Malware Analysis Report

2025-01-02 14:58

Sample ID 241123-nl7a2szqap
Target Release.7z
SHA256 22f86114e96d76269950437cdfc739f306212e056f3074a7eadca2249a453554
Tags
cerber discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

22f86114e96d76269950437cdfc739f306212e056f3074a7eadca2249a453554

Threat Level: Known bad

The file Release.7z was found to be: Known bad.

Malicious Activity Summary

cerber discovery persistence ransomware

Cerber

Cerber family

Sets service image path in registry

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Enumerates system info in registry

Gathers network information

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-23 11:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 11:30

Reported

2024-11-23 11:32

Platform

win10ltsc2021-20241023-en

Max time kernel

24s

Max time network

61s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader2.exe"

Signatures

Cerber

ransomware cerber

Cerber family

cerber

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IiOInlosxWlLujGQDwL\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\IiOInlosxWlLujGQDwL" C:\Windows\itncw2gf.ljb\kdmapper.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\itncw2gf.ljb C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
File created C:\Windows\itncw2gf.ljb\mac.bat C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
File created C:\Windows\itncw2gf.ljb\AMIFLDRV64.SYS C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
File created C:\Windows\itncw2gf.ljb\dvlwwwdrv64.sys C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
File created C:\Windows\itncw2gf.ljb\randomisershit.sys C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
File created C:\Windows\itncw2gf.ljb\cleaner.bat C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
File created C:\Windows\itncw2gf.ljb\zhjers.exe C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
File created C:\Windows\itncw2gf.ljb\kdmapper.exe C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
File created C:\Windows\itncw2gf.ljb\Volumeid.exe C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\itncw2gf.ljb\kdmapper.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\itncw2gf.ljb\kdmapper.exe
PID 1536 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\itncw2gf.ljb\kdmapper.exe
PID 1536 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 4816 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 5640 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5640 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5640 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 5640 wrote to memory of 5484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 5640 wrote to memory of 5484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1880 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 5956 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5956 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5956 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 5956 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 5956 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 5088 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 5788 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 5788 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 5988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 2416 wrote to memory of 5988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 5684 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5684 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5684 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 5684 wrote to memory of 5668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 5684 wrote to memory of 5668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 5372 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5372 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 5372 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 5372 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 5372 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 3628 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1700 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1700 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 3452 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\itncw2gf.ljb\zhjers.exe
PID 1536 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\loader2.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\loader2.exe

"C:\Users\Admin\AppData\Local\Temp\loader2.exe"

C:\Windows\itncw2gf.ljb\kdmapper.exe

"C:\Windows\itncw2gf.ljb\kdmapper.exe" C:\Windows\itncw2gf.ljb\randomisershit.sys

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SU auto

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /SU auto

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SS "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /SS "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SV "1.0"

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /SV "1.0"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CM "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /CM "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SP "MS-7D22"

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /SP "MS-7D22"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SM "Micro-Star International Co., Ltd."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /SM "Micro-Star International Co., Ltd."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SK "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /SK "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /SF "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /SF "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BM "Micro-Star International Co., Ltd."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /BM "Micro-Star International Co., Ltd."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BP "H510M-A PRO (MS-7D22)"

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /BP "H510M-A PRO (MS-7D22)"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BV "1.0"

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /BV "1.0"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BT "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /BT "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BLC "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /BLC "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /PSN "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /PSN "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /PAT "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /PAT "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /PPN "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /PPN "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /CSK "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CS "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /CS "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CV "1.0"

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /CV "1.0"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CM "Micro-Star International Co., Ltd."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /CM "Micro-Star International Co., Ltd."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CA "To Be Filled By O.E.M."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /CA "To Be Filled By O.E.M."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CO "0000 0000h"

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /CO "0000 0000h"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /CT "03h"

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /CT "03h"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /IV "3.80"

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /IV "3.80"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /IVN "American Megatrends International, LLC."

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /IVN "American Megatrends International, LLC."

