5234cd925873feff87965216e88adebaa7b9349383906bbd4a7c471f4023b6ba

Analysis

max time kernel
90s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2022 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BitlordSetup.exe
Size

2.5MB
MD5

bb7701d6da492352bb2ac2c86462d253
SHA1

339afb386d5667ce36528de65d6809582b9697b9
SHA256

5234cd925873feff87965216e88adebaa7b9349383906bbd4a7c471f4023b6ba
SHA512

6321c10d09f76fbc76761f3d52bc1892e3687d9cf3c49c3dc392587ebce54ba58eafde58ff5c9b707dfa9007ef4bf01dcbd12bd3cf8624c406a6548037054028
SSDEEP

49152:/qe3f6ZL+H98AHaCfu6TfO6VWqUvQaydU9VIL7pR:iSi5E9vBuyVZUqUVIL1R

Score

10^/10

coreentity discovery persistence

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral2/memory/5072-375-0x000002410E290000-0x000002410F290000-memory.dmp	coreentity

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

BitlordSetup.tmpbitlord-2.4-win32-silent-setup-ver358.exevcredist_msvc2019_x86.exevcredist_msvc2019_x86.exevcredist_msvc2019_x64.exevcredist_msvc2019_x64.exesaBSI.exeprod1.exe0vcdazvv.exeRAVEndPointProtection-installer.exesaBSI.exersSyncSvc.exersSyncSvc.exeinstaller.exeinstaller.exe

pid	process
4860	BitlordSetup.tmp
1764	bitlord-2.4-win32-silent-setup-ver358.exe
2192	vcredist_msvc2019_x86.exe
4012	vcredist_msvc2019_x86.exe
4888	vcredist_msvc2019_x64.exe
4564	vcredist_msvc2019_x64.exe
3588	saBSI.exe
3024	prod1.exe
5116	0vcdazvv.exe
4616	RAVEndPointProtection-installer.exe
3788	saBSI.exe
3032	rsSyncSvc.exe
2112	rsSyncSvc.exe
1804	installer.exe
4324	installer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BitlordSetup.tmpprod1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	BitlordSetup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	prod1.exe

Loads dropped DLL 8 IoCs

Processes:

BitlordSetup.tmpbitlord-2.4-win32-silent-setup-ver358.exevcredist_msvc2019_x86.exevcredist_msvc2019_x64.exe

pid	process
4860	BitlordSetup.tmp
4860	BitlordSetup.tmp
4860	BitlordSetup.tmp
1764	bitlord-2.4-win32-silent-setup-ver358.exe
4012	vcredist_msvc2019_x86.exe
4564	vcredist_msvc2019_x64.exe
1764	bitlord-2.4-win32-silent-setup-ver358.exe
1764	bitlord-2.4-win32-silent-setup-ver358.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

