52b87817d75639ae61cd72574dc4e3227822bab454814671b62378d9e63e9332

Analysis

max time kernel
139s
max time network
123s
platform
windows7_x64
resource
win7-en-20211208
submitted
27-01-2022 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

microsoft_access_pat1X-1.exe
Size

2.3MB
MD5

70a436205cfafb875676b19118ebaf05
SHA1

4ce08afd240de07a5bd85a851e9ce52101922269
SHA256

52b87817d75639ae61cd72574dc4e3227822bab454814671b62378d9e63e9332
SHA512

6bdfd819d049a614af58414dbb2813ed712d515a4ffd751e9d8c4c52cba963897d1a121f834ae6cf9591c46dc502ef35752f3347fa0fd8c92fc7df47ecda418f

Score

10^/10

adware microsoft discovery persistence phishing spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

microsoft_access_pat1X-1.tmpsaBSI.exesaBSI.exeinstaller.exeinstaller.exeServiceHost.exeUIHost.exeaccessruntime_4288-1001_x64_en-us.exeupdater.exesetup.exe

pid	process
1668	microsoft_access_pat1X-1.tmp
632	saBSI.exe
1368	saBSI.exe
2088	installer.exe
2296	installer.exe
464
2372	ServiceHost.exe
2956	UIHost.exe
2484	accessruntime_4288-1001_x64_en-us.exe
2984	updater.exe
2868	setup.exe
1240

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

UIHost.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation UIHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation	UIHost.exe

Loads dropped DLL 39 IoCs

Processes:

microsoft_access_pat1X-1.exemicrosoft_access_pat1X-1.tmpsaBSI.exesaBSI.exeinstaller.exeregsvr32.exeregsvr32.exeregsvr32.exeServiceHost.exeregsvr32.exeUIHost.exeregsvr32.exeregsvr32.exeiexplore.exeaccessruntime_4288-1001_x64_en-us.exesetup.exe

pid	process
1508	microsoft_access_pat1X-1.exe
1668	microsoft_access_pat1X-1.tmp
1668	microsoft_access_pat1X-1.tmp
1668	microsoft_access_pat1X-1.tmp
1668	microsoft_access_pat1X-1.tmp
632	saBSI.exe
1368	saBSI.exe
1368	saBSI.exe
1368	saBSI.exe
1368	saBSI.exe
2088	installer.exe
2088	installer.exe
2860	regsvr32.exe
2884	regsvr32.exe
464
2412	regsvr32.exe
2372	ServiceHost.exe
2452	regsvr32.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2956	UIHost.exe
2956	UIHost.exe
2372	ServiceHost.exe
2552	regsvr32.exe
3000	regsvr32.exe
1788	iexplore.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2484	accessruntime_4288-1001_x64_en-us.exe
2868	setup.exe
2868	setup.exe
2868	setup.exe
2868	setup.exe
2868	setup.exe
2868	setup.exe
2868	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176
Detected potential entity reuse from brand microsoft.
phishing microsoft
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 7 IoCs

Processes:

ServiceHost.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	ServiceHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	ServiceHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ServiceHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	ServiceHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	ServiceHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	ServiceHost.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeinstaller.exe

description	ioc	process
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\providers\bing.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-amazon-upsell.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-overlay-ui.css	installer.exe
File created	C:\Program Files\McAfee\Temp2421586416\jslang\wa-res-shared-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2421586416\jslang\wa-res-install-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\Temp2421586416\main_close_large.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-common.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\Temp2421586416\jslang\eula-ja-JP.txt	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\logicmodule.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2421586416\logicscripts.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\mfe_logo.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-cs-CZ.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\wa_install_close.png	installer.exe
File created	C:\Program Files\McAfee\Temp2421586416\wataskmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2421586416\jslang\wa-res-shared-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\telemetryconfig.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\jslang\eula-pt-PT.txt	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\jslang\wa-res-shared-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\Temp2421586416\jslang\wa-res-install-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-atp-upsell-toast.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\eventhandler.luc	installer.exe
File created	C:\Program Files\McAfee\Temp2421586416\jslang\wa-res-shared-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ss-toast-variants.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fr-FR.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\downloadscan.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_install_check2.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\switch_off.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\upsell_toast_handler.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\jslang\wa-res-shared-ko-KR.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\resource.dll	installer.exe
File created	C:\Program Files\McAfee\Temp2421586416\jslang\wa-res-shared-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-de-DE.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\wa-common.css	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\wssdep.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\white_questionmark.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-ko-KR.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\icon_failed.png	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2421586416\jslang\eula-tr-TR.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\protection-timing.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\logger.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\browser_host_launchers_handler.luc	installer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b89a2f5f6313d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exeiexplore.exeregsvr32.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411\ButtonText = "マカフィーウェブアドバイザー"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\CLSID = "{32CFFBE7-8BB7-4BC3-83D8-8197671920D6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\ButtonText = "McAfee WebAdvisor"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804\ButtonText = "迈克菲联网顾问"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\CLSIDExtension = "{29B24532-6CE1-41BA-8BF0-F580EA174AF1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Default Visible = "Yes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412\MenuText = "McAfee 웹어드바이저"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411\ButtonText = "マカフィーウェブアドバイザー"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a9966d6313d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350042005"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\ButtonText = "McAfee WebAdvisor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0804	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\CLSID = "{32CFFBE7-8BB7-4BC3-83D8-8197671920D6}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\MenuText = "McAfee WebAdvisor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\MenuStatusBar = "MStatus bar View SiteReport"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412\MenuText = "McAfee 웹어드바이저"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0412\ButtonText = "McAfee 웹어드바이저"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Lang0411\MenuText = "マカフィーウェブアドバイザー"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f302f7a020b975438ea1f1f995ba978300000000020000000000106600000001000020000000de8b1be494ea0101abb27daacab420d215315267d560b03c977dd34e8ab7daa1000000000e80000000020000200000006bb134c63543109bd44f61f76c1ffea04d1fe8f2b2cbadaab03db226584c63759000000080e7d14b3641a583e8faa632da23b32fab5f14f3095486b9dff46ac19b10381b18ac584a009ca3070c51e90e8e9872119c156db0a2ff324708497be217b702fbec3e8db6109931afba334c3294615238ddc1cbb4146650d93a1f7d646fb8f6791df22bd8df1f95117e86a5ca46c6b245fff7eab06bbf39806e68926b3c7a64168e468a2449d8c9a9444a8b50c21cdced40000000fc7e2494df0d542063be81a2108393a8aa06cd518052e3bea07aa95cc6171eec3c435bae7c8c11756bb299b340cf15b5f4646fae6a3401a4c53f771df8fea511	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage\microsoft.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{48A61126-9A19-4C50-A214-FF08CB94995C}\Icon = "C:\\Program Files\\McAfee\\WebAdvisor\\WebAdvisor.ico"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f302f7a020b975438ea1f1f995ba978300000000020000000000106600000001000020000000bf91f91aad51189abb3b0582cbb2289d6f57ea4b0cda6cf271e42f1b067aadd1000000000e80000000020000200000004f7cf5449c17c8240c118b2be71850611ff535ab2cd9250d598d0e2f43fbf7a920000000c46db0564e88082046cf42bc0657ddf1db4255525ec2763ec514a78cecb77b8c40000000d7ebbb79af19eaaa7fac9b4f56386165cb444fcfaf9f8f5e749dbe65561c412e22838529c0cea90b3d9463da5e86c83f964d8a91b29f3e039e66a41cdf5b9dfb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ServiceHost.exeupdater.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe

Modifies registry class 54 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\IEPlugin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\IEPlugin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\ = "McAfee WebAdvisor Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ = "McAfee WebAdvisor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\ = "McAfee WebAdvisor"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\ = "McAfee WebAdvisor Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\IEPlugin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\DownloadScan.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\IEPlugin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B24532-6CE1-41BA-8BF0-F580EA174AF1}	regsvr32.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

microsoft_access_pat1X-1.tmpsaBSI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	microsoft_access_pat1X-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	microsoft_access_pat1X-1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	microsoft_access_pat1X-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	microsoft_access_pat1X-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	microsoft_access_pat1X-1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	microsoft_access_pat1X-1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	microsoft_access_pat1X-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	microsoft_access_pat1X-1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	saBSI.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

microsoft_access_pat1X-1.tmpsaBSI.exesaBSI.exeServiceHost.exeUIHost.exe

pid	process
1668	microsoft_access_pat1X-1.tmp
1668	microsoft_access_pat1X-1.tmp
1668	microsoft_access_pat1X-1.tmp
1668	microsoft_access_pat1X-1.tmp
632	saBSI.exe
632	saBSI.exe
632	saBSI.exe
632	saBSI.exe
632	saBSI.exe
1368	saBSI.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2956	UIHost.exe
2956	UIHost.exe
2956	UIHost.exe
2956	UIHost.exe
2956	UIHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe
2372	ServiceHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

saBSI.exe

description pid process

Token: SeRestorePrivilege 1368 saBSI.exe
Token: SeBackupPrivilege 1368 saBSI.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

microsoft_access_pat1X-1.tmpiexplore.exeiexplore.exe

pid process

1668 microsoft_access_pat1X-1.tmp
296 iexplore.exe
1788 iexplore.exe
1788 iexplore.exe

description	pid	process
Token: SeRestorePrivilege	1368	saBSI.exe
Token: SeBackupPrivilege	1368	saBSI.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

microsoft_access_pat1X-1.tmpiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1668	microsoft_access_pat1X-1.tmp
296	iexplore.exe
296	iexplore.exe
1788	iexplore.exe
1788	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

microsoft_access_pat1X-1.exemicrosoft_access_pat1X-1.tmpsaBSI.exeiexplore.exeiexplore.exesaBSI.exeinstaller.exeinstaller.exeregsvr32.exe

description	pid	process	target process
PID 1508 wrote to memory of 1668	1508	microsoft_access_pat1X-1.exe	microsoft_access_pat1X-1.tmp
PID 1508 wrote to memory of 1668	1508	microsoft_access_pat1X-1.exe	microsoft_access_pat1X-1.tmp
PID 1508 wrote to memory of 1668	1508	microsoft_access_pat1X-1.exe	microsoft_access_pat1X-1.tmp
PID 1508 wrote to memory of 1668	1508	microsoft_access_pat1X-1.exe	microsoft_access_pat1X-1.tmp
PID 1508 wrote to memory of 1668	1508	microsoft_access_pat1X-1.exe	microsoft_access_pat1X-1.tmp
PID 1508 wrote to memory of 1668	1508	microsoft_access_pat1X-1.exe	microsoft_access_pat1X-1.tmp
PID 1508 wrote to memory of 1668	1508	microsoft_access_pat1X-1.exe	microsoft_access_pat1X-1.tmp
PID 1668 wrote to memory of 632	1668	microsoft_access_pat1X-1.tmp	saBSI.exe
PID 1668 wrote to memory of 632	1668	microsoft_access_pat1X-1.tmp	saBSI.exe
PID 1668 wrote to memory of 632	1668	microsoft_access_pat1X-1.tmp	saBSI.exe
PID 1668 wrote to memory of 632	1668	microsoft_access_pat1X-1.tmp	saBSI.exe
PID 632 wrote to memory of 1368	632	saBSI.exe	saBSI.exe
PID 632 wrote to memory of 1368	632	saBSI.exe	saBSI.exe
PID 632 wrote to memory of 1368	632	saBSI.exe	saBSI.exe
PID 632 wrote to memory of 1368	632	saBSI.exe	saBSI.exe
PID 632 wrote to memory of 1368	632	saBSI.exe	saBSI.exe
PID 632 wrote to memory of 1368	632	saBSI.exe	saBSI.exe
PID 632 wrote to memory of 1368	632	saBSI.exe	saBSI.exe
PID 1668 wrote to memory of 1788	1668	microsoft_access_pat1X-1.tmp	iexplore.exe
PID 1668 wrote to memory of 1788	1668	microsoft_access_pat1X-1.tmp	iexplore.exe
PID 1668 wrote to memory of 1788	1668	microsoft_access_pat1X-1.tmp	iexplore.exe
PID 1668 wrote to memory of 1788	1668	microsoft_access_pat1X-1.tmp	iexplore.exe
PID 1668 wrote to memory of 296	1668	microsoft_access_pat1X-1.tmp	iexplore.exe
PID 1668 wrote to memory of 296	1668	microsoft_access_pat1X-1.tmp	iexplore.exe
PID 1668 wrote to memory of 296	1668	microsoft_access_pat1X-1.tmp	iexplore.exe
PID 1668 wrote to memory of 296	1668	microsoft_access_pat1X-1.tmp	iexplore.exe
PID 296 wrote to memory of 1624	296	iexplore.exe	IEXPLORE.EXE
PID 296 wrote to memory of 1624	296	iexplore.exe	IEXPLORE.EXE
PID 296 wrote to memory of 1624	296	iexplore.exe	IEXPLORE.EXE
PID 296 wrote to memory of 1624	296	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 1616	1788	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 1616	1788	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 1616	1788	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 1616	1788	iexplore.exe	IEXPLORE.EXE
PID 1368 wrote to memory of 2088	1368	saBSI.exe	installer.exe
PID 1368 wrote to memory of 2088	1368	saBSI.exe	installer.exe
PID 1368 wrote to memory of 2088	1368	saBSI.exe	installer.exe
PID 1368 wrote to memory of 2088	1368	saBSI.exe	installer.exe
PID 2088 wrote to memory of 2296	2088	installer.exe	installer.exe
PID 2088 wrote to memory of 2296	2088	installer.exe	installer.exe
PID 2088 wrote to memory of 2296	2088	installer.exe	installer.exe
PID 2296 wrote to memory of 2592	2296	installer.exe	sc.exe
PID 2296 wrote to memory of 2592	2296	installer.exe	sc.exe
PID 2296 wrote to memory of 2592	2296	installer.exe	sc.exe
PID 2296 wrote to memory of 2636	2296	installer.exe	regsvr32.exe
PID 2296 wrote to memory of 2636	2296	installer.exe	regsvr32.exe
PID 2296 wrote to memory of 2636	2296	installer.exe	regsvr32.exe
PID 2296 wrote to memory of 2636	2296	installer.exe	regsvr32.exe
PID 2296 wrote to memory of 2636	2296	installer.exe	regsvr32.exe
PID 2296 wrote to memory of 2672	2296	installer.exe	sc.exe
PID 2296 wrote to memory of 2672	2296	installer.exe	sc.exe
PID 2296 wrote to memory of 2672	2296	installer.exe	sc.exe
PID 2296 wrote to memory of 2744	2296	installer.exe	sc.exe
PID 2296 wrote to memory of 2744	2296	installer.exe	sc.exe
PID 2296 wrote to memory of 2744	2296	installer.exe	sc.exe
PID 2636 wrote to memory of 2860	2636	regsvr32.exe	regsvr32.exe
PID 2636 wrote to memory of 2860	2636	regsvr32.exe	regsvr32.exe
PID 2636 wrote to memory of 2860	2636	regsvr32.exe	regsvr32.exe
PID 2636 wrote to memory of 2860	2636	regsvr32.exe	regsvr32.exe
PID 2636 wrote to memory of 2860	2636	regsvr32.exe	regsvr32.exe
PID 2636 wrote to memory of 2860	2636	regsvr32.exe	regsvr32.exe
PID 2636 wrote to memory of 2860	2636	regsvr32.exe	regsvr32.exe
PID 2296 wrote to memory of 2884	2296	installer.exe	regsvr32.exe
PID 2296 wrote to memory of 2884	2296	installer.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\microsoft_access_pat1X-1.exe
"C:\Users\Admin\AppData\Local\Temp\microsoft_access_pat1X-1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\is-11UB1.tmp\microsoft_access_pat1X-1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-11UB1.tmp\microsoft_access_pat1X-1.tmp" /SL5="$400F2,1567776,780800,C:\Users\Admin\AppData\Local\Temp\microsoft_access_pat1X-1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\is-R0OQF.tmp\prod0_extract\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\is-R0OQF.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632

