Malware Analysis Report

2024-09-23 13:15

Sample ID 240612-2dx93ashnh
Target Movavi_Screen_Recorder_22.3.0.exe
SHA256 88db32782a4c86724464594b9d184ec8db07d707a2b5d4f0a5792b797f0a3d3a
Tags
discovery persistence bootkit evasion trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

88db32782a4c86724464594b9d184ec8db07d707a2b5d4f0a5792b797f0a3d3a

Threat Level: Likely malicious

The file Movavi_Screen_Recorder_22.3.0.exe was found to be: Likely malicious.

What the detonations below actually show: the sample is an Inno Setup installer (setup.tmp unpacked into is-8PNJO.tmp / is-R8T0D.tmp, _isetup\_shfoldr.dll, the /SL5= switch, unins000.exe) that installs into %AppData%\Movavi Screen Recorder, writes a Run value named movavi_srecorder_22.0.0_screenrecorder (the version in the name does not match the 22.3.0 installer), applies a settings.reg silently with regedit /S and opens https://lrepacks.net/ in Internet Explorer. The installer is unsigned. The "Writes to the Master Boot Record" signature rests on a single indicator, ScreenRecorder.exe opening \??\PhysicalDrive0 for modification; the "Modifies Internet Explorer settings" rows are all written by iexplore.exe itself after it was launched.

Malicious Activity Summary

discovery persistence bootkit evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Runs .reg file with regedit

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 22:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
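
The static verdict above rests on the absence of an Authenticode signature. The script below is an added example, not part of this report or of any Movavi tooling: it reads the certificate-table entry of the PE optional header, which is what an "Unsigned PE" check keys on, and builds a constructed header-only PE for its self-test. A non-zero entry only proves a signature blob is attached; validating the chain still needs signtool.exe or Get-AuthenticodeSignature on Windows.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # Attribute Certificate Table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(data: bytes) -> tuple:
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent.

    Walks MZ header -> e_lfanew -> PE signature -> COFF header -> optional
    header and reads data directory entry 4. Unlike the other directories this
    entry is a raw file offset: the signature blob is appended after the
    sections and is not mapped into the image.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    opt = e_lfanew + 4 + 20                  # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dirs_off = opt + 96                  # data directories start here
    elif magic == PE32PLUS_MAGIC:
        dirs_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    return struct.unpack_from("<II", data, entry)


def is_signed(data: bytes) -> bool:
    """True if an Authenticode blob is present (presence only, not verified)."""
    offset, size = security_directory(data)
    return offset != 0 and size != 0


def build_minimal_pe(signed: bool, plus: bool = False) -> bytes:
    """Constructed header-only PE for testing; it has no sections and cannot load."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 240 if plus else 224
    machine = 0x8664 if plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    dirs_off = 112 if plus else 96
    struct.pack_into("<I", opt, dirs_off - 4, 16)                 # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x1000, 0x1A00)                           # fake offset/size
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "signed" if is_signed(fh.read()) else "UNSIGNED")
```

Run it as `python check_sig.py Movavi_Screen_Recorder_22.3.0.exe` on the sample; an official vendor installer should report a certificate table, a repack typically does not, which is the supply-chain signal this report's static1 stage raised.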

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 22:28

Reported

2024-06-12 22:32

Platform

win7-20240419-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\movavi_srecorder_22.0.0_screenrecorder C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000955f18cd2fde94e4d63c169adc2a511e554e27f868e61d94fdf5fc0ebb6b8756000000000e80000000020000200000009889c9e2eed912c5448e9ee09def9bd107c238c390e56d40ba9a268876cba5d720000000ed4bc445aca6f36ebf5d1534752e3ddca220097aad76b67fd6ae9151d2e75f01400000003ebb6fc4be1e98711c66ef6931c90247a04b9bf0cb60f2ae6708e7d962abe0bfcf1f341906ff5285b145c9792860e182450dacd7820015c4ca169ad738ee1485 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3764F8F1-290B-11EF-9A67-52FD63057C4C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e083311d18bdda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A (33 identical rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp (7 identical rows)
PID 3048 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Windows\SysWOW64\regedit.exe (4 identical rows)
PID 3048 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Program Files\Internet Explorer\iexplore.exe (4 identical rows)
PID 624 wrote to memory of 1852 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe

"C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp" /SL5="$40016,49014036,67072,C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe"

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\settings.reg"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://lrepacks.net/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:624 CREDAT:275457 /prefetch:2
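
The WriteProcessMemory and Processes rows above repeat identical entries many times and leave the process lineage implicit. The script below is an added example, not part of the report: it collapses the repeats into counts and prints the parent-to-child tree the rows imply (the rows state only which process wrote into which; reading that as parent to child matches the Processes list above). The embedded rows are a constructed sample copied from those tables, including a few of the verbatim repeats.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: rows copied from the behavioral1 tables above.
WPM_ROWS = r"""
PID 1680 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp
PID 1680 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp
PID 3048 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Windows\SysWOW64\regedit.exe
PID 3048 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Program Files\Internet Explorer\iexplore.exe
PID 624 wrote to memory of 1852 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Parent path is matched lazily so a child path that contains spaces
# ("Program Files (x86)") is still split at the right place.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")


def parse_wpm(rows):
    """Map pid -> image path and count identical parent->child write rows."""
    names, counts = {}, Counter()
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            ppid, cpid = int(m[1]), int(m[2])
            names[ppid], names[cpid] = m[3], m[4]
            counts[(ppid, cpid)] += 1
    return names, counts


def roots(names, counts):
    """Processes that never appear as a write target: the tree roots."""
    return set(names) - {child for _, child in counts}


def render_tree(names, counts):
    """One indented line per process, with the collapsed row count per edge."""
    children = defaultdict(list)
    for (parent, child), n in counts.items():
        children[parent].append((child, n))
    lines = []

    def walk(pid, depth, n):
        suffix = f"  [{n} WriteProcessMemory rows]" if n else ""
        lines.append("  " * depth + f"{pid} {names[pid]}{suffix}")
        for child, cnt in sorted(children[pid]):
            walk(child, depth + 1, cnt)

    for root in sorted(roots(names, counts)):
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    names, counts = parse_wpm(WPM_ROWS)
    print("\n".join(render_tree(names, counts)))
```

The output makes the chain explicit: setup stub (1680) to Inno Setup temp executable (3048), which in turn launches regedit (1800) and Internet Explorer (624), which spawns its 32-bit content process (1852). The same reduction applies unchanged to the behavioral2 rows.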

Network

Country Destination Domain Proto
US 8.8.8.8:53 lrepacks.net udp
US 8.8.8.8:53 lrepacks.net udp
US 8.8.8.8:53 lrepacks.net udp

Files

memory/1680-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1680-2-0x0000000000401000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-8PNJO.tmp\Movavi_Screen_Recorder_22.3.0.tmp

MD5 8ea3790e8293a45e31860d1ed6045e47
SHA1 a65deb86d777b4d2cace52e0668c7df5ef2f20fc
SHA256 4f8179cf32b8ed52acc66f484ba59de50adaf457b94a63f1914b0b8a2cb1072b
SHA512 d68b6859c3f043cad491b680d8a130aa4f338dc6bf4211421be4cdc672e94210c56f9e77638228ecfe2a173d92b833e032f4b21325fcacfcd5636123cc4463dc

memory/3048-8-0x0000000000400000-0x00000000004F7000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-09I9L.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-09I9L.tmp\ISTask.dll

MD5 86a1311d51c00b278cb7f27796ea442e
SHA1 ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256 e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

memory/3048-19-0x0000000000870000-0x0000000000886000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-09I9L.tmp\VclStylesInno.dll

MD5 b0ca93ceb050a2feff0b19e65072bbb5
SHA1 7ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA256 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA512 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

memory/3048-23-0x0000000007280000-0x000000000759A000-memory.dmp

memory/3048-30-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-38-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-84-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-83-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-82-0x0000000007710000-0x0000000007711000-memory.dmp

memory/3048-81-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-80-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-79-0x0000000007700000-0x0000000007701000-memory.dmp

memory/3048-78-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-77-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-76-0x00000000076F0000-0x00000000076F1000-memory.dmp

memory/3048-75-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-74-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-73-0x00000000076E0000-0x00000000076E1000-memory.dmp

memory/3048-71-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-69-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-68-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-67-0x0000000002520000-0x0000000002521000-memory.dmp

memory/3048-66-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-65-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-64-0x0000000002510000-0x0000000002511000-memory.dmp

memory/3048-63-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-62-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-61-0x0000000002500000-0x0000000002501000-memory.dmp

memory/3048-60-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-59-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-58-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/3048-56-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-54-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-53-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-52-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/3048-51-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-50-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-49-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/3048-48-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-47-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-46-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/3048-45-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-44-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-43-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

memory/3048-41-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-40-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

memory/3048-39-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-37-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/3048-36-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-35-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-34-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/3048-33-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-32-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-31-0x00000000008E0000-0x00000000008E1000-memory.dmp

memory/3048-72-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-70-0x0000000002530000-0x0000000002531000-memory.dmp

memory/3048-57-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-55-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/3048-42-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-29-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-28-0x00000000008D0000-0x00000000008D1000-memory.dmp

memory/3048-27-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-26-0x00000000075A0000-0x00000000076E0000-memory.dmp

memory/3048-25-0x00000000008C0000-0x00000000008C1000-memory.dmp

memory/3048-87-0x0000000000400000-0x00000000004F7000-memory.dmp

memory/3048-89-0x0000000000400000-0x00000000004F7000-memory.dmp

memory/3048-88-0x0000000000400000-0x00000000004F7000-memory.dmp

memory/3048-90-0x0000000000400000-0x00000000004F7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\qml\QtQuick\Controls.2\designer\is-1LH21.tmp

MD5 5435f060331a523b9e5db9c9957756aa
SHA1 e0f07b59a0ac83b7cea1716cdae4a59aeafa396b
SHA256 91d7772e4a193e91a093d59451508cdb89448eaffb4febda26789777afbacf3d
SHA512 536e731672c1348222490d39099712c7bbcbf8d0c6be5d0f3517c10feb1b47d7942c18703e18c28f36774546a41f18d61fa8096e022a82947d43b11a2641d187

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\qml\QtQuick\Controls.2\designer\is-8MU45.tmp

MD5 e6dd3db4f8a582e30f07b77e801428f0
SHA1 d207e34278440fc9b47c6480a47fef13870ffff6
SHA256 a3fff66cd7217029792e7fce403cc658b0ea03b2d3a2860f57479c8ea6bc1372
SHA512 f58e27d7f36e05cb1d6277629ee2e3cc239b2ba73a75d1399a048191e4443dbb1360922b2cc0d36c3a19b04fcdb64f5dbbd0a838736dca658b9caf856031c5ea

memory/3048-2346-0x0000000000400000-0x00000000004F7000-memory.dmp

\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe

MD5 4ac0f839de8c1137052ceea335b29a13
SHA1 5c3d335b37066b266197681070eb3ad9664ae4d5
SHA256 81b8d7366cde2242b87e8fad9a391f94cd3b820e73c639a8e28b452cb51f381f
SHA512 ae478ec53d563e50e53754513ad084dc7845d0c651505394cac53b77166ae83b69e381564ae339c44f133d0bfe67df44b9b5819d38df6c3360f6437cbf0f49eb

\Users\Admin\AppData\Roaming\Movavi Screen Recorder\unins000.exe

MD5 e596d1e56353965502b108bb386d3dfb
SHA1 21e414e0a20327b460b6348bb51b1e5bfb564c01
SHA256 43ed1e68c2c5f388fb9d177261bfec213dd4dff09f3fe89433ab9aa89ab8319d
SHA512 8a4cae6840a0621473667dc2ca9dbbdf838af52b091933e3f47f6cb10e1a54e60eec8149d4c0768747d91a226c23ea5d83a8520e02e4dd2358a24bc926235410

memory/3048-3062-0x0000000000400000-0x00000000004F7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~DFB3F6A3BC29EFD1FC.TMP

MD5 d27b1c4bdd795b0fec632fe0b731697e
SHA1 a697bd45e3b4772ae528eebd264a420bf78385f9
SHA256 55f83c04bb22b8e8d029dd53dad5070a8412cc9ac0aaf2c56bce17550dd6a43d
SHA512 55e8d3696b1cc527b53a4d997035529d6936fc8f68527b950d5b30071b97a4993060514fc64e361eadfc5d489416594169bcb555a27894fb6eb264e10f7b7624

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 22:28

Reported

2024-06-12 22:30

Platform

win10v2004-20240508-en

Max time kernel

108s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A (4 identical rows)
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A (60 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\movavi_srecorder_22.0.0_screenrecorder C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\install16476.log C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{675F31BB-1792-A42D-BCC3-B9E056BC} C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{675F31BB-1792-A42D-BCC3-B9E056BC}\ProdID = 70be1e9288470894f80f1dd4381dfbdf68a60936 C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96DE6504-479E-8A28-66EB-F84B192A}\ProdID = 98ea7e9b68a80894f8efdcd6b8d4fadf90d2693f C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{675F31BB-1792-A42D-BCC3-B9E056BC}\ProdID = 70419f6d242f032ffeefb2eed2e296f7c8e5c9cb C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{399B4B05-83E5-4C71-ADD2-38BB979D8A44} C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E03032F-C175-6758-DC24-B3EF8202}\ProdID = 18adaeb22c97f64a662c7924aa65431148d1068f C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96DE6504-479E-8A28-66EB-F84B192A} C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{96DE6504-479E-8A28-66EB-F84B192A}\ProdID = 20f58064a4f6f64be6cfda97b68cc69f5c5faee0 C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3558294865-3673844354-2255444939-1000\{803B5B8D-5CC6-443D-A1EB-5D978C8CBAF8} C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E03032F-C175-6758-DC24-B3EF8202} C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAF37763-0C5C-644C-8298-FB4F17DC} C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FAF37763-0C5C-644C-8298-FB4F17DC}\ProdID = 18ebdc6be8b7066b80af7d47e46d845f9c8aec28 C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\RouterApplication.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp
PID 3988 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp
PID 3988 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp
PID 512 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Windows\SysWOW64\regedit.exe
PID 512 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Windows\SysWOW64\regedit.exe
PID 512 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Windows\SysWOW64\regedit.exe
PID 512 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe
PID 512 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe
PID 512 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe
PID 512 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 512 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 2592 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1588 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe

"C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe"

C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp" /SL5="$90056,49014036,67072,C:\Users\Admin\AppData\Local\Temp\Movavi_Screen_Recorder_22.3.0.exe"

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\settings.reg"

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe

"C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lrepacks.net/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8af7146f8,0x7ff8af714708,0x7ff8af714718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11776171734931722946,892720270346238404,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11776171734931722946,892720270346238404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11776171734931722946,892720270346238404,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11776171734931722946,892720270346238404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11776171734931722946,892720270346238404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\RouterApplication.exe

"C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\RouterApplication.exe"

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\RouterApplication.exe

"C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\RouterApplication.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4fc 0x51c

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic path win32_VideoController get description

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic path win32_VideoController get description

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11776171734931722946,892720270346238404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11776171734931722946,892720270346238404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 lrepacks.net udp
US 8.8.8.8:53 activations.movavi.com udp
US 8.8.8.8:53 mip2.movavi.com udp
N/A 127.0.0.1:60211 tcp
N/A 127.0.0.1:60213 tcp
N/A 127.0.0.1:60217 tcp
N/A 127.0.0.1:60219 tcp
N/A 127.0.0.1:11833 tcp
N/A 127.0.0.1:60222 tcp
N/A 127.0.0.1:60224 tcp
N/A 127.0.0.1:60226 tcp
N/A 127.0.0.1:60228 tcp
N/A 127.0.0.1:60230 tcp
N/A 127.0.0.1:11844 tcp
N/A 127.0.0.1:60233 tcp
N/A 127.0.0.1:60235 tcp
N/A 127.0.0.1:60237 tcp
N/A 127.0.0.1:60239 tcp
N/A 127.0.0.1:60241 tcp
N/A 127.0.0.1:60243 tcp
N/A 127.0.0.1:60245 tcp
N/A 127.0.0.1:60247 tcp
N/A 127.0.0.1:60249 tcp
N/A 127.0.0.1:60251 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:60253 tcp
N/A 127.0.0.1:60255 tcp
N/A 127.0.0.1:60257 tcp
N/A 127.0.0.1:60259 tcp
N/A 127.0.0.1:60261 tcp
N/A 127.0.0.1:60263 tcp
N/A 127.0.0.1:60265 tcp
N/A 127.0.0.1:60267 tcp
N/A 127.0.0.1:60269 tcp
N/A 127.0.0.1:60271 tcp
N/A 127.0.0.1:60273 tcp
N/A 127.0.0.1:11844 tcp

Files

memory/3988-2-0x0000000000401000-0x000000000040B000-memory.dmp

memory/3988-0-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R8T0D.tmp\Movavi_Screen_Recorder_22.3.0.tmp

MD5 8ea3790e8293a45e31860d1ed6045e47
SHA1 a65deb86d777b4d2cace52e0668c7df5ef2f20fc
SHA256 4f8179cf32b8ed52acc66f484ba59de50adaf457b94a63f1914b0b8a2cb1072b
SHA512 d68b6859c3f043cad491b680d8a130aa4f338dc6bf4211421be4cdc672e94210c56f9e77638228ecfe2a173d92b833e032f4b21325fcacfcd5636123cc4463dc

memory/512-6-0x0000000000400000-0x00000000004F7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7VPBJ.tmp\ISTask.dll

MD5 86a1311d51c00b278cb7f27796ea442e
SHA1 ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256 e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

memory/512-17-0x00000000073B0000-0x00000000073C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7VPBJ.tmp\VclStylesInno.dll

MD5 b0ca93ceb050a2feff0b19e65072bbb5
SHA1 7ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA256 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA512 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\qml\QtQuick\Controls.2\designer\is-BNJO3.tmp

MD5 5435f060331a523b9e5db9c9957756aa
SHA1 e0f07b59a0ac83b7cea1716cdae4a59aeafa396b
SHA256 91d7772e4a193e91a093d59451508cdb89448eaffb4febda26789777afbacf3d
SHA512 536e731672c1348222490d39099712c7bbcbf8d0c6be5d0f3517c10feb1b47d7942c18703e18c28f36774546a41f18d61fa8096e022a82947d43b11a2641d187

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\qml\QtQuick\Controls.2\designer\is-BOORC.tmp

MD5 e6dd3db4f8a582e30f07b77e801428f0
SHA1 d207e34278440fc9b47c6480a47fef13870ffff6
SHA256 a3fff66cd7217029792e7fce403cc658b0ea03b2d3a2860f57479c8ea6bc1372
SHA512 f58e27d7f36e05cb1d6277629ee2e3cc239b2ba73a75d1399a048191e4443dbb1360922b2cc0d36c3a19b04fcdb64f5dbbd0a838736dca658b9caf856031c5ea

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\ScreenRecorder.exe

MD5 4ac0f839de8c1137052ceea335b29a13
SHA1 5c3d335b37066b266197681070eb3ad9664ae4d5
SHA256 81b8d7366cde2242b87e8fad9a391f94cd3b820e73c639a8e28b452cb51f381f
SHA512 ae478ec53d563e50e53754513ad084dc7845d0c651505394cac53b77166ae83b69e381564ae339c44f133d0bfe67df44b9b5819d38df6c3360f6437cbf0f49eb

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCModuleRunner.dll

MD5 d2a2a9db65e90d7bc4d52e328ece07ea
SHA1 a69e55619281a5951f2b53896667d8544c9cf31e
SHA256 43d11ecf1a77077f8bbc61ffb21c5659b093b8f3a36729e34922297abc7ba7d1
SHA512 793d2f8054a0f501db427afe9f03c41e04257f83c2b0a71a852a597b30567dc18a28418941996c5267709612db79668459c1c6f9088fc5483fa25706901aa90d

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCTracking.dll

MD5 9d0ff5da26493a8605f3b7e55a7fdaab
SHA1 ed67b3744c1a8f954a7513bf843f59749b99233c
SHA256 f4c8c23a5588783d20ba3aa193527c04c85b8b394a6346f59af7bb3a93effff8
SHA512 4d38926dce6d43147c43e3b794502780c1149c4cce5257c35eeeab288b2897c0219287b1bbe4c36b4f0264588fb714455a4b82dcb13e184359c8b9d460807288

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCUiStyle.dll

MD5 678f1159fd0c4ff5ea61061e872d8242
SHA1 5d4e29fd68f41ab3337e8931f3aa15beca3527cc
SHA256 a8fd54dbaefc3fc2f2efb31704774298fec490f1ff28333f54a15649c0481746
SHA512 8179112c650a46ad1bd5774e8ce3e25270f9605198f9b0ff2b99e321b6830048be0ca47a7d9135a990471bcd25e2dcf190634a40dfa48cf7a39d38325f825938

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\CoreTimeQt.dll

MD5 699e3607b532f015d90632ec85182346
SHA1 8325c8070bcfab1f3335152f6fdae13ab3122177
SHA256 8d62e23f53fd921549074eacbbffbd51c6a25ee18ba84c2d57ece5468605c4c8
SHA512 018d71406e0edadc9f6b32077951c195a1914bdd2e6ccfed248188ac98805c1383d9f11c8a7f8818c78b1abc582d72cdd20f9c7249895a9c51d125168ce47540

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCUtilApp.dll

MD5 dd14c29a4938a63b631e206e42a61790
SHA1 ea6b9b76d55b8b43c5fa9608106cfd93998595ef
SHA256 e70996fb9b28d4a2fa710bb24e0d391201fc3bdbfbc8ee77be8d572dd93acafa
SHA512 5706e0b080c877cc121fd72159585edfc525fe93a5a54dc7245222a9259d81b2aa2d4b958c316dce538e492bc04fe84d3d3d1bb0dfbd028870328bcae1af8aac

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCProject.dll

MD5 6d4edef01fcaed5f87788d9870aceb9c
SHA1 f0721c945d24dc25f8e67915daaba432f4b1eff7
SHA256 588b0325ebf2b9e94252b2e1961a9cbee42ecc3acb505b041ae64ad426ae452a
SHA512 d04f2999c4776cd73bf59a5b80f69a053c8a01ced04d7a4205d495390f89d6662f3f88cbb0d88d25b0f4f7df4db5b63ce5b951314170b0e6de8b9a676f19430d

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCDurationLimiter.dll

MD5 5bd305e90781d2341ee107bd526e57f8
SHA1 a82c8b48085fa610bce3d15fca9f9afc17b60c36
SHA256 4120832ace5849f0a1b12d3f22ace61ab5c5fb2bda6c26cad7de0bbc1f955b9d
SHA512 33f104e700e1a7ac46a43f8adcde22cf717fb5d2b8c6ca45aa0a76117a39f0356da4368c451ac2210442e14be32cc22a24d47f96110bf3992e53215719bd2ac4

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCScheduler.dll

MD5 62149e6a6ab6988c8d6d62691b3da2cc
SHA1 f88f7b4c190040e830f9c30b5cfb2a13ac0521d8
SHA256 90c5fa1ee4e05d0cae00e5fabe344f1517632ebe31e9ee415169a22c61f9bcfe
SHA512 1bdfe2f88552a8e2a590201a69223bac8109079cd657ddda0d30e6e64beadd9dfa1160411e4cdbbfcddf28c84619072b69fa3c200f49f38b51f8c19b1a1c9a64

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1 df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\Tracker.dll

MD5 4f67bf1b3dff6bf28936d29761ab64d9
SHA1 ae4248c09b0cb33550e5982e2617d8c4096ab740
SHA256 374f96618315f41f5374a5b891e9ea8241e3a4f8ed0c43a079805f6a160db759
SHA512 5da29fec040973293b12f84576cc52c7d0470b2bebc1c9071d64be1793a08c20ee3aa164e91eab69aec37b44264da1c30036f264f25d639ff9a1e65ec7224372

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCSettingsController.dll

MD5 3b896dcbab16ee7bbc797415bf351325
SHA1 56bcba68d34fa6907e2379e950cb62431cb54bb9
SHA256 e8aea698d6ad7e7aa8c70e52d528d69ee7b2b0cf1f1d80423bbe3aa573f9bf30
SHA512 a1dc5b824caac2a8877b0d27f9a06bc7ffec1f6c8449e647b8b32d94f83cd8cc30664294bfda0dc595ad99497865ff6bfeb84db40a1c4ae45840e867874ddb47

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCServiceAreaSelector.dll

MD5 fb2c6e36548b4ee6ed3b23e763c749f6
SHA1 0928f295454c5e8f339a05ab8147f6cad84d4c4b
SHA256 3ddb93ffe9e7500e81be3d4713c9857e611e42445f053a41391eed54c1f723dd
SHA512 7941292a88b9983d6931a8ff062a4b24238be0b709b882a4c1dcf3ccaa833b6272d1ffa400140192ec4b4859c3359d2e79e47eaf1d0012654629c2bc469c0f88

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCServiceScreenPainting.dll

MD5 277905f58bbfe74414ebfbaeee56388b
SHA1 a754df95f51b15075d4fd9ba8ef41b35d862318e
SHA256 eb33907c8ce8dd5ad74e33bf341313bf6a7f75449c54f399c870e54df43c9a26
SHA512 010a73b02096d7da7f113278a58598d1539f9b530a42eabad78b524dd031b84b8bbf1de98eab69c37005d9d9983886cdb9281e5a7f7b92de01ea3b075f9c63f4

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCServiceSocialRegistrator.dll

MD5 444432956c6fe0557eaa9c67a7ed0357
SHA1 1f6090a21ca0db7e9e420aeac097bd1efe1fbe15
SHA256 c2dc00e13d65f07446cad10dd8bf9a766b80c2a082e411d0c7ef41f863e27c9c
SHA512 24bd17c12260ca245584290fbbda2ad95754babff22a48327a850a6867e33ea80fb2dffc2ca66a87e2315f6f8d18e74587a637cfce0d719b7dc95453e78a3d50

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCServiceDesktopCanvas.dll

MD5 2946ee2639e4d7cafa2dd6adabe52da2
SHA1 2b73c9bb862b31d286d88ca7391a15ee9e15249b
SHA256 b69fb1c56d3b497895930882ab14c6863219e169f57990295e331b9dd5d0b06a
SHA512 0d786caee5d242bebff612d4eb200b78200cf1483b45e3ccd39764f5761050471d59125d9cb836a11b3d35976091755a221bd9290933f68f87faedb55ab119ce

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCModuleEditing.dll

MD5 0b9aba4f50d667aaf8d4333cf22b2bef
SHA1 f5b9063a71c2f518d6c1517d3dfac45d0bb88d04
SHA256 bf5c8d10f17d324f6ef27a6f7345e34751af5096e6cf005fd21b6b15d479d34a
SHA512 0eb0b5b3d6a8aa395fd6b6435c9eb05c12291aac32b55978456a904fd73221f705e2a7fde95e413a41858a077f848abc5335ea4e95acd49db861903fa6fa716c

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCModuleCapturing.dll

MD5 b06ea6a918a32c0e291cbe1df800940a
SHA1 2845fc806737879eca271f41db53e80de4f263f6
SHA256 68a138617a3f6d484c56a68fc165fff9fdc39d2ca59f224a9246eb575b922292
SHA512 2d87392c960f3f9fd88f73aaab489eef7514ef41a850532136806f708d075b35a08b96745242db9b125fca1100e334810cb8084c10939e0573738f961bc01d1c

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCModuleAudioCapturing.dll

MD5 d8710ec73f1e294bc53b44d61517c8c6
SHA1 244ed81a1246b3d42f1540b1afa55b6b23e535b8
SHA256 2fc47d2380614b77388c2e55d35bf31748f08c8aad822f0ee56529f81c98ccc2
SHA512 280272b87dcc29404897ae4fa3ad617770d6f9c8f161471c0b8d7a293a0355d3acb99fb2aa41b33ae2f015a86fc0b8fd452d5742055449e5a66178db3fa2087b

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCModuleLauncher.dll

MD5 97be0952f7824453af306b151f985745
SHA1 f2323e6cf8beb1c26569caa5a272829abb8e0117
SHA256 40d9a45f275f0ee38b3d3eb34352d2d6aa431f60794816b391a9b9d22c0c6574
SHA512 5eb5f6d3cf01b5f1f7eb5618cf1c8dbe9a8f493ccc3cea24bdf0517c0aeb732fb0f3a85059b709a95de743dee0114c0dcbfced22a35334f7e5361d7733486b9f

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCModuleWebCameraCapturing.dll

MD5 0bfb7885236900442f6ace0283d90d89
SHA1 5bf245ce3ecd79c4aedb294a8af4ac61bbd2c86b
SHA256 aeb1433182e5ed706aafc1b819b197540e2985ad071b52a9392d89d3ffe83976
SHA512 3ceb03a57810c39e5999abb1cef60a43260d3e635217b4d889399c1a38953e1dfd1a814e7efa131601bb2fbc04274e636f1cd8604395269eed0f0c99ff01a955

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCModuleScreenshoting.dll

MD5 f0decf1c04840f09d16952d681412b78
SHA1 d0716073ab00795fbe0de06da91f0a502b19799a
SHA256 4fa57d187c018e28aba693ac65c07cb4fa3e7a8a7dd646f425f6aabcd08e0754
SHA512 e1bd86c9753bb01eaf817b35b6a531e4c2b86503a77a3899e452da317bb951b7f08d5e381997143930b2ef0e1bf4ee086a45c5f335ced7f250aad48ef56722c1

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCModuleCommon.dll

MD5 9f8634d0fda17ca342e2f0693699b3aa
SHA1 c752add1dac3ca70b27f27bf27d9fab56e9e5169
SHA256 25e51b089c9482c65a247a7a4ece2fdd65d08d3a29fad219eb84d4c9264ee8ac
SHA512 2361de0f3b0b403eeb7b022e8d0711caecc043c5aae0b97baa69f366ace622101d5290e6f2f4f8001ea0803b8ef57a6afd85f29787b4c360d9e0647fa72c3823

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCProjectStreams.dll

MD5 2bc1c65c6f41b6751e5e2b36c69e17a1
SHA1 1d51f745bd43ba780da020195dd74bff3d18e7be
SHA256 900c02408fa116049c6856ea5aa7651d32b5c5dd83ca094064ed4a0f09ecedc3
SHA512 9abdebc5e8e2c91e7fb946a101e80c66cc8674b42b97c73bc2f568713aea7c013b834402f999d4ee39908927ab4a8332a625c02f9d22bebab690f2f5d91d76e9

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\SCUtilCodecPolicyHelper.dll

MD5 d7b3209c1656bde51ca671584f4d9e4b
SHA1 30bcb42dc49a14d6548de2aeb797d33c26ce4fa6
SHA256 d735deafc0d6802ce9e993d03033d808e60405ab88474d5fbba650ea9ff6050c
SHA512 7171f2af61c9767074edca0520628fa3fb9b742a639d998b504bea177aaf66ea5b9a1bdeacb2f43d397a4b225eea39bcbfd8dfd38741d02800b42f93acb66ef5

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\PatentActivator.dll

MD5 c6b1ff7de514dedc67646d1dbf3c5e5d
SHA1 634cc5a6b8d2b1e287d755a89ac1320fe2d3aef7
SHA256 0bbc9c93e2538d65531047760b80c8915f473daad5f690918e6a2fe52d13e874
SHA512 e9abf8b01cbfc39be679b129b8b72b804e0ce19d7c59ae29cc0001f7d17c585596e9e4e0199ce4390b236996a528aade3e41efc3252485cf8bdf56020e1025b1

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\glog.dll

MD5 c4cc4cbd16206fb490b813c1ee8f1b70
SHA1 a6893ea08bcd5dd3f6989f337ce2d7f4d05d6874
SHA256 0e5853e08490107f954eee7712c240c31bd92de56749eab8f020ed844415f69d
SHA512 365bdf134224e25f7cd60340b79b4125fe3696622a52f6a7a72dd87b0fb5c351bca7e44b85251a161dc48aa8d62108d6fb9ce3f002c960dca63f3305244f96fb

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\CrashSenderWrapper.dll

MD5 df73aa893523d3397bfc61ebb9618405
SHA1 c2c067c10d7b8e0e09560531f9739eeda763671c
SHA256 8ea78add3881c6544f6ba6d7dfa5ea78df2f4dd1bf55ba682a01f7bfdd048943
SHA512 7c20aed0acf092d904d17d799ae3025a4ecabdfe2c05f3f632db75bee0cdaeb586fc80254f01c049c31db839348e32582e918ea3c8d10d12a10ffdaa1aca3535

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\CoreTracker.dll

MD5 431a5be360eae19203f841d3fb25d141
SHA1 c08c71ad29faf620a1d821cc90ab3212fc407021
SHA256 48c0f1bd25ef653bf03f2880b198403c0fccb9781d130273755270883dcfe404
SHA512 9cf2aa0c11852cdce6a80c165731dff0fcac4c92fa72dec01880dc2be022323ed23af4a19e1145a9d19f61a2eed3bad326c0c2aafbc67fa03cee4f4703f47ea9

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\FileStorageFactory.dll

MD5 14ea28d763a09567739877bef775a3b9
SHA1 96d4a10b4191e21ea2febe61469ebda57fa87626
SHA256 07c8a477596b1159ed0a1ceb03685e800cbffef752bb991b19d43b88a0d991de
SHA512 dcc8a4c4af9a6a25e6d0fefb0bfba68069cddf585937e6ca86470f8a74dec36d4fa14bf178e16737184f41c5abec43bafd6fe21e30b629109e36e2c84124d28b

C:\Users\Admin\AppData\Roaming\Movavi Screen Recorder\FndCrashHandler.dll

MD5 8577f08d6461172e2dd4c923b16ce0f4
SHA1 05c7803fb1912d998a3444b65ad468f795187bc2
SHA256 81c83b6ea655c8cb80305dd1e197230e899464e6a91611eb1bfa9f7ac912cb2f
SHA512 2f4e4e6551ae5bdd6c93b1d958ae3707b1442361be01757447384cb982b7ff95f6e4cca9ea4b4929a306814d11fc4cff95a94b2bea17636cee1f94f377423289

memory/512-3163-0x0000000000400000-0x00000000004F7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3fd97b4fee78835aca539a89ab360d0e
SHA1 a9e1ef6b4eb08042114367e78b5666369bd1054d
SHA256 69182893085518459344689308f346411881df352436f656acf7140b960bae7c
SHA512 9c8c8128d57d3b1e5950913733c39b1d4fe74750977f9b0f5215ffc50dd8bb14b270c8a9d8075e28729c1dc84a59540bfc312c8fd36f8d16752dc4c302eda2cc

memory/4692-3170-0x0000000004EE0000-0x000000000552D000-memory.dmp

memory/4692-3181-0x00000000676B0000-0x00000000676E9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e4f9b1cce774516106f125b2afb93d2c
SHA1 5b0c02e5f87a54d6783b02961c5eb8243532f4d9
SHA256 8393a66a6dd9593d96db0ec57014ef75b23c531ed49f2dd2e8945eeeca84e5f2
SHA512 a7b32f6e8abbd159b067d9af994b919893a00e830559cf9ee3579f8ccf73b958878e776593cd3dfcd3ee6286b5d556f53f72842156069b80cf03cc938b18858f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bade399f39e9a3c5cd736d1b2ad6b479
SHA1 6c4417cf31c01a086414ce62fcb6fabc9c1a835b
SHA256 da2d884b06bead1aa9399f8a5c67f80e3aa35ab6acd7169aff6d1dea795c63e4
SHA512 742022d3a2145e170f5443d1a490a4e75ba2131b267107de159641364d7d88834f4efce7d9e3f6282099d7d3cf5dc8ebc465ab2c6acc975ce7dadd00f24a446d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/4692-3300-0x0000000004EE0000-0x000000000552D000-memory.dmp