a040e4b0df412e40652c252c5b67d219c184d36640b020c9aba286ed8d1b4bd3

Analysis

max time kernel
97s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
24-04-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iobit-uninstaller_13-0-0-13_fr_322480.exe
Size

21.5MB
MD5

67da36aae779299ac1a9e744237560ac
SHA1

f87f534e51e0bd1ea97aa836f7dc6e909b04b6f3
SHA256

a040e4b0df412e40652c252c5b67d219c184d36640b020c9aba286ed8d1b4bd3
SHA512

e7ee762f6e9aba0ea951b602e0d1ea3baa3ac305c69ac9007c003aad14708fb51cf4cbf5aafbeb73cc0cf7db6b4c8df81d9dc706b478e1307c5b4dd507bf9b02
SSDEEP

393216:KDc+ZYJpuJBOQaeqjngH3wtdvY50O15f4xrBeHKe4IE2pjpcMNnMgTcF:J8YiSWegXwfvs0OjQZWg2pNcgFe

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 7 IoCs

Security Software Discovery

T1518.001

Processes:

library_ca.exePPUninstaller.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	library_ca.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	library_ca.exe
Key opened	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\SOFTWARE\Avira\AntiVirus	library_ca.exe
Key opened	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Avast Software\Avast	library_ca.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Avast Software\Avast	library_ca.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	library_ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense	PPUninstaller.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}\NewTime = "2024-04-24 17:26:07:761"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}\ = "ExplorerWnd Helper"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}\NoInternetExplorer = "1"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

iobit-uninstaller_13-0-0-13_fr_322480.tmplibrary_ca.exeCrRestore.exe

description	ioc	process
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-QGME4.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-HFO6L.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-2FB25.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_amd64\is-A7FOL.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_amd64\is-EK7I8.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-3VHEJ.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-TFBDP.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-8R1KR.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-LNJU2.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-N7KKK.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-G3O8H.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\RegDemoScan.log	library_ca.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-784BD.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-GIOS9.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-HOFII.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_ia64\is-MVF9B.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\scandata\ScanResult.html	library_ca.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-V9ORG.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-80PN1.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Database\is-5GJ5S.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_x86\IUProcessFilter.sys	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_amd64\IUFileFilter.sys	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\unins000.dat	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Backup\IObitUninstaler.exe	CrRestore.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-KPUHI.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-9LII1.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\TaskbarPin\is-1GE5M.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-G4C1P.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-C6HKV.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Database\is-RKGJP.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_x86\IURegistryFilter.sys	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_amd64\IUProcessFilter.sys	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-KH1F6.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-E7KSI.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-T6CV4.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_x86\IUProcessFilter.sys	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Database\is-BGP22.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_amd64\IUForceDelete.sys	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_ia64\IUProcessFilter.sys	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_x86\is-DO2EL.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\RegRunLog.log	library_ca.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-JCQ44.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-63UCD.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Skin\is-QKPIV.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_ia64\is-TKHTS.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\database\Opt.dbd	library_ca.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\database\Reg.dbd	library_ca.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-JR6Q1.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_amd64\is-A37QL.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_amd64\IURegistryFilter.sys	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_amd64\is-6KLO7.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-K3PQ9.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-6V24I.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Skin\is-83GOR.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Database\is-VLIPV.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_amd64\is-8H0UI.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_ia64\is-JFE53.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Backup\cr.key	CrRestore.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-AO4U0.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-VC2S1.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\TaskbarPin\is-I2HO9.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-7LGAO.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Skin\is-96OOR.tmp	iobit-uninstaller_13-0-0-13_fr_322480.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\scandata\ScanResult.ini	library_ca.exe

Executes dropped EXE 19 IoCs

Processes:

iobit-uninstaller_13-0-0-13_fr_322480.tmpSetup.exeiobit-uninstaller_13-0-0-13_fr_322480.tmpiushrun.exeiush.exeIUService.exeICONPIN64.exelibrary_ca.exeCrRestore.exePPUninstaller.exeIObitUninstaler.exeUninstallPromote.exeiush.exeIObitUninstaler.exeIObitUninstaler.exeIObitUninstaler.exeIObitUninstaler.exeUninstallMonitor.exeIObitUninstaler.exe

pid	process
1528	iobit-uninstaller_13-0-0-13_fr_322480.tmp
4944	Setup.exe
3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp
1132	iushrun.exe
2792	iush.exe
5112	IUService.exe
3992	ICONPIN64.exe
4728	library_ca.exe
2316	CrRestore.exe
1504	PPUninstaller.exe
4700	IObitUninstaler.exe
5664	UninstallPromote.exe
5812	iush.exe
3904	IObitUninstaler.exe
3988	IObitUninstaler.exe
844	IObitUninstaler.exe
1844	IObitUninstaler.exe
3184	UninstallMonitor.exe
2900	IObitUninstaler.exe

Loads dropped DLL 64 IoCs

Processes:

iushrun.exeiush.exeregsvr32.exeIUService.exeregsvr32.exeregsvr32.exeregsvr32.exeExplorer.EXElibrary_ca.exeCrRestore.exePPUninstaller.exeIObitUninstaler.exeiush.exeIObitUninstaler.exe

pid	process
1132	iushrun.exe
1132	iushrun.exe
1132	iushrun.exe
2792	iush.exe
2792	iush.exe
3736	regsvr32.exe
5112	IUService.exe
5112	IUService.exe
5112	IUService.exe
5112	IUService.exe
5112	IUService.exe
808	regsvr32.exe
3592	regsvr32.exe
1312	regsvr32.exe
2792	iush.exe
2792	iush.exe
3392	Explorer.EXE
3392	Explorer.EXE
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
2316	CrRestore.exe
2316	CrRestore.exe
2316	CrRestore.exe
2316	CrRestore.exe
2316	CrRestore.exe
2316	CrRestore.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
5812	iush.exe
5812	iush.exe
3904	IObitUninstaler.exe
3904	IObitUninstaler.exe
3904	IObitUninstaler.exe
3904	IObitUninstaler.exe
3904	IObitUninstaler.exe
3904	IObitUninstaler.exe
3904	IObitUninstaler.exe
3904	IObitUninstaler.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUnstaler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUnstaler\ = "{836AB26C-2DE4-41D3-AC24-4C6C2699B960}"	regsvr32.exe

Registers COM server for autorun 1 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ = "C:\\PROGRA~2\\IObit\\IOBITU~1\\UNINST~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\UninstallExplorer.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUMenuRight.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-CQG3E.tmp\iush.exe	nsis_installer_2