C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
"C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91088 PaidDistribution=true saBsiVersion=4.1.0.48 /no_self_update
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
"C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2088

C:\Program Files\McAfee\Temp2421586416\installer.exe
"C:\Program Files\McAfee\Temp2421586416\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\system32\sc.exe
sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"
7⤵
PID:2592

C:\Windows\system32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
7⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
8⤵
- Loads dropped DLL
- Modifies registry class
PID:2860

C:\Windows\system32\sc.exe
sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"
7⤵
PID:2672

C:\Windows\system32\sc.exe
sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0
7⤵
PID:2744

C:\Windows\system32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
7⤵
- Loads dropped DLL
- Modifies registry class
PID:2884

C:\Windows\system32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
7⤵
PID:2288

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
8⤵
- Loads dropped DLL
- Modifies registry class
PID:2412

C:\Windows\system32\sc.exe
sc.exe start "McAfee WebAdvisor"
7⤵
PID:2308

C:\Windows\system32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
7⤵
- Loads dropped DLL
- Modifies registry class
PID:2452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.microsoft.com/en-us/download/confirmation.aspx?id=50040
3⤵
- Loads dropped DLL
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7PGKVK8Y\accessruntime_4288-1001_x64_en-us.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7PGKVK8Y\accessruntime_4288-1001_x64_en-us.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484

C:\Users\Admin\AppData\Local\Temp\OWPFE8A.tmp\setup.exe
.\setup.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://microsoft_access.en.downloadastro.com/thank_you/?utm_source=ira&utm_medium=offer&utm_campaign=microsoft_access
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:296

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:296 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\McAfee\WebAdvisor\win32\IEPlugin.dll"
2⤵
PID:2548

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\IEPlugin.dll"
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:2552

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\McAfee\WebAdvisor\x64\IEPlugin.dll"
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:3000

C:\Program Files\McAfee\WebAdvisor\updater.exe
"C:\Program Files\McAfee\WebAdvisor\updater.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
3⤵
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
3⤵
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

New Service

T1050

Browser Extensions

T1176

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\McAfee\Temp2421586416\browserhost.cab
MD5
bddef192bda3d69347ae7c902459cac4

SHA1
053ef39a433cab04a007a2977e2438e0f0d7304b

SHA256
7b1cec84c35648a2d59cd393efb5af37ca4865747a76694aa37fccdcafafacb6

SHA512
1b54dcbd310d006983e771133d702ac98b00bfa2496d8965487c4bd0727801d52182f9204ec0f7aed297995d56db29442bf8db27cc2dc34743487bc244dd5ae1

Download Submit
C:\Program Files\McAfee\Temp2421586416\browserplugin.cab
MD5
87c8842f5be0e5d4032d88721fd89231

SHA1
ef88c10a52a635535e67b740fab3914b7aa514d9

SHA256
707bf1c02ad103e8c213af83ac6e4a2776e1a709512165c86a2c23d7edfee2b1

SHA512
3207a965e4b0aff36df3f88afcc104ec5a40fb7cc830b1b6ebcc513d878030d0bd2f63c2a71d9da86b0cf6f8fbc8ea82259cb5327059130e15e9b24caf7cbb61

Download Submit
C:\Program Files\McAfee\Temp2421586416\downloadscan.cab
MD5
e882de09d6a24c9bdd2d6f8980d668ad