bitlord-2.4-win32-silent-setup-ver358.exeinstaller.exeinstaller.exe

description	ioc	process
File created	C:\Program Files (x86)\BitLord\plugins\codec\libaes3_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\spu\libremoteosd_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\video_filter\libedgedetection_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files\McAfee\Temp2978750519\jslang\wa-res-shared-cs-CZ.js	installer.exe
File created	C:\Program Files (x86)\BitLord\Qt6Qml.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\Qt6QmlModels.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\VLCQtCore.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\libvlc.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\access_output\libaccess_output_dummy_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\video_filter\libextract_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\demux\libes_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\demux\libxa_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\stream_out\libstream_out_gather_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\translations\qtwebengine_locales\sw.pak	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files\McAfee\Temp2978750519\jquery-1.9.0.min.js	installer.exe
File created	C:\Program Files\McAfee\Temp2978750519\jslang\wa-res-shared-sk-SK.js	installer.exe
File created	C:\Program Files (x86)\BitLord\imageformats\qsvg.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\audio_filter\libspeex_resampler_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\codec\libvorbis_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\demux\libflacsys_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\video_filter\libgradient_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files\McAfee\Temp2978750519\jslang\wa-res-install-fi-FI.js	installer.exe
File created	C:\Program Files (x86)\BitLord\plugins\access\libdvdnav_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\codec\libtheora_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\demux\libsid_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\translations\qtwebengine_locales\da.pak	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files\McAfee\Temp2978750519\logicscripts.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2978750519\wa_logo2.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\servicehost.exe	installer.exe
File created	C:\Program Files (x86)\BitLord\plugins\access\libaccess_realrtsp_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\codec\libx265_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\demux\libvobsub_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\stream_filter\libcache_block_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\video_filter\libfps_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\translations\qt_sk.qm	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files\McAfee\Temp2978750519\wa-install.css	installer.exe
File created	C:\Program Files (x86)\BitLord\plugins\access\libtimecode_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\demux\libdemuxdump_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\video_chroma\libi420_nv12_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\video_output\libgl_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\translations\qtwebengine_locales\en-US.pak	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files\McAfee\Temp2978750519\resource.dll	installer.exe
File created	C:\Program Files (x86)\BitLord\plugins\mux\libmux_wav_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\stream_extractor\libarchive_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\stream_out\libstream_out_autodel_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\position\qtposition_winrt.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\tls\qschannelbackend.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\translations\qt_cs.qm	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\translations\qtwebengine_locales\ca.pak	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files\McAfee\Temp2978750519\taskmanager.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\type_tag_utils.luc	installer.exe
File created	C:\Program Files (x86)\BitLord\BitLord.exe	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\audio_filter\libspatializer_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\meta_engine\libtaglib_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\video_chroma\libgrey_yuv_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\video_output\libglwin32_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\translations\qtwebengine_locales\et.pak	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files\McAfee\Temp2978750519\jslang\wa-res-shared-es-ES.js	installer.exe
File created	C:\Program Files (x86)\BitLord\plugins\demux\libmod_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\stream_out\libstream_out_mosaic_bridge_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\plugins\video_chroma\libi420_rgb_sse2_plugin.dll	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files (x86)\BitLord\translations\qtwebengine_locales\uk.pak	bitlord-2.4-win32-silent-setup-ver358.exe
File created	C:\Program Files\McAfee\Temp2978750519\jslang\eula-tr-TR.txt	installer.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4672 sc.exe
1004 sc.exe
1820 sc.exe
3540 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4672	sc.exe
1004	sc.exe
1820	sc.exe
3540	sc.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\bitlord-2.4-win32-silent-setup-ver358.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\bitlord-2.4-win32-silent-setup-ver358.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\bitlord-2.4-win32-silent-setup-ver358.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\bitlord-2.4-win32-silent-setup-ver358.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BitlordSetup.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitlordSetup.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	BitlordSetup.tmp

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3804 taskkill.exe

pid	process
3804	taskkill.exe

Modifies registry class 23 IoCs

Processes:

bitlord-2.4-win32-silent-setup-ver358.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord\shell\open\command	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord\shell\open	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Magnet\shell\open	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord\DefaultIcon\ = "\"C:\\Program Files (x86)\\BitLord\\bitlord.ico\""	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord\shell\open\command\ = "\"C:\\Program Files (x86)\\BitLord\\Bitlord.exe\" \"%1\""	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Magnet\ = "BitLord magnet URI"	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Magnet\DefaultIcon\ = "C:\\Program Files (x86)\\BitLord\\bitlord.ico"	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Magnet\shell\open\command	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Magnet\shell	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord\Content Type\ = "application/x-bittorrent"	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord\DefaultIcon	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord\ = "BitLord"	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord\shell	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord\shell\ = "open"	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Magnet\shell\open\command\ = "\"C:\\Program Files (x86)\\BitLord\\Bitlord.exe\" \"%1\""	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "BitLord"	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\Content Type = "application/x-bittorrent"	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Magnet	bitlord-2.4-win32-silent-setup-ver358.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Magnet\URL Protocol	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Magnet\DefaultIcon	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent	bitlord-2.4-win32-silent-setup-ver358.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitLord\Content Type	bitlord-2.4-win32-silent-setup-ver358.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