Modifies registry class 53 IoCs

Processes:

iush.exeregsvr32.exeregsvr32.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\ShellFolder	iush.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\ShellFolder\Attributes = "48"	iush.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\ = "IObitUnstaler Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUnstaler\ = "{836AB26C-2DE4-41D3-AC24-4C6C2699B960}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\Shell\Open\command\ = "\"C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IObitUninstaler.exe\" control_statistics"	iush.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUMenuRight.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\0\win64\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUMenuRight.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUnstaler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\ = "ExplorerWnd Helper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59A55EF0-525F-4276-AB62-8F7E5F230399}\ = "PfShellExtension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PfShellExtension.DLL\AppID = "{59A55EF0-525F-4276-AB62-8F7E5F230399}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\IObitUnstaler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	iush.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PfShellExtension.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\IObitUnstaler\ = "{836AB26C-2DE4-41D3-AC24-4C6C2699B960}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59A55EF0-525F-4276-AB62-8F7E5F230399}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\DefaultIcon\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IObitUninstaler.exe,0"	iush.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\ProgID\ = "UninstallExplorer.ExplorerBtn"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\DefaultIcon	iush.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\Shell	iush.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\IObitUnstaler	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\IObitUnstaler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\ = "PfShellExtension 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UninstallExplorer.ExplorerBtn\Clsid\ = "{10921475-03CE-4E04-90CE-E2E7EF20C814}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}	iush.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\Shell\Open\command	iush.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UninstallExplorer.ExplorerBtn\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\Shell\Open	iush.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\IObitUnstaler\ = "{836AB26C-2DE4-41D3-AC24-4C6C2699B960}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\ = "IObit Uninstaller"	iush.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\InfoTip = "Uninstall/Remove programs, clean browser plugins"	iush.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ = "C:\\PROGRA~2\\IObit\\IOBITU~1\\UNINST~1.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UninstallExplorer.ExplorerBtn	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\UninstallExplorer.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\{305CA226-D286-468e-B848-2B2E8E697B74} 2 = "8"	iush.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\IObitUnstaler\ = "{836AB26C-2DE4-41D3-AC24-4C6C2699B960}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UninstallExplorer.ExplorerBtn\ = "ExplorerWnd Helper"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exeiushrun.exeiush.exeIUService.exelibrary_ca.exeCrRestore.exePPUninstaller.exepowershell.exeIObitUninstaler.exeiobit-uninstaller_13-0-0-13_fr_322480.tmpUninstallPromote.exe

pid	process
4944	Setup.exe
4944	Setup.exe
4944	Setup.exe
4944	Setup.exe
1132	iushrun.exe
1132	iushrun.exe
1132	iushrun.exe
1132	iushrun.exe
1132	iushrun.exe
1132	iushrun.exe
1132	iushrun.exe
1132	iushrun.exe
2792	iush.exe
2792	iush.exe
2792	iush.exe
2792	iush.exe
5112	IUService.exe
5112	IUService.exe
4728	library_ca.exe
4728	library_ca.exe
2316	CrRestore.exe
2316	CrRestore.exe
2316	CrRestore.exe
2316	CrRestore.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
1504	PPUninstaller.exe
3108	powershell.exe
3108	powershell.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
4700	IObitUninstaler.exe
5112	IUService.exe
5112	IUService.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
4728	library_ca.exe
3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp
3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp
5664	UninstallPromote.exe
5664	UninstallPromote.exe
5664	UninstallPromote.exe
5664	UninstallPromote.exe
5664	UninstallPromote.exe
5664	UninstallPromote.exe
5664	UninstallPromote.exe
5664	UninstallPromote.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3392 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEpowershell.exeIObitUninstaler.exelibrary_ca.exe

description	pid	process
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeDebugPrivilege	4700	IObitUninstaler.exe
Token: SeDebugPrivilege	4728	library_ca.exe
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

Setup.exeiushrun.exeiobit-uninstaller_13-0-0-13_fr_322480.tmpiush.exeICONPIN64.exeExplorer.EXECrRestore.exePPUninstaller.exeIObitUninstaler.exeiush.exeUninstallMonitor.exe

pid	process
4944	Setup.exe
4944	Setup.exe
1132	iushrun.exe
3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp
2792	iush.exe
3992	ICONPIN64.exe
3392	Explorer.EXE
2316	CrRestore.exe
1504	PPUninstaller.exe
4700	IObitUninstaler.exe
5812	iush.exe
3184	UninstallMonitor.exe
3184	UninstallMonitor.exe
3184	UninstallMonitor.exe
3184	UninstallMonitor.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

Explorer.EXEUninstallMonitor.exe

pid	process
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3392	Explorer.EXE
3184	UninstallMonitor.exe
3184	UninstallMonitor.exe
3184	UninstallMonitor.exe
3392	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PPUninstaller.exeExplorer.EXE

pid process

1504 PPUninstaller.exe
3392 Explorer.EXE

pid	process
1504	PPUninstaller.exe
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iobit-uninstaller_13-0-0-13_fr_322480.exeiobit-uninstaller_13-0-0-13_fr_322480.tmpSetup.exeiobit-uninstaller_13-0-0-13_fr_322480.exeiobit-uninstaller_13-0-0-13_fr_322480.tmpiush.exeregsvr32.exeregsvr32.exeICONPIN64.exePPUninstaller.execmd.exeExplorer.EXEpowershell.exe