SHA1
7b31eb66279124d40577cc69dc09c691aaad0ff6

SHA256
b01b2f7fb59d3ff8debc2900b0f4912c1a14df7799aca0dca3156109c20232bc

SHA512
df89bd84260e2c10ad580f1abedecf8345e118e60c311403a749395a05df4402ca689ed9a02289df9ca8bfde68f6d2f3278600ee5335734f05790860a4c09f96

Download Submit
C:\Program Files\McAfee\Temp2421586416\eventmanager.cab
MD5
de232c8951891a024b2e488ba5f60fb6

SHA1
298cbcb970f7770691a1b2d09cb9dfeb6c90f6a5

SHA256
f4e32dde66dd0ce7e66687e459289f3bf8df7626b03dc74fcc7e52258277622e

SHA512
8c45d0f569cb3b0cfebfae1b266bdece81111e9334b397b878270d450bd071730d2a1c53337b4c9302e45dafc0d874d7bedc5375e8598004377afd6e92743892

Download Submit
C:\Program Files\McAfee\Temp2421586416\ieplugin.cab
MD5
8f6f1babb8a9c5182ec636596f5d9080

SHA1
e34133add5f8158f0b0bfdd409bdbbcb9cad9d97

SHA256
9cc4a7e3b8a8ca88abb3887e4441d595681ff12173456922564300ac72a82fcb

SHA512
26c3c766c23044a619fca39d894ded1f77be9635e964a356eea55da150ea841b4945466436b55ae1716a2207b77390b2d877429d74773057adc6455bdf7a0326

Download Submit
C:\Program Files\McAfee\Temp2421586416\installer.exe
MD5
15ba2f98dcedf27cab51dbaa05a68e02

SHA1
af6ee2c9471e95f9727853e0a11e70b83c0316b3

SHA256
f42176526212d09295b8852c744d4b9dc83d1a728349a62cc1661a87352a4dd7

SHA512
5221b19503f6b227e6567ee7e4032489febb1ada947bb0cde56abe01b3331276b98dc18ebf2b25830f9c891247d705f5707ab58f6190a101afd6ff274bccbb32

Download Submit
C:\Program Files\McAfee\Temp2421586416\l10n.cab
MD5
ca6474c0282a34344b50762ec3e1240d

SHA1
e6f550e80da4063b2bda28227223a0ddb268c2d6

SHA256
f0d1ba11eb66a0b1c90c167587d1c5094d7006c11d326fc4e9f7886cbde924e1

SHA512
f735f470c4462b8b750319e587fe71233e5064f30aee7d3fe0bcbbb8efab9bb26d9c483477bbb10bf66348462aac000a9edcc3080e10ea18cdf47f7a0a59afc9

Download Submit
C:\Program Files\McAfee\Temp2421586416\logicmodule.cab
MD5
a3e23345a0e3f68164e6470a47bdd377

SHA1
c3c9130890d22721ec25aad47d5cb2924cfdedc1

SHA256
051a1a7f602970d88a5affd2af5ada6e9bf0ce2972862da48648f9afb29f00b3

SHA512
dbeaa38b178552acac1c62e5642ca8b1a5bcbe1273b76552db4d4c798d8bc35f9d779234f33f6e338351fa727a7442f8bb7709b620a069cf8831b76044df8422

Download Submit
C:\Program Files\McAfee\Temp2421586416\logicscripts.cab
MD5
365e2cbe41d5a45a6de44e5edbde6cec

SHA1
96bfb12146579f3975888affa1ea92626cb10f07

SHA256
9788732f311062e3fdbc26072120488614af93f7b0a08a8c4a05c6099af65f52

SHA512
3a69716aefed860221472f7bfddf034de013f5b6c60b69e3cad8b284c89a894f3899f6dedc66c38e1f4f6c1e1e1d9fa19b09d9628f7ec6a5f3c4aea2604247c4

Download Submit
C:\Program Files\McAfee\Temp2421586416\lookupmanager.cab
MD5
5109c4144176ff2b91644a05a6486fcb

SHA1
2ef12a1e36d876ffed48f792fc46ffe043d07248

SHA256
059aaa5b520613cc747d0154bbce0c3c162e38173b9c6ef4cc7a24e23ffdba7b

SHA512
c70f8d6519e42cd5ef307655c4a640fd5b4c13dbc723e6ec5cd25e2f7be497034e0e5c8a397b6da394d4042bb1d76588e02ac8eebcb720ce7239f6e1aa0c70fe

Download Submit
C:\Program Files\McAfee\Temp2421586416\mfw-mwb.cab
MD5
e300dd5264c3e666cefb8598da25f8ed

SHA1
05801046504586861fa7585a7d8c9f9798431500

SHA256
12c319eb82051eb7b7e1ba7451d58408fc0c363f2167264698535fa753006316

SHA512
aa2e2ea81f459cedf582707c6af004dbe4d380f3902925d83a994075ff87f10be8901d2b9b0010e65868b7d9eb6eeff4b38d7987a20a9f98775e24f7101815bd

Download Submit
C:\Program Files\McAfee\Temp2421586416\mfw-nps.cab
MD5
3ddce0d908f6dd1dd9f59298c8f8851e

SHA1
eda3fb1d69718a740e077c03d8d1e7cd03224e64

SHA256
dd21b663dfaa1dfa73bac2506a8f565d3e5d4634f42ffa20bb46f4221cc99a42

SHA512
a5003dae555f67bcae62664fa720aa5bd6768ecdc88e6080a78faae2c3503b72fee407fe9fc47ce501fd78fe6e03c0e3b60b9735eac6795d1ab8a81f7d39af52

Download Submit
C:\Program Files\McAfee\Temp2421586416\mfw-webadvisor.cab
MD5
e4e957108b7be85cd5f121ce5b941ec3

SHA1
65b2926e79b603a5f4dbbb09c74d98e5366ebfab

SHA256
b6140b10390ebc51eba97deaf7178b42c664ea7fb21462b2d55ab33d6fc41aeb

SHA512
ab43ce6b3ba374c80813a726c507244025bf4b40b1b52a9f4ded466aa4c24e4063dfdd0791894a6dd7c6877a8dc9b19da250c15a8ff0200389e80a7d548cd64f

Download Submit
C:\Program Files\McAfee\Temp2421586416\mfw.cab
MD5
a0f6c028d2e90650be853fcf31be934c

SHA1
1e9d889f95e1e53017580032db2bf91b5e0c4bc9

SHA256
95467177c012fa29bb7e91d425c82dc495d3a7140c3b98e1f0332f2e867471d3

SHA512
b3a6ecfbe935586310c1da26c4e5f0bf671fd2654a25b63c17bb54b81a9391663b486ac460999f916c4fa9ddf06fd74a611b88b92885c2885f14cdb1f065b424

Download Submit
C:\Program Files\McAfee\Temp2421586416\resourcedll.cab
MD5
cb83b1d9c15d88acab61df429e4e72c8

SHA1
0f1969eb3aa7941041da64b6f97f50d7c577fcd7

SHA256
9c63b6d9b27d072da4557591e637798de487aa6ebae4915626ca7c97305e1e19

SHA512
196304a4f412a71faae4812873b8a9d4fbbb96d419271f9cd4eb071c5cc0c2f50b73c02e236f389db7ca14e6d527512a90a617f438b323b50391e616d75144f0

Download Submit
C:\Program Files\McAfee\Temp2421586416\servicehost.cab
MD5
dc9a96708ae1f24ebf312b5038e4a143

SHA1
de77e06cdd23684007a5652b1a07c3e16ccec427

SHA256
49a6ba4c386be7a27037d705531fb1ff62670b00ba21ef8022cba1bcbab2d31a

SHA512
29c82a626ee14a1ddc9780f524b26d95a06991ad8d7cb22bf56b085bc5352bdc83f4ebefe37dfdde4a44c994bd158f53ced746d5702083134a3b3f7073211d41

Download Submit
C:\Program Files\McAfee\Temp2421586416\settingmanager.cab
MD5
7fbe75eb8a728a6567f29c9e1831d66e

SHA1
fc78d5ad11581ee979dbf42085640bf601fe8629

SHA256
12f483411762e63a69e15d0d6df36a1eb793422c0180d82ed151a93eb3ab208b

SHA512
58537a21289bc894cbd40b03780fdf30f75b6808343e184e05c0738e8f7534e6440c682e00102606a505c3343f7645f9c8c800b5ee3ba640a285db5730b648c2

Download Submit
C:\Program Files\McAfee\Temp2421586416\taskmanager.cab
MD5
633bbeae5c10a81584b3aa22fd3cd350

SHA1
6c2f549796c831bfc21b7f4495922f2eedac97d0

SHA256
33b1e09408fc4b51d9146e6c35048ed80f0e294a38c94e430e25404cf5769cb2

SHA512
7edf916caab0c03f7ba589d7e7936021500f69faab44eb4983b62c6d4b5783687ab4acf3879a39cccdb60d3c8d13fb61174e55df3d3cb7235168660634349605

Download Submit
C:\Program Files\McAfee\Temp2421586416\telemetry.cab
MD5
9fecaca5461774b0f6bea706e361a0d2

SHA1
b0d619d2fa6bdc6559a8717afb6d9bfcadb1ae29

SHA256
94e3e46bcc07909c02565984b03525efe2d73d502c832e0e75a01fa4d0c70e05

SHA512
ba17af00427c4c7be71b9ef0db16897b496439361fd692bc153c4e739d2c1cf5a8229b432d9a3312910be25998bc83abe9f60bca8c75f62287a4a5d044a82440

Download Submit
C:\Program Files\McAfee\Temp2421586416\uihost.cab
MD5
435efd5b88dbb0d19dba5d9975095032

SHA1
f2efa2ffcf87d119dfe6b8c7fcf92ac1e7cf16c9

SHA256
001944ba6060d70482848aae622afd759775f06f470062fb2835f776420ac0fa

SHA512
d49019ddf4d77ed75b158d3972212484a46386c64c06ffe737e235b77a164412370e4fcc5190b8dd5b94338f8f468d484f7f6b9540733f1e340a20bc7eea65c9

Download Submit
C:\Program Files\McAfee\Temp2421586416\uimanager.cab
MD5
b9f348a640e45d0ee744d30d4bf106e7

SHA1
6f45f3941b3e36a9328430163926bcd28f776631

SHA256
219f61c88cb7b531a765a812645b2f68b132839d36525435c711e6fdfee32a5f

SHA512
98720e2e0af9f1368e16efe9d92a9be6b19f0ea6068df76a04b07df5dc5ae0bc8df8451928fd2467add97a5c85ca7b05627f7f38d66848108a4e7ae9aabc4450

Download Submit
C:\Program Files\McAfee\Temp2421586416\uninstaller.cab
MD5
a6c8f3564d9365cd4d4fac4203aa4489

SHA1
d9ee341a29d75d66fca7fb3c681ed758c3248691

SHA256
fec19599e6b77aaf4d3e96e3d799743ece34823cbf2307a9f001399753ac6098

SHA512
1b94fb62f8a40fcb9805c8fee1e55c45546997ab68bfd3b4a314c2d61c67fcdf65848d5324b7b50b47ee10fd622cbb6a562a5f2f03cc0e17cfe1eb1ffc8fc7f2

Download Submit
C:\Program Files\McAfee\Temp2421586416\updater.cab
MD5
67dd8cf2b891e7903ba847f1e0bcbf3a

SHA1
97eefe7290ef967c64a85cdc84bcbf7e584970b1

SHA256
288afca1d7d93cbf157b1ae4c37054433e24a963e17210aa4af2285b0b04dcbe

SHA512
bc0c76e86f02ee6cba1b77a3962b1ff2805f07b7ba8d7decf4ec201f626ee4d4c85b594819b0f3c7dd43dde279b1cedf2e98c0b8e241f364a0e23a28c7f5b764

Download Submit
C:\Program Files\McAfee\Temp2421586416\wataskmanager.cab
MD5
2f1a14a1901f1ff11a8818efc6428e02

SHA1
c2f269eb8cec5139dc60da64a18c7f4aef57e743

SHA256
ed84b1b8fb455df184c98e2c70e6c3b4a59d5f49c07fa955fba625489a624aad

SHA512
f9ef8a10f578c0fa21123d29b909b7fc2a904974065c8dcc7c7b6e16698946a00a002f7b333835c7479d35ae01ed6735523e8a3a42be4dec7748c2e85d1f0804

Download Submit
C:\Program Files\McAfee\Temp2421586416\webadvisor.cab
MD5
e5e4ba8c34c3f8bf95e9fb6a64efaf6a

SHA1
196b5eef9d890b0985bfada50f84e73b772fd342

SHA256
8d26bc1b151876636e9395c6bf25685dfa93c5f4bfea0a604f3bffe2246cabdf

SHA512
7346822a3c66626c239d85c296c93c670023f377f3ff301a43280d0d12f8353708a6cea9ed54489d9282d43975b1b5239ef31acd9daf90939b91df1c5c5de619

Download Submit
C:\Program Files\McAfee\Temp2421586416\wssdep.cab
MD5
3d3e5189104c61b7525e57e6140c3232

SHA1
b33f9b82a4717735325ef6e6f958ec0ea032e34a

SHA256
fd31b2cee085eec36bf880b1fd1a63a13f9fbb7be851ed0ed900e2f842ef31cb

SHA512
5618e823f595f731b06becb1e7e02493aa3d3eaa708129b8d16d6b10dcf660570f7b9bb4d000d4f2ff57ff447fc79cb278d37bba6aa45670002819f094c6cf90

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll
MD5
1dd3cd6da8ef45c475c63814d91e21bb

SHA1
4d64336827eca40e04ad8b0e83ab579e6f6381e7

SHA256
c0aee4489229c43a348f92ffc693178c169edc9ac6941f6849202b4d95fae04e

SHA512
7735f63af680924991904d5856394d60a845f599154049a04fb2d616c50b88d932bfe1a1812923020352f6889a7606721e2ae83d9edf426b1a4a6c640f30391e

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll
MD5
ade3bd3a5347ae4d81964bdf905dbd17

SHA1
1e0423bbc36dce468d3ebaa23712168fe1c9159a

SHA256
c27994093ca3d708c5bd64d4b7f2ba9774fe69b3a15935b6596b568f64c0ad9e

SHA512
67fee125dd3802cde488d62f312f8716722071e9d0dbea8be006d3102fed2925565f5ab8b2a4b6f482c58932b6400cfa776d5b3a5a98f9fbdaeb6263be400fc3

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll
MD5
379675db5538974e9e6f9ae857a14535

SHA1
418af16805558b6d870bae693549668abf2fa515

SHA256
e882a0d808459fac59a756bfd48962756b296abf065e65cd1d6e7b40cb43d16f

SHA512
fedf1eb9b2b33ea673bfb581bad56de581343b511e87bc582ed6cc19a7886a707e3cb81abe8c4d61276a696d2782d0c961f0613f1f61d384a720050392572c9c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00200057003F001D0006.txt
MD5
1046afe268c8fbb8bf6f67ddbd133d87

SHA1
0842ac10a54e4c6cee85151b85502e3e804e79bb

SHA256
8806077fd65830e82d45592955c213a0687d9b2f679815322708b915e7e59878

SHA512
32e9215f1a102f3c5fac0986bf472a40ac31944f3afd1a3ff6217a0f8818341fa28e4ad8585fb669df77c0b6890622c31fda49b0cfa68c21e8c8cd1625754aa6

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
MD5
7971be579c57979137aae547f285a3e2

SHA1
5d1fd6118fcfb46fc7065fda61cf61405deb3e56

SHA256
fe6a53a02b68dea848af534e32b5cefee54059de5a0bf3dcff7233f191e887aa

SHA512
3e2c28f886cdfaed66ae0a395996df03bba6d6dae9f3c0c35461509a8dcaf7595304e1bb267c0c0afce7f7a2b14d9a3c23720014db728ab2df5f0d3da26e2e70

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
MD5
9b902e32811a5c365ac341a6449f2b58

SHA1
39f5145eba5ed161b6df40b430411ac427609b52

SHA256
1a5aa1672c64f6e1db0079b57d4e99d3ea9100ec78309af7ceb308ea0f1c303e

SHA512
17866d1b09542dc9827acd3c65db0eef86700b1fcdb7ead9cec52521936ffc93c22c3be13d0bc8728df7773433bddbdeb29c807e764d019a82c13eba72d8470d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c423e93042dd1975e22e1f3dcc28652c

SHA1
4760b93b12428156ae12685110a2d429f07b1983

SHA256
c1242b07b178a611ff6f3b26ecab4be760504e63b5ecb00235448ee8d26c7b9a

SHA512
01a48e898f4c05fcc4fa2220a4da8fb3580ce7d9717a4a1ec9c6dceee00bcd67eb0d685aa2bfd331f132860df151f7c6104f0dfd02cb1f32a14c9f45114b33cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
b0dbd6818a7a3c1b6bc03ed36f45fa03

SHA1
8694a36f4e65a8034c41a48c531ccd5b0fd075b0

SHA256
c50b9c4ebaaddffd0469e7447b1815cd814c4f2b37b164935c8e7d2e4655139a

SHA512
cbd21d6746f5531ae5b661528ff1dc2ace559dd53ee796788b78284b5b418d94094be6fc52a6a0bc1961f6c34dbdd48f78b089fb77f9ad814477945f4c1ed950

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
48542b3954053095b8003706a56a1a84

SHA1
3a2ba438f51b3ec19bc9b09bbcd5b6781bd59c06

SHA256
5da11a4e5d56eda3838267731e98c5c94480a22e01ceb76aa770e1d74ba4b915

SHA512
15be6c33eb7a4cecf86ed6311d6b5a9f6fa44df36184d4e1b24b3d6a62443b534da17ee448fbdc181a354ae8484fa81cf2c30f440006b7af2453adfd53ab3523

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e06d6460ddaf9809ee868e2cdd44318b

SHA1
01fb113f7cf0a6b44f51cc005f54a8995332eff1

SHA256
e37665918a83f71687853ae0127f0b33ac10c3cc175c7c5996c13bbb78c714ae

SHA512
5713df230f98b0a30f77c37639f9b9881eefde99399864a20ba54d828f130be690e1d536c2c30d9ac3105f753694b25baea997846e5646069b57073227487591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
ce87db7a875aa7a472ba035d399975b2

SHA1
eea6a2c66139cee7c7b0c3fab7431b1ee49fd236

SHA256
d98740ab94ad37e7b5b3bc983c49be010a539ce738ff4929c7177ef2f9c41f2c

SHA512
a1d6a1f51e1d794d26ee23406ec6af2e32f56a3a9cb3ecce0e200f3c6b5de8e72e7a764a38f90e2f502f010a5d2643a86df7aec7af990a1d015cfa92ada8cb19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
73296737f809e77ee67eacd55c3858c1

SHA1
9f9c20c66f8c2eca92cc7d508ee646f09008330b

SHA256
f1db9f98c5a22ea4842b441682b1d7f527b0e445b3bfad9b509b720f97165ee2

SHA512
b0772c37f5a95dce0462930154e678f9a28c3556f124d34fbec5326f4888f10b98ec64e7790c5b7dd4c438cf414b895f527e210b46d95599d1695307bae163ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
f87f98eb4c3d2c38f1265d75be7bc9da

SHA1
44445b7ec57875021ad58442609d4a4cb701e6c9

SHA256
0252ba760abf7261a209a4ce637ccbe1e5f4d0130c60aa013854cb83d5170c30

SHA512
c293dcc9a5b30ae70c8205a75b6fbf3b478654883d2dce9e768239d0c332e820a17bc1ae3bab52dcb1205994124bbf3ad882df37a97a1a52063534e5c6f81046