saBSI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

bitlord-2.4-win32-silent-setup-ver358.exesaBSI.exesaBSI.exe

pid	process
1764	bitlord-2.4-win32-silent-setup-ver358.exe
1764	bitlord-2.4-win32-silent-setup-ver358.exe
3588	saBSI.exe
3588	saBSI.exe
3588	saBSI.exe
3588	saBSI.exe
3588	saBSI.exe
3588	saBSI.exe
3588	saBSI.exe
3588	saBSI.exe
3588	saBSI.exe
3588	saBSI.exe
3788	saBSI.exe
3788	saBSI.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exeprod1.exeRAVEndPointProtection-installer.exe

description	pid	process
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	3024	prod1.exe
Token: SeDebugPrivilege	4616	RAVEndPointProtection-installer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

BitlordSetup.tmp

pid process

4860 BitlordSetup.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BitlordSetup.tmp

pid process

4860 BitlordSetup.tmp

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

BitlordSetup.exeBitlordSetup.tmpbitlord-2.4-win32-silent-setup-ver358.exevcredist_msvc2019_x86.exevcredist_msvc2019_x64.exeprod1.exe0vcdazvv.exesaBSI.exeRAVEndPointProtection-installer.exesaBSI.exeinstaller.exeinstaller.exe

description	pid	process	target process
PID 4396 wrote to memory of 4860	4396	BitlordSetup.exe	BitlordSetup.tmp
PID 4396 wrote to memory of 4860	4396	BitlordSetup.exe	BitlordSetup.tmp
PID 4396 wrote to memory of 4860	4396	BitlordSetup.exe	BitlordSetup.tmp
PID 4860 wrote to memory of 3804	4860	BitlordSetup.tmp	taskkill.exe
PID 4860 wrote to memory of 3804	4860	BitlordSetup.tmp	taskkill.exe
PID 4860 wrote to memory of 3804	4860	BitlordSetup.tmp	taskkill.exe
PID 4860 wrote to memory of 1764	4860	BitlordSetup.tmp	bitlord-2.4-win32-silent-setup-ver358.exe
PID 4860 wrote to memory of 1764	4860	BitlordSetup.tmp	bitlord-2.4-win32-silent-setup-ver358.exe
PID 4860 wrote to memory of 1764	4860	BitlordSetup.tmp	bitlord-2.4-win32-silent-setup-ver358.exe
PID 1764 wrote to memory of 2192	1764	bitlord-2.4-win32-silent-setup-ver358.exe	vcredist_msvc2019_x86.exe
PID 1764 wrote to memory of 2192	1764	bitlord-2.4-win32-silent-setup-ver358.exe	vcredist_msvc2019_x86.exe
PID 1764 wrote to memory of 2192	1764	bitlord-2.4-win32-silent-setup-ver358.exe	vcredist_msvc2019_x86.exe
PID 2192 wrote to memory of 4012	2192	vcredist_msvc2019_x86.exe	vcredist_msvc2019_x86.exe
PID 2192 wrote to memory of 4012	2192	vcredist_msvc2019_x86.exe	vcredist_msvc2019_x86.exe
PID 2192 wrote to memory of 4012	2192	vcredist_msvc2019_x86.exe	vcredist_msvc2019_x86.exe
PID 1764 wrote to memory of 4888	1764	bitlord-2.4-win32-silent-setup-ver358.exe	vcredist_msvc2019_x64.exe
PID 1764 wrote to memory of 4888	1764	bitlord-2.4-win32-silent-setup-ver358.exe	vcredist_msvc2019_x64.exe
PID 1764 wrote to memory of 4888	1764	bitlord-2.4-win32-silent-setup-ver358.exe	vcredist_msvc2019_x64.exe
PID 4888 wrote to memory of 4564	4888	vcredist_msvc2019_x64.exe	vcredist_msvc2019_x64.exe
PID 4888 wrote to memory of 4564	4888	vcredist_msvc2019_x64.exe	vcredist_msvc2019_x64.exe
PID 4888 wrote to memory of 4564	4888	vcredist_msvc2019_x64.exe	vcredist_msvc2019_x64.exe
PID 4860 wrote to memory of 3588	4860	BitlordSetup.tmp	saBSI.exