-107-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/1972-102-0x0000000000000000-mapping.dmp

Download
memory/1976-174-0x0000000000000000-mapping.dmp

Download
memory/2044-85-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2044-70-0x0000000000000000-mapping.dmp

Download
memory/2056-177-0x0000000000000000-mapping.dmp

Download
memory/2120-144-0x0000000000000000-mapping.dmp

Download
memory/2248-146-0x0000000000000000-mapping.dmp

Download
memory/2248-154-0x0000000000400000-0x0000000002B6B000-memory.dmp

Filesize
39.4MB

Download
memory/2264-149-0x0000000000000000-mapping.dmp

Download
memory/2272-182-0x0000000000000000-mapping.dmp

Download
memory/2292-151-0x0000000000000000-mapping.dmp

Download
memory/2344-179-0x0000000000000000-mapping.dmp

Download
memory/2428-156-0x0000000000000000-mapping.dmp

Download
memory/2460-184-0x0000000000000000-mapping.dmp

Download
memory/2536-121-0x0000000000000000-mapping.dmp

Download
memory/2604-141-0x0000000000400000-0x0000000002B6B000-memory.dmp

Filesize
39.4MB

Download
memory/2604-123-0x0000000000000000-mapping.dmp

Download
memory/2604-135-0x00000000003B0000-0x00000000003F8000-memory.dmp

Filesize
288KB

Download
memory/2652-125-0x0000000000000000-mapping.dmp

Download
memory/2708-128-0x0000000000000000-mapping.dmp

Download
memory/2708-136-0x0000000000170000-0x00000000001C7000-memory.dmp

Filesize
348KB

Download
memory/2772-166-0x0000000000000000-mapping.dmp

Download
memory/2788-134-0x0000000000000000-mapping.dmp

Download
memory/2840-138-0x0000000000000000-mapping.dmp

Download
memory/3064-143-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp

Filesize
8KB

Download