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c1d1460daaca6ae227b49889a43b3692

SHA1
970d76ef1484ea8993a645a727f9a72dcc80b8aa

SHA256
41b48336068b378ea4f41072f759407935bfa68737c8e8fd99ec9099eb9369bc

SHA512
a1d77d85331f9a3c2f11d243e7c4bdc30f1b151833ea52813f8b795dfc46b6962673748bd74617dd036b3594196e3e85a5f1abc2b63917bd8b26f8d497ffe620

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
adb01feeb51d88ff3a83863cd104e64a

SHA1
7ed499000e94acda80d15914b94b0e3e9f986007

SHA256
c702e8f63cf040c240309639b30cc14b8bef8f79f7d5a60107cb9a9fefe466ad

SHA512
9a94111beed21cc7fb2abc79d1083e74aef5ed067e4d3e52b15b561b7b40aedad89c7be96674f8d4def6c69a6fc6a199d6f279d5dc2284d0ca7672b197f2ba05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
16ab1b58a2bf3d173b678204bf7c30d4

SHA1
b193759a4f1a5e37bcea78d1f5de5a6765f4d89e

SHA256
e51e58ff6f0eaa92559916c64e16dbc7aafba8cdabaac908b8f6eaeb578cee33

SHA512
b3d9a4ca6a1abd7ed44ba511395b919d2d852ce59100a0137ca6b639ab882b5d526897463cf7b073b680e17c0b262c7a665e853aa7475a80d9f1796bc5c89269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FDB0F81-7F56-11EC-B219-F68F69E5D60B}.dat
MD5
c3ecaf33d3a88ba33411c9c4d7d66f3c

SHA1
baecf293a1de1908091ac84895f5f63969f8d984

SHA256
63a01e220532060965e4d0809c9912257517e8620055d48dca3291f30d601b42

SHA512
1f2e35376136266ee0b7aded2e554b244d65cf9866747fe6440dd934162645ad8f9465390676dfd30b0dc160fa82dc7db0e58956fffe1abd88995320193a7afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FDB3691-7F56-11EC-B219-F68F69E5D60B}.dat
MD5
eb0f8a62cd1715eecb86933554976e21

SHA1
6e3ee880f1b4783d978cd06f4e53539b9757d4a1

SHA256
2e1c55c0fe6bfa7783ee7026a4ade80e7bbd51d2ab815c6a406b2cd77f0f0e7e

SHA512
a5777410996d0fcd8858e758d300eb4e8ffda7afe48f931052cf2992b4091e7c71a9d210a52b2b524d6c735c94885925a42bfbb8f14de419584f13c4891f545e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\7w612sw\imagestore.dat
MD5
0f8d3673c48fbe64be8f7a533a10e3f6

SHA1
2dc65ee1bf7e5fb077ba06086216f3e46d0acf2b

SHA256
1f45a0abaeecc4f3bc501550378e90a1df95c29aeb3d0d2b5a16b7fe21259fbe

SHA512
ef2050c1cff74171d14ba0d1ddbc6fcc43901c84c99dd3e3d23c0207f33f8e051d311599177dfedaf72208b10403a95ddb72299fdc369b19e58ba9b76627f425

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-11UB1.tmp\microsoft_access_pat1X-1.tmp
MD5
2ae058a6c671479a4fba4c6013518363

SHA1
96ea725f9d2e17c2085388ce70be6ae112f366b7

SHA256
eecad32b84d399f8fdb29128a6715f30993fd6d94eca73684133fc3811d1f153

SHA512
6e3b7cb76d525926b67596ee7e47b91f9a0a0b3589f37e93e424d5b41a6ccb313541b4fad217b82c291a22085b6a8ffb41007a2283e12eacc3d6664599c48e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R0OQF.tmp\prod0_extract\saBSI.exe
MD5
211f842d6081bba42c3e7fdd372e0986

SHA1
fa96b4b66bf3f37b3bf6ba322213003dc0198d9e

SHA256
d5be427d9f42ecf0a37f1c7ed4cb75499f3f61e9a4e67d6b5d0a0b759436f8c5

SHA512
bb742a89a7d4204b71c40e15488024da26a6a3dfd665e19a2b8dae940f587eee09de20e12f5adfbf39e896dd7e62025944bc0bf4c443f6aec372a096353b41e0

Download Submit
\Program Files\McAfee\Temp2421586416\installer.exe
MD5
15ba2f98dcedf27cab51dbaa05a68e02

SHA1
af6ee2c9471e95f9727853e0a11e70b83c0316b3

SHA256
f42176526212d09295b8852c744d4b9dc83d1a728349a62cc1661a87352a4dd7

SHA512
5221b19503f6b227e6567ee7e4032489febb1ada947bb0cde56abe01b3331276b98dc18ebf2b25830f9c891247d705f5707ab58f6190a101afd6ff274bccbb32

Download Submit
\Program Files\McAfee\Temp2421586416\installer.exe
MD5
15ba2f98dcedf27cab51dbaa05a68e02

SHA1
af6ee2c9471e95f9727853e0a11e70b83c0316b3

SHA256
f42176526212d09295b8852c744d4b9dc83d1a728349a62cc1661a87352a4dd7

SHA512
5221b19503f6b227e6567ee7e4032489febb1ada947bb0cde56abe01b3331276b98dc18ebf2b25830f9c891247d705f5707ab58f6190a101afd6ff274bccbb32

Download Submit
\Program Files\McAfee\WebAdvisor\win32\wssdep.dll
MD5
ade3bd3a5347ae4d81964bdf905dbd17

SHA1
1e0423bbc36dce468d3ebaa23712168fe1c9159a

SHA256
c27994093ca3d708c5bd64d4b7f2ba9774fe69b3a15935b6596b568f64c0ad9e

SHA512
67fee125dd3802cde488d62f312f8716722071e9d0dbea8be006d3102fed2925565f5ab8b2a4b6f482c58932b6400cfa776d5b3a5a98f9fbdaeb6263be400fc3

Download Submit
\Program Files\McAfee\WebAdvisor\x64\wssdep.dll
MD5
379675db5538974e9e6f9ae857a14535

SHA1
418af16805558b6d870bae693549668abf2fa515

SHA256
e882a0d808459fac59a756bfd48962756b296abf065e65cd1d6e7b40cb43d16f

SHA512
fedf1eb9b2b33ea673bfb581bad56de581343b511e87bc582ed6cc19a7886a707e3cb81abe8c4d61276a696d2782d0c961f0613f1f61d384a720050392572c9c