description	pid	process	target process
PID 1088 wrote to memory of 1528	1088	iobit-uninstaller_13-0-0-13_fr_322480.exe	iobit-uninstaller_13-0-0-13_fr_322480.tmp
PID 1088 wrote to memory of 1528	1088	iobit-uninstaller_13-0-0-13_fr_322480.exe	iobit-uninstaller_13-0-0-13_fr_322480.tmp
PID 1088 wrote to memory of 1528	1088	iobit-uninstaller_13-0-0-13_fr_322480.exe	iobit-uninstaller_13-0-0-13_fr_322480.tmp
PID 1528 wrote to memory of 4944	1528	iobit-uninstaller_13-0-0-13_fr_322480.tmp	Setup.exe
PID 1528 wrote to memory of 4944	1528	iobit-uninstaller_13-0-0-13_fr_322480.tmp	Setup.exe
PID 1528 wrote to memory of 4944	1528	iobit-uninstaller_13-0-0-13_fr_322480.tmp	Setup.exe
PID 4944 wrote to memory of 2928	4944	Setup.exe	iobit-uninstaller_13-0-0-13_fr_322480.exe
PID 4944 wrote to memory of 2928	4944	Setup.exe	iobit-uninstaller_13-0-0-13_fr_322480.exe
PID 4944 wrote to memory of 2928	4944	Setup.exe	iobit-uninstaller_13-0-0-13_fr_322480.exe
PID 2928 wrote to memory of 3700	2928	iobit-uninstaller_13-0-0-13_fr_322480.exe	iobit-uninstaller_13-0-0-13_fr_322480.tmp
PID 2928 wrote to memory of 3700	2928	iobit-uninstaller_13-0-0-13_fr_322480.exe	iobit-uninstaller_13-0-0-13_fr_322480.tmp
PID 2928 wrote to memory of 3700	2928	iobit-uninstaller_13-0-0-13_fr_322480.exe	iobit-uninstaller_13-0-0-13_fr_322480.tmp
PID 3700 wrote to memory of 1132	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	iushrun.exe
PID 3700 wrote to memory of 1132	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	iushrun.exe
PID 3700 wrote to memory of 1132	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	iushrun.exe
PID 3700 wrote to memory of 2792	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	iush.exe
PID 3700 wrote to memory of 2792	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	iush.exe
PID 3700 wrote to memory of 2792	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	iush.exe
PID 2792 wrote to memory of 3736	2792	iush.exe	regsvr32.exe
PID 2792 wrote to memory of 3736	2792	iush.exe	regsvr32.exe
PID 2792 wrote to memory of 3736	2792	iush.exe	regsvr32.exe
PID 2792 wrote to memory of 808	2792	iush.exe	regsvr32.exe
PID 2792 wrote to memory of 808	2792	iush.exe	regsvr32.exe
PID 2792 wrote to memory of 808	2792	iush.exe	regsvr32.exe
PID 3736 wrote to memory of 3592	3736	regsvr32.exe	regsvr32.exe
PID 3736 wrote to memory of 3592	3736	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 1312	808	regsvr32.exe	regsvr32.exe
PID 808 wrote to memory of 1312	808	regsvr32.exe	regsvr32.exe
PID 2792 wrote to memory of 3992	2792	iush.exe	ICONPIN64.exe
PID 2792 wrote to memory of 3992	2792	iush.exe	ICONPIN64.exe
PID 3992 wrote to memory of 3392	3992	ICONPIN64.exe	Explorer.EXE
PID 3700 wrote to memory of 4728	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	library_ca.exe
PID 3700 wrote to memory of 4728	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	library_ca.exe
PID 3700 wrote to memory of 4728	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	library_ca.exe
PID 3700 wrote to memory of 2316	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	CrRestore.exe
PID 3700 wrote to memory of 2316	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	CrRestore.exe
PID 3700 wrote to memory of 2316	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	CrRestore.exe
PID 3700 wrote to memory of 1504	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	PPUninstaller.exe
PID 3700 wrote to memory of 1504	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	PPUninstaller.exe
PID 3700 wrote to memory of 1504	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	PPUninstaller.exe
PID 1504 wrote to memory of 4288	1504	PPUninstaller.exe	cmd.exe
PID 1504 wrote to memory of 4288	1504	PPUninstaller.exe	cmd.exe
PID 1504 wrote to memory of 4288	1504	PPUninstaller.exe	cmd.exe
PID 4288 wrote to memory of 3108	4288	cmd.exe	powershell.exe
PID 4288 wrote to memory of 3108	4288	cmd.exe	powershell.exe
PID 3392 wrote to memory of 4700	3392	Explorer.EXE	IObitUninstaler.exe
PID 3392 wrote to memory of 4700	3392	Explorer.EXE	IObitUninstaler.exe
PID 3392 wrote to memory of 4700	3392	Explorer.EXE	IObitUninstaler.exe
PID 3108 wrote to memory of 1880	3108	powershell.exe	chcp.com
PID 3108 wrote to memory of 1880	3108	powershell.exe	chcp.com
PID 3700 wrote to memory of 5664	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	UninstallPromote.exe
PID 3700 wrote to memory of 5664	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	UninstallPromote.exe
PID 3700 wrote to memory of 5664	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	UninstallPromote.exe
PID 3700 wrote to memory of 5812	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	iush.exe
PID 3700 wrote to memory of 5812	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	iush.exe
PID 3700 wrote to memory of 5812	3700	iobit-uninstaller_13-0-0-13_fr_322480.tmp	iush.exe
PID 4944 wrote to memory of 3904	4944	Setup.exe	IObitUninstaler.exe
PID 4944 wrote to memory of 3904	4944	Setup.exe	IObitUninstaler.exe
PID 4944 wrote to memory of 3904	4944	Setup.exe	IObitUninstaler.exe
PID 3392 wrote to memory of 3988	3392	Explorer.EXE	IObitUninstaler.exe
PID 3392 wrote to memory of 3988	3392	Explorer.EXE	IObitUninstaler.exe
PID 3392 wrote to memory of 3988	3392	Explorer.EXE	IObitUninstaler.exe
PID 3392 wrote to memory of 844	3392	Explorer.EXE	IObitUninstaler.exe
PID 3392 wrote to memory of 844	3392	Explorer.EXE	IObitUninstaler.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392

C:\Users\Admin\AppData\Local\Temp\iobit-uninstaller_13-0-0-13_fr_322480.exe
"C:\Users\Admin\AppData\Local\Temp\iobit-uninstaller_13-0-0-13_fr_322480.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\is-58590.tmp\iobit-uninstaller_13-0-0-13_fr_322480.tmp
"C:\Users\Admin\AppData\Local\Temp\is-58590.tmp\iobit-uninstaller_13-0-0-13_fr_322480.tmp" /SL5="$60170,21914979,137216,C:\Users\Admin\AppData\Local\Temp\iobit-uninstaller_13-0-0-13_fr_322480.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\is-4JO6P.tmp\IUInstaller\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4JO6P.tmp\IUInstaller\Setup.exe" /setup "C:\Users\Admin\AppData\Local\Temp\iobit-uninstaller_13-0-0-13_fr_322480.exe" "" "/Ver=9.6.0.3"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\iobit-uninstaller_13-0-0-13_fr_322480.exe
"C:\Users\Admin\AppData\Local\Temp\iobit-uninstaller_13-0-0-13_fr_322480.exe" /verysilent /NORESTART /DIR="C:\Program Files (x86)\IObit\IObit Uninstaller\" /TASKS="desktopicon, " /do /dt ""
5⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\is-TLI6A.tmp\iobit-uninstaller_13-0-0-13_fr_322480.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TLI6A.tmp\iobit-uninstaller_13-0-0-13_fr_322480.tmp" /SL5="$60222,21914979,137216,C:\Users\Admin\AppData\Local\Temp\iobit-uninstaller_13-0-0-13_fr_322480.exe" /verysilent /NORESTART /DIR="C:\Program Files (x86)\IObit\IObit Uninstaller\" /TASKS="desktopicon, " /do /dt ""
6⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\is-CQG3E.tmp\IUInstaller\iushrun.exe
"C:\Users\Admin\AppData\Local\Temp\is-CQG3E.tmp\IUInstaller\iushrun.exe" /ii "C:\Program Files (x86)\IObit\IObit Uninstaller"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1132