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c C:\Windows\itncw2gf.ljb\zhjers.exe /BS "%random%%random%%random%%random%%random%"

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\zhjers.exe /BS "305512521913736241417643"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\itncw2gf.ljb\cleaner.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "Steam.exe" /t /fi "status eq running"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im EpicGamesLauncher.exe /t /fi status eq running

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\HardwareID /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /va /f

C:\Windows\SysWOW64\reg.exe

REG DELETEH KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f

C:\Windows\SysWOW64\reg.exe

REG DELETEH KEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\WinRAR\ArcHistory /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-332004695-2829936588-140372829-1002 /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1282084573-1681065996-3115981261-1001 /f

C:\Windows\SysWOW64\reg.exe

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Electronic Arts\EA Core\Staging\194908\ergc" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Electronic Arts" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Respawn\Apex\Product GUID" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\origin2" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\origin2" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Client Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\Origin Web Helper Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Client Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\Origin Web Helper Service" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCR\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Classes\Applications\Origin.exe" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.Origin" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\WOW6432Node\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\ControlSet001\Services\EasyAntiCheat\Security" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Services\EasyAntiCheat\Security" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Classes\Installer\Dependencies" /v MSICache /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKCU\Software\Microsoft\Direct3D" /v WHQLClass /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\Hardware\Description\System\CentralProcessor\0" /v ProcessorNameString /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\Package\181\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Index\PackageAndPackageRelativeApplicationId\181^App\93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\3^93\ac" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Index\UserAndApplication\4^93\ad" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\180" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\itncw2gf.ljb\mac.bat" "

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\System32\ipconfig.exe" /flushdns

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\181" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic nic where physicaladapter=true get deviceid

C:\Windows\SysWOW64\findstr.exe

findstr [0-9]

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" int ip reset

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Index\PackageFamily\4e\182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d E62605B9072C /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Data\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a80" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic nic where physicaladapter=true get deviceid

C:\Windows\SysWOW64\findstr.exe

findstr [0-9]

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a81" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\3\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\User\4\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180" /f

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^180\1a80" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^181\1a81" /f

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\3^182\1a82" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^180\1a83" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181" /f

C:\Windows\SysWOW64\netsh.exe

netsh interface set interface name="Ethernet" disable

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\PackageUser\Index\UserAndPackage\4^181\1a84" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\kz2LMQg4+pNfXggv65DcWFQ9SiekWR4B4WMWT+pcqbU: 0x00000002" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\4JSyFFDDKUMXDyK2USgAjbiksFnqOb3f8RPZBPSpEfU: 0x00000002" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\Origins\62bDlCzxB/xxIWLkQdDRYcAqhmZhNOMUtjhRkAgTvkQ: 0x00000002" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Package: 0x00000181" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Index: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Flags: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\PackageRelativeApplicationId: "App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Executable: "GameBar.exe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\Entrypoint: "GameBar.App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\StartPage: (NULL!)" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Application\Data\93\_IndexKeys: 50 61 63 6B 61 67 65 5C 31 38 31 5C 39 33 00 50 61 63 6B 61 67 65 41 6E 64 50 61 63 6B 61 67 65 52 65 6C 61 74 69 76 65 41 70 70 6C 69 63 61 74 69 6F 6E 49 64 5C 31 38 31 5E 41 70 70 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\Application: 0x00000093" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\User: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ac\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 33 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 33 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\Application: 0x00000093" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\User: 0x00000004" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\ApplicationUserModelId: "Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\ApplicationUser\Data\ad\_IndexKeys: 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 5C 34 5E 39 33 00 55 73 65 72 41 6E 64 41 70 70 6C 69 63 61 74 69 6F 6E 55 73 65 72 4D 6F 64 65 6C 49 64 5C 34 5E 4D 69 63 72 6F 73 6F 66 74 2E 58 62 6F 78 47 61 6D 65 4F 76 65 72 6C 61 79 5F 38 77 65 6B 79 62 33 64 38 62 62 77 65 21 41 70 70 00 00" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFullName: "Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageFamily: 0x0000004E" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageType: 0x00000008" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Flags: 0x00000000" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\PackageOrigin: 0x00000003" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\Volume: 0x00000001" /f

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Package\Data\180\InstalledLocation: "C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.41.24001.0_neutral_~_8wekyb3d8bbwe"" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp

Files

C:\Windows\itncw2gf.ljb\kdmapper.exe

C:\Windows\itncw2gf.ljb\zhjers.exe

C:\Windows\itncw2gf.ljb\amifldrv64.sys

C:\Windows\itncw2gf.ljb\cleaner.bat

C:\Windows\itncw2gf.ljb\mac.bat