Download Submit
\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
MD5
7971be579c57979137aae547f285a3e2

SHA1
5d1fd6118fcfb46fc7065fda61cf61405deb3e56

SHA256
fe6a53a02b68dea848af534e32b5cefee54059de5a0bf3dcff7233f191e887aa

SHA512
3e2c28f886cdfaed66ae0a395996df03bba6d6dae9f3c0c35461509a8dcaf7595304e1bb267c0c0afce7f7a2b14d9a3c23720014db728ab2df5f0d3da26e2e70

Download Submit
\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
\Users\Admin\AppData\Local\Temp\is-11UB1.tmp\microsoft_access_pat1X-1.tmp
MD5
2ae058a6c671479a4fba4c6013518363

SHA1
96ea725f9d2e17c2085388ce70be6ae112f366b7

SHA256
eecad32b84d399f8fdb29128a6715f30993fd6d94eca73684133fc3811d1f153

SHA512
6e3b7cb76d525926b67596ee7e47b91f9a0a0b3589f37e93e424d5b41a6ccb313541b4fad217b82c291a22085b6a8ffb41007a2283e12eacc3d6664599c48e75

Download Submit
\Users\Admin\AppData\Local\Temp\is-R0OQF.tmp\botva2.dll
MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-R0OQF.tmp\prod0_extract\saBSI.exe
MD5
211f842d6081bba42c3e7fdd372e0986

SHA1
fa96b4b66bf3f37b3bf6ba322213003dc0198d9e

SHA256
d5be427d9f42ecf0a37f1c7ed4cb75499f3f61e9a4e67d6b5d0a0b759436f8c5

SHA512
bb742a89a7d4204b71c40e15488024da26a6a3dfd665e19a2b8dae940f587eee09de20e12f5adfbf39e896dd7e62025944bc0bf4c443f6aec372a096353b41e0

Download Submit
\Users\Admin\AppData\Local\Temp\is-R0OQF.tmp\prod0_extract\saBSI.exe
MD5
211f842d6081bba42c3e7fdd372e0986

SHA1
fa96b4b66bf3f37b3bf6ba322213003dc0198d9e

SHA256
d5be427d9f42ecf0a37f1c7ed4cb75499f3f61e9a4e67d6b5d0a0b759436f8c5

SHA512
bb742a89a7d4204b71c40e15488024da26a6a3dfd665e19a2b8dae940f587eee09de20e12f5adfbf39e896dd7e62025944bc0bf4c443f6aec372a096353b41e0

Download Submit
\Users\Admin\AppData\Local\Temp\is-R0OQF.tmp\zbShieldUtils.dll
MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
memory/1508-55-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1508-54-0x00000000758A1000-0x00000000758A3000-memory.dmp

Filesize
8KB

Download
memory/1668-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2296-126-0x0000000152FF0000-0x0000000153000000-memory.dmp

Filesize
64KB

Download
memory/2296-136-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-131-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-137-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-138-0x00000001608C0000-0x00000001608D0000-memory.dmp

Filesize
64KB

Download
memory/2296-140-0x0000000152FF0000-0x0000000153000000-memory.dmp

Filesize
64KB

Download
memory/2296-139-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-141-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-135-0x0000000152FF0000-0x0000000153000000-memory.dmp

Filesize
64KB

Download
memory/2296-143-0x0000000152FF0000-0x0000000153000000-memory.dmp

Filesize
64KB

Download
memory/2296-144-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-145-0x000000016AAF0000-0x000000016AB00000-memory.dmp

Filesize
64KB

Download
memory/2296-134-0x000000016AAF0000-0x000000016AB00000-memory.dmp

Filesize
64KB

Download
memory/2296-147-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-148-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-132-0x00000001608C0000-0x00000001608D0000-memory.dmp

Filesize
64KB

Download
memory/2296-150-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-151-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-152-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-153-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-154-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-156-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-157-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-158-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-130-0x0000000152FF0000-0x0000000153000000-memory.dmp

Filesize
64KB

Download
memory/2296-159-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-160-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-161-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-163-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-129-0x0000000152FF0000-0x0000000153000000-memory.dmp

Filesize
64KB

Download
memory/2296-165-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-167-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-170-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-169-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-128-0x0000000106520000-0x0000000106530000-memory.dmp

Filesize
64KB

Download
memory/2296-171-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-127-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-125-0x00000001696B0000-0x00000001696C0000-memory.dmp

Filesize
64KB

Download
memory/2296-174-0x00000001696B0000-0x00000001696C0000-memory.dmp

Filesize
64KB

Download
memory/2296-176-0x00000001696B0000-0x00000001696C0000-memory.dmp

Filesize
64KB

Download
memory/2296-175-0x00000001696B0000-0x00000001696C0000-memory.dmp

Filesize
64KB

Download
memory/2296-178-0x0000000152FF0000-0x0000000153000000-memory.dmp

Filesize
64KB

Download
memory/2296-177-0x00000001696B0000-0x00000001696C0000-memory.dmp

Filesize
64KB

Download
memory/2296-179-0x000000016AAF0000-0x000000016AB00000-memory.dmp

Filesize
64KB

Download
memory/2296-189-0x00000001608C0000-0x00000001608D0000-memory.dmp

Filesize
64KB

Download
memory/2296-188-0x00000001660B0000-0x00000001660C0000-memory.dmp

Filesize
64KB

Download
memory/2296-187-0x000000016AAF0000-0x000000016AB00000-memory.dmp

Filesize
64KB

Download
memory/2296-185-0x0000000152FF0000-0x0000000153000000-memory.dmp

Filesize
64KB

Download
memory/2296-184-0x000000011ED30000-0x000000011ED40000-memory.dmp

Filesize
64KB

Download
memory/2296-183-0x00000001608C0000-0x00000001608D0000-memory.dmp

Filesize
64KB

Download
memory/2296-182-0x000000016AAF0000-0x000000016AB00000-memory.dmp

Filesize
64KB

Download
memory/2296-181-0x0000000152FF0000-0x0000000153000000-memory.dmp

Filesize
64KB

Download
memory/2296-190-0x00000001696B0000-0x00000001696C0000-memory.dmp

Filesize
64KB

Download
memory/2296-191-0x0000000152FF0000-0x0000000153000000-memory.dmp

Filesize
64KB

Download
memory/2296-101-0x00000001696B0000-0x00000001696C0000-memory.dmp

Filesize
64KB

Download
memory/2636-133-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp

Filesize
8KB

Download