C:\Program Files (x86)\IObit\IObit Uninstaller\iush.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\iush.exe" /if "C:\Program Files (x86)\IObit\IObit Uninstaller" /dt /insur=
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll"
9⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:3592

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll"
9⤵
- Installs/modifies Browser Helper Object
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1312

C:\Program Files (x86)\IObit\IObit Uninstaller\TaskbarPin\ICONPIN64.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\TaskbarPin\ICONPIN64.exe" Pin "C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe"
8⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3992

C:\Program Files (x86)\IObit\IObit Uninstaller\library_ca.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\library_ca.exe" /IU /savefile
7⤵
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Program Files (x86)\IObit\IObit Uninstaller\CrRestore.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\CrRestore.exe" /Backup
7⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2316

C:\Program Files (x86)\IObit\IObit Uninstaller\PPUninstaller.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\PPUninstaller.exe" /R
7⤵
- Checks for any installed AV software in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" cmd.exe /c %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "& {1...10 |chcp 65001|Get-StartApps| where AppID -Like "*!*" |format-list|Out-File -encoding utf8 $env:Temp\StartApps.txt}"
8⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "& {1...10 |chcp 65001|Get-StartApps| where AppID -Like "*!*" |format-list|Out-File -encoding utf8 $env:Temp\StartApps.txt}"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 65001
10⤵
PID:1880

C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallPromote.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallPromote.exe" /INSTALL un9
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5664

C:\Program Files (x86)\IObit\IObit Uninstaller\iush.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\iush.exe" /rp
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5812

C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe" /setup
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3904

C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4700

C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe"
2⤵
- Executes dropped EXE
PID:3988

C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe"
2⤵
- Executes dropped EXE
PID:844

C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe"
2⤵
- Executes dropped EXE
PID:1844

C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe"
2⤵
- Executes dropped EXE
PID:2900

C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe" /srvupt
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IObit\IObit Uninstaller\CrRestore.exe
Filesize
834KB

MD5
b983f8a2d37e5e4e84422bf12bcb024c

SHA1
ad081022d5f89444278b582ae1a8a7d199a017ac

SHA256
1b63ec30ed5eb18407fb1a2777dcfd7ceb934b92c2cddf7f2cbcc3abf2911d25

SHA512
25e277ee48d1cd14e7ef57a1045512a108982475e46a7c27b4ec2e60df86c7aa5d102e9cbeb4002f5f6c58a74faf2aca7858ad711216793c173420d4b1d3850b

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\Database\Opt.dbd
Filesize
27KB

MD5
ff262340e12be0e9a06b3b0ad4f02673

SHA1
0b12a429fb0a8ddd30db528378219f6bd0466c3b

SHA256
abeb1ffc33078a2c717860c64666bafabfd7d8789fcdb5007b08d9a4568f07a4

SHA512
fc2079abbf65b800f03952ac72479d1031aae21552f49daad09bcd19df665893c48b56864da91dc0720d0667aebd4d001373c50e1657babf07d6b4d3f2ce2427

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\Database\PriTemp.dbd
Filesize
32KB

MD5
96bf1625453a5d6d1d8265b9377018f7

SHA1
e64577f9c77c20c6c777670844c23fcd62771d74

SHA256
e678b6211fbbe660345782322281de1c197ca3811f9de82d7bfa1bb13c175b07

SHA512
e499e71ce18eb7a87b573a17389e6ecf52e95fc5bf962ed5abcde35ce50c6f5f4e8a6423c82694d6ccdc0650f466832f04b0f4618a4e135bf9c44bb24565f91d

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\Database\Reg.dbd
Filesize
21KB

MD5
87708d3d42f910fd04794ba3b08a498d

SHA1
d7243ea6e47ee043f1fd6b2946025eb0cdb985f4

SHA256
4e8c5bfe709ac1efb63dd38bad78daf40f846b8461c1991c1ec9b978b59ae7e1

SHA512
38edc0fcdd6a47ccc5bccf75f59498e8d97b8bd24a2b5c18dc12b96edc5f1cebcba1e112274de0444ffc342f98fd87f1cd13ee7c2037d826b9ce3eaefc02ccb4

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe
Filesize
5.8MB

MD5
b89e8cb797d8764d7fada94743c95d41

SHA1
fe3d4543973954ee2093bf0dedb01890debf2882

SHA256
cdfd10fa556482c0b9cfd3a283c19bab88560f8987b03e9705dd8e08fed2c58d

SHA512
1ebbdda32f207ae021af6f61f069cf3f850a243d6b99551828b0e6fb253062ddaab1d1fac097ddb484f2d3e938a8c98d918bb689c38c08b3aa94a405a1e805fa

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll
Filesize
275KB

MD5
08f21fd0132903ac3ae874a0570c95c5

SHA1
56b317253c59a399bc76183d24f4299774ffe7a8

SHA256
98c8db944a14732325626168665e89b629d5b164dc652c9946376eeec6719e41

SHA512
7786c6cc361addce8c072836e268e809de064bfed046ecdf901520dd595bf455309416c37a3e2ac5cd8e1b686e1eb7880be513526107bc41bf9367388c2ae351

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
Filesize
153KB

MD5
ab08856057cda9b5c157713c9afb29ba

SHA1
30275f2a7d25c12834c44c0f1040f7c810fe1fd9

SHA256
74816411153f7db9195d6668adf78a347f7766fefda23b9f347a7c22392d7352

SHA512
e00cecdffeef9feafce72362efaa064a93f926036223553cdb2cba9c2da3e925482854baaf3c3759e9f125857212ba44a018dba77c11a8fef47430ebbd3ad387

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\Lang.dat
Filesize
64B

MD5
57e662a5837b148d81299227db5466fc

SHA1
2b97cf3c51dbedc7332cc197eadd8a471bf0b537

SHA256
8fafe1313c12256581c7698302d8eab1d2a21739ee57adeb850260d0df22503c

SHA512
3028a8125b144a221872de60d33352b0720711019e04688f99670b8f6180647020f38b8be60a7b14d06e3fd9ab0210bd8e2deac5759702d66336b3852eda1593

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\Language\English.lng
Filesize
115KB

MD5
21fb2dd54fb0349bdef7f31950228d5e

SHA1
5001581c6a67c368ca0c0a06d136bca34767673d

SHA256
e8f471ac958dde188fe26c2091972165fe96912287c20edc907e794ef68f14b6

SHA512
07b67e77aaae7cff702c985e692cca74c231447b06cd6365fff7d0fd784493243469c58d3b472fd43a223d36ebd8f5bc8db907ee5174651fac082c743c1d5d76

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\PPUninstaller.exe
Filesize
1.2MB

MD5
349b0643202631dcbe40b347769a4d47

SHA1
60ed1ee9a2aa70bc8c357d5e325daf3f00553f4d

SHA256
c0f0ffe9ac70c8dfbf0669839be8b6d6b13bfbc2019775b52e023b88329ae1c7

SHA512
1f2cb8b0e1ea4a76a2f53973b5ead215aef99a3c7fd31376a7db986a9352cb89e80fa5e1f8dd4066bdace29187c2768bf02769b62e6658ec0ef1e7a6b6b36288

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\ProductStatistics.dll
Filesize
1.8MB

MD5
973aa3f2f86abfd9364a16dda77748aa

SHA1
63fd0799d891af057b65b49ea8e4c7dcaa7ecccd

SHA256
543afcabfbf980cfe945756250b0855387e6561bca31c3060085b960c109864d

SHA512
a805b39d524244e4bba9103757dba6fb83565330870dba4deaf424fc52346f7fe29463df6fb86d3e089c42e3bf935b84bc72738a75e95581f6315312669af56f

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\RegDemoScan.log
Filesize
3KB

MD5
b453282e1f610d786adf902c1895e6b7

SHA1
102e6d2bb766bae7917b09e11f6e4df4270e6a52

SHA256
d5d4bc49a5211c38024b70262b3374d2f8fa20eaa89226e079ff391a5b24ada4

SHA512
32efcb628fe117845d25cb7132dc599efb275efb41c0eeae01caf51048c2c7172849750fa76c62217d6d05f5432892bdde771af5d3a234c033aeb831a8ad7eb3

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\RegRunLog.log
Filesize
2KB

MD5
4cd0caf71b66283f5c8952a0de62fb7a

SHA1
3fcfa5fbc55162b8cead9d94d896eb806c834166

SHA256
342aed69c0a65c8b0d834faceefd06de41966e2c68a832132b3ea7b5cb8cd9c3

SHA512
7495c0b67d0ad4fefadc10997107b98e5f3de5ca4d4251ea0de497ffd2f99a326b9209b432e48d82b862cdeb954894f1f4d2929e43a978d6dfed08beadf709e8

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\RegisterCom.dll
Filesize
1003KB

MD5
3eaf568853ebd3b51bf2ed936e65ae48

SHA1
0a643c99d4698a774239acf77c7bc1632fb040bd

SHA256
713f038954fb9ef85840d95be41e76d1d406defa9df7e7669f39919b491e3dd3

SHA512
b3819a0a2ce5148a2a9f587fd541e4b1790c013fd3517f728f05563c943fb9700954f3aa8c9a58b5b5a22694fde8048442a3149ac657fc14bd52890df8889d9c

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\TaskbarPin\ICONPIN64.dll
Filesize
601KB

MD5
350000678a986412b578698f42ad7601

SHA1
4b6f778618ab25c636584667cba34609f2277bf6

SHA256
560ecbb3f14a045feae50d80dae8bc1fbafbb57b06d44ccbfefc841527c7d4e4

SHA512
e5dd595e0f1f93ced111a226e91a37fac2e75676f60f0d475435a1e1521b4173a414996b88cf374fc7f1b813a3d40d68c4cd9020ce19ec37f87e3e3adc39e008

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\TaskbarPin\ICONPIN64.exe
Filesize
571KB

MD5
596af9fb3d6eae8381ebe7ee0a8cbf69

SHA1
58d30770213440e25d20ff95349f4f633d707ea5

SHA256
b372b90825ee38094bfa8071efbbf2a450da47ccbeb4ae015a38aec5747dd40d

SHA512
61f379b27444ac2dd8410787a5cce69a0b1bf8734251535d417cce2730a80c295cdca24f94619597163a5b56207838ddb65719433410cd18685c1d8f9477de0a

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll
Filesize
2.4MB

MD5
05066aff4c5cedacbd35dae7b9ae7f62

SHA1
2335db652b28109dfb80b74e067974cd87a768b7

SHA256
050e79882e2c4fde169c8595baaf7cf24bb8ae3cdb6f8c65ced1a9670e762414

SHA512
da2ff93f25390f4f5e34e19b11ea3f1604cdfcf18f28b470dcd2d4849d1c209c5934f2a7f2c614bdd213afdcf8967a727d80035652ced9964b0562ef704b2a33

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallPromote.exe
Filesize
3.2MB

MD5
a0be5f43077c23010865ce0ac81d9b16

SHA1
13a6aa7061ef421716ce07e23bba9f73c83a3430

SHA256
675587c6a5cb2332fe7d873d59633269970ebf1c344d5285d0d76f43f11681a7

SHA512
8ee40348f2587549db4cb34ec572607f04ab54c4ec15a27a8329c288f61a2a7027bb7b09ea6f51031f340cbf52edc54965cf1af9b4fa110fac8ec4dcfee8993d

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\library_ca.exe
Filesize
3.1MB

MD5
c4fffd50899dcbedb8ae91b3315c94fa

SHA1
2443c4695fe8b26e4954a52c9718458ec17bd672

SHA256
bd234987fc3dd6936d34fa5e835b039fd8a9194619d357017c0cfcc431c43081

SHA512
f5be1e2eaf896213927a59dbc315e369cf07089edfd7f89fb34e0a369ada332aa7ebc1fe3f5e464700bacaaa60ee2c51988b907695a54454b656920e5010f734

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\madbasic_.bpl
Filesize
205KB

MD5
0470b3205faf06b0b807629c7462ea90

SHA1
b0b309ba97caca555c1c1edf90b7c777d0ee4deb

SHA256
50e8481906f27e92bb80f4b7139f90949b960b1b2898dd0f6875147f44d8ad20

SHA512
7aa09d6eca8fa7add3c9b81ba6196d3e2665ab93dffda3ac26a24e3b3745d8d1afb340ac41822979845701ed54459637ab2206c5597a2413a2af1d37f7c62f32

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\maddisAsm_.bpl
Filesize
58KB

MD5
61d323161f2cbc187e6a36a12a0734fa

SHA1
6f3b54a3860ed8cf5746516c86c4c75fcfc1e0ae

SHA256
fbb9b4f1944b82701c7c06971a24cfed09d6e7f4a0f1684eba49800e3396fe3a

SHA512
0f1f8e8fef47791e0e6a62b2b91aec7d014c98b0b576940d99a4a7f714747120927b96cc70fb7b25cfd43276db059b1a9e4b73b0d51c29b63eb8a40ee2afb63b

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\madexcept_.bpl
Filesize
431KB

MD5
8be2193312995c8a442e71dab101c021

SHA1
6cc4722f740724b62b29082c8d17ee7dcf5491a8

SHA256
774afb7dfb8bd192838890b1b522b3f05b3762d6db3f412df7a4f51ee6eb052b

SHA512
9900d52a06bfeb93970e15667e048e35f50debbf3b03f1d318ef0939877be870d507c98831b7a78b1f6ec69127552d1cba64cb33d1452514a87cf756f056796f

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\rtl120.bpl
Filesize
1.1MB

MD5
83ac415bcad54682d56dfee0066000e2

SHA1
916e00f9cfebe0bc1296d5b9e84b86d80548e800

SHA256
91ade0cbd518fd898f61b53d27f89c4ab64bc3dba22483a4b9b78d5826a333e4

SHA512
ca90a6026cb8265f23d7feb45b5caded216e87d72c4f2cc579e44c29ef7a213efbb54435551c0d1e44fe9979d54cbee91b1150eddb701ce89dec1555ec017703

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\scandata\ScanResult.ini
Filesize
65KB

MD5
e8777d0b57726476a817ad87b7bb1e0e

SHA1
984f0922ed760493392758091855afa0bafd0e62

SHA256
a4ffd2e6a6d8e891702c61f728b71408c78fb0b00b8d48aaa97700a54e81c0ad

SHA512
3b20b58297015be939a928b016bc1ffcffdd695bcdcdc70573d4049055f17bffac48d2a9e7eb9e1bd92984397342f2c6168a9dcdd24360681c116923f7d82e96

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\sqlite3.dll
Filesize
677KB

MD5
b3d2c44cb44f323210dd99c701daf877

SHA1
3dde51bdb4addbfb14162dc51fc84b10335ce0ac

SHA256
19f3bfcbaed4d727209df368909afdde92ef1e12587d3ebf3a2c233eceb93ce2

SHA512
5eae44c8758e664d36179c682abf8c1e3adf4c88013f51e86df08114ac90cd0fde89b838019e19ec73f9b0c35b108c423053ecb2bf36324651865fbef9d6d904

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\update\update.ini
Filesize
22KB

MD5
1ff245f44996dc03da2aa39e893c5749

SHA1
e92b5a489f3a216cb6a24dd5621061dbf96fd3f3

SHA256
f8474dc8f629bb5222cf0ad4a683e21072984a557772fb23f9d190f21e657aa3

SHA512
9ec13593b9bf1f3ff6c474e0f7170bb0f3771d54fd502747ad7cf78f2ba308c977e1caad1d5c661857a40ac759d28ee6526e71ca9aad67de5f065f8c492d3b4e

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\vcl120.bpl
Filesize
1.9MB

MD5
9cef56e9868e96afabb1fcd8758931b8

SHA1
8e99aa4839e6e29a4213ca0309c6ea02a46442f7

SHA256
28fdac79c3e1656e4c60de4b6bc6dca390ef5b86f58d75e1f352bc964a4efdcb

SHA512
b296b74c637d7db8bc82d98e794c8f27afba5e061d06c6bcbbd806eee511dcd2414a7d8505af0b4d71c96dada57126c38f83f13552079fec3c2e4aa1a647074f

Download Submit
C:\Program Files (x86)\IObit\IObit Uninstaller\winid.dat
Filesize
735B

MD5
11924c7529c26a5393cccd584105631a

SHA1
c6ff0791afcb663c9aa2039005c03deb4fdd9488

SHA256
073ae8dc706980e04bc81609fb3eff0a250a6a713be8d26ba28dd4e88633e4be

SHA512
8769f33e9ce6df6060690d951e111652582aadcb28b110131418ea0ba042fb03747b9b65f3865ea7a26e8468a64aa72db97f44819afc61fea9a56ba162c8b2fc

Download Submit
C:\ProgramData\IObit\IObit Uninstaller\IUService.ini
Filesize
56B

MD5
74b7cf8ea7679cc441f4a7475b2a597f

SHA1
c3292401c114bca23c4c37915baade94a9dc537b

SHA256
94c4b11aa0aeba5040a429e0633b418feb81efdf019fb98f8ce3e862a7265af4

SHA512
fc65a8acc2396e5f77e542ac0bb87e5d332e40f12515d05fdc8c71935c831781d0ad6762e807ec5074d9ffbc8c6a981d41e0b5275c00a4a5c1c09b786b376517

Download Submit
C:\ProgramData\IObit\Install.ini
Filesize
91B

MD5
da1fee630861d9a27932d5b7c37d26b8

SHA1
a32fe9c324024b5c9abb307147189b292dbd57be

SHA256
5551116611d2e6cde71f37b832c82657476bcc9c59b10af624e6a2295f77fd58

SHA512
b9466b9b1810af8f98157b0c5be6023a9ca3f2a738073ee4456d9752a041f979584073b65f3b37be4ba8c5387baac4bd172f7dcb50a2dbbac8c332e07e0a4b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
6c14da43f40018044965d1ac9a1f851c

SHA1
fc821b1b1a7cf0d870e63e67fef71a4ad71db118

SHA256
ddbff2ea616f627994b07f10e76cbbcc2cf6035bf5644019edaf6520016347e9

SHA512
ad9f9932107e89b49785fd3f2c205bfed280b48a1ff0d26f68667728c28a1eba077331aa2d5d3ca19397e835c9b0a0669586ae0850482ecbd38cf327de0515ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commu.ini
Filesize
231B

MD5
3f2a5fc26632731969d9bc545260d6d2

SHA1
262e0c02c5cd962ca3d5d7750ca79f8d7570dd86

SHA256
8f7553087d6ddca8e4573b48600836de18376ac368115d62d03fad681b359d2d

SHA512
7eb85faa4553653f226acc54c9a11b4558a1a3249bb5d1b5ed1e62333f0fcf170620a9e395b9997a1ab04f1ffa5d182946dc1bf24cc3b6e1eebe105c22ab602e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempMain.ini
Filesize
38B

MD5
48211137154c1397270afc6f7c5862ee

SHA1
e57513b49d794b1839adf8c6d0fce847b437958e

SHA256
dfacb15bf131f33969f4aa1467cc9499f2c518071eed16ce359ed6467ae14e94

SHA512
d7d04b149d352b15c2616278e15cd08060c4ec675c824f82be7f328b1a487bc232d86f202adcf9b3e7d6895b8f786d20597dcf9a11f023e895f3934f13658121

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hn4lzkrz.0yj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\filectl.dll
Filesize
63KB

MD5
ac33819578af85cefcfd73cbd99821f4

SHA1
1499393c24ee2a50aa92a21fd8d88c86552321d3

SHA256
63ed2a1c8f49336a005428fb59c3304cb69c073d60e497e83e81ad7ef23f9f37

SHA512
4e15a2ccf3f21fb1900ffb956b2a2356ce975a21ff1efea9784f8efc4c34b2308ae86b8d5c8759f177a8b79d116511c758b8df171e6efc2b9479cf64a76dd7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4JO6P.tmp\Setup.exe
Filesize
6.1MB

MD5
b68b4f5b31a3b3caf9151346b720d54a

SHA1
f7deda411c50a18577ef75a499af6bb4da1cb4b5

SHA256
bcb695da8c9a3b3882e8896ccd7d2d5532417a9f247a963053933a69d1de6865

SHA512
5fd8d218b219137d6397e87a9c953de06f6dbf4f80ab14200cfcf4a977c2fddd4dd16007469a6ffc756d6dc9e7c5ef9c388929555fd63256b99b034e0f446182

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-58590.tmp\iobit-uninstaller_13-0-0-13_fr_322480.tmp
Filesize
1.2MB

MD5
7d3f62a9d1a1b6a0ef32a4f4f57f9184

SHA1
0d7a1b42b8bab72f72a590b44b0b73c31bd2bf92

SHA256
552891e5a459be9cfe618eb72f0751a66b1cd134a4fb0f0f9671cdf1c119867a

SHA512
9f8880957b9cf2fbbbf0b7f2fa5a2f836c3855222ad0b0bebf22e2844e2bf958ab1dce2c40e3e5f017215ef713964936090540c8f67766742c76eab55dd7838b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CQG3E.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CQG3E.tmp\iush.exe
Filesize
4.0MB

MD5
c422315f45f5a17d775739a5f6af9404

SHA1
57b2a9009a4b6783e9dba5ff9f85ea6999c03ef3

SHA256
5e564954620535f2c9e070710f72772657520bd206efdd9d51feb6db40593907

SHA512
22cc6fc7d4cd2f66f4652f96f2c6b9d0aeac956a2fc6f2264424fa0b9d75672bf80c99eb7f78d69901017da70e1f726558caa11bb971cd02b909e5d86fb22d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpb.cfg.45406.7263680208.ini
Filesize
6KB

MD5
a91a30a4bac7b92c0415ba6822334704

SHA1
a1d93de76de557c41383c937ec54b555eb6ee541

SHA256
b44b2c4a718d87cbbb0b5199bd5d9d126dda8c34c431b10f2b31d7752700b00d

SHA512
6629054498a57f5f8ce76f24fbf5fcc05531a4b13c1dca99b5a9d97d58aaa5063bb124617c270cd5010c36ceb4e611b898d7a5de33037b37f637008a360b3c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgfpctl.dll
Filesize
524KB

MD5
8e5e15bf48ea6e53cff7bffa4d76ecaf

SHA1
fe44a1c730687c4ac52d7f28c5232df64d629a8c

SHA256
addd846ee0dfca4a2b8ca2b2b5f72294568a8016d67ce5769d108fd6dc9e905a

SHA512
d5b2223d5f9e8d6a0de20e979bd0c78910f9b3810dad1e620cb1d151aebe4c64bce88211693dc6b56c37f4bbafebbe928f32f8ee0d679b87c5008026d723f823

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\IObit Uninstaller\Main.ini
Filesize
197B

MD5
0bd68432121b1789ca4f3de0f20bd171

SHA1
13275f5f50f6a757fd942bf5a226686082893438

SHA256
d11f163d49c3d782a0e9153fccda72cac9c2054cbecdbd32d35f564441f2255a

SHA512
883bc181e31a697393baf39372db608c2eb611d9927568b2fa20d7ccaf79e00a849b48fd242a4ed356f7769f4a71cc92b0a6bd9d9017cb94c0063ec58d71ca5d

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\IObit Uninstaller\Main.ini
Filesize
422B

MD5
9447bb869ddf42e26fdafb9bae40b959

SHA1
17addebb63cbd7b2e7805bd6b357c5b1ed8a868d

SHA256
90912dc98da207df71eccfa521ed168fc2c9a8f62789948d07afa130789fe9d8

SHA512
cba18a5b5a909426172d3696ed0e32fc59060c119b3a8316f85f2b88b51dc2071320cf9284060e85ec3b6feafd3c168b4c703743496a6f90f92ffa97172f88c4

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\IObit Uninstaller\Main.ini
Filesize
72B

MD5
88501ec72956dbe846c304cf908f730c

SHA1
6cdf6b6ba21873be2f7dd5e84b706240ae94c288

SHA256
e1ba2dbd151cba38fb46d0946a185bf70eb45e49397bd164c8583f4cf5338894

SHA512
3c13d2c316b03b5daa881e53363d0c5216ae02092e51ec52ed0e2e17646f1bf2d12a987556a39e4a434593ce4af0e681dbba5f85b773993b6c8d3d27486f682f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Uninstall Programs.lnk
Filesize
1KB

MD5
09dde4602f1307765f09ae20b10c47e1

SHA1
ea658f8fe1ebbee60d152c7d33627cba1f63268e

SHA256
83a4b4eece32a8ff292b440926c91b838acc5af057de6449627fc3b5ba26ea00

SHA512
920ec0166ee6eb3ee2659b7dc56840837d4a34af13f7e1a55a24b2367336b7a4adcebcba9f1057b1f83436b90e119f3f3f85102192f29ddd7345e5595b0565bb

Download Submit
C:\Users\Public\Desktop\IObit Uninstaller.lnk
Filesize
1KB

MD5
cc825d836078adeef0318ef832513d02

SHA1
246e8e0623456b4b03e6120113a8c0eb136fc323

SHA256
ec4a8563a2ec69efef784eeec8556537f76d6255c7c897a6df5c5b224e72bb5e

SHA512
cccc7b4a1ecfa30efd694a6baac9586d923a1f790cd9f5e99c734b6dd0f4908c4f6f90eaced76542878e1d756ff0805d550740521519d1d1b78dd80c3a8aaaf0

Download Submit
memory/844-1261-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/844-1270-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/844-1268-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/844-1265-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1088-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1088-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1088-2-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-86-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/1132-84-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/1132-77-0x00000000041E0000-0x000000000426A000-memory.dmp

Filesize
552KB

Download
memory/1132-69-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/1504-1100-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1504-1102-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1504-1105-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/1504-1106-0x0000000061C00000-0x0000000061C9C000-memory.dmp

Filesize
624KB

Download
memory/1504-1104-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1504-535-0x0000000003D50000-0x0000000003D51000-memory.dmp

Filesize
4KB

Download
memory/1504-536-0x0000000003E10000-0x0000000003E11000-memory.dmp

Filesize
4KB

Download
memory/1504-537-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/1504-1101-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1504-539-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/1504-1103-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/1504-534-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/1528-26-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1528-6-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2316-518-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/2316-515-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2316-521-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/2316-520-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2316-519-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2316-507-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2316-517-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2316-513-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2316-516-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2792-395-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2792-456-0x0000000008FB0000-0x00000000090B3000-memory.dmp

Filesize
1.0MB

Download
memory/2792-400-0x0000000004200000-0x00000000043D7000-memory.dmp

Filesize
1.8MB

Download
memory/2792-403-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/2792-439-0x0000000008FB0000-0x00000000090B3000-memory.dmp

Filesize
1.0MB

Download
memory/2792-450-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/2792-451-0x0000000004200000-0x00000000043D7000-memory.dmp

Filesize
1.8MB

Download
memory/2928-1154-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2928-458-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2928-41-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3108-541-0x00007FFD23320000-0x00007FFD23DE2000-memory.dmp

Filesize
10.8MB

Download
memory/3108-543-0x00000240BAF60000-0x00000240BAF70000-memory.dmp

Filesize
64KB

Download
memory/3108-553-0x00000240D36B0000-0x00000240D36D2000-memory.dmp

Filesize
136KB

Download
memory/3108-635-0x00007FFD23320000-0x00007FFD23DE2000-memory.dmp

Filesize
10.8MB

Download
memory/3108-542-0x00000240BAF60000-0x00000240BAF70000-memory.dmp

Filesize
64KB

Download
memory/3108-611-0x00000240D3730000-0x00000240D373A000-memory.dmp

Filesize
40KB

Download
memory/3700-49-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3700-495-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3700-642-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3700-1153-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3904-1229-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3904-1233-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/3904-1226-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3904-1231-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3904-1225-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/3988-1244-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3988-1246-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/3988-1247-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3988-1241-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/3992-485-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4700-561-0x0000000004C20000-0x0000000004DF7000-memory.dmp

Filesize
1.8MB

Download
memory/4700-557-0x0000000000F90000-0x0000000001018000-memory.dmp

Filesize
544KB

Download
memory/4700-559-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/4700-563-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/4700-571-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/4700-1163-0x00000000045A0000-0x00000000046A3000-memory.dmp

Filesize
1.0MB

Download
memory/4700-558-0x00000000045A0000-0x00000000046A3000-memory.dmp

Filesize
1.0MB

Download
memory/4700-591-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4700-1164-0x0000000061C00000-0x0000000061C9C000-memory.dmp

Filesize
624KB

Download
memory/4700-1162-0x0000000000F90000-0x0000000001018000-memory.dmp

Filesize
544KB

Download
memory/4700-1161-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/4700-1160-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/4700-1158-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/4700-1157-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/4700-1156-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/4700-1155-0x0000000000400000-0x0000000000A08000-memory.dmp

Filesize
6.0MB

Download
memory/4728-1090-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/4728-1092-0x0000000061C00000-0x0000000061C9C000-memory.dmp

Filesize
624KB

Download
memory/4728-512-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/4728-497-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4728-1091-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/4728-1088-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/4728-560-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4728-610-0x0000000004050000-0x0000000004051000-memory.dmp

Filesize
4KB

Download
memory/4728-643-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/4728-1086-0x0000000000400000-0x0000000000758000-memory.dmp

Filesize
3.3MB

Download
memory/4728-1085-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/4728-1089-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/4944-394-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/4944-40-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/4944-32-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4944-33-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/4944-31-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/4944-1115-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download
memory/4944-30-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/4944-1221-0x0000000004430000-0x0000000004440000-memory.dmp

Filesize
64KB

Download
memory/4944-422-0x0000000000400000-0x0000000000A6E000-memory.dmp

Filesize
6.4MB

Download
memory/5112-428-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/5112-427-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/5112-1117-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/5112-1116-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5112-1118-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/5112-1119-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/5112-1121-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/5112-423-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/5664-1141-0x0000000000B80000-0x0000000000F00000-memory.dmp

Filesize
3.5MB

Download
memory/5664-1122-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/5664-1132-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/5812-1148-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/5812-1144-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/5812-1143-0x00000000041E0000-0x00000000043B7000-memory.dmp

Filesize
1.8MB

Download
memory/5812-1142-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/5812-1146-0x0000000000400000-0x000000000084F000-memory.dmp

Filesize
4.3MB

Download
memory/5812-1147-0x00000000041E0000-0x00000000043B7000-memory.dmp

Filesize
1.8MB

Download
memory/5812-1202-0x00000000041E0000-0x00000000043B7000-memory.dmp

Filesize
1.8MB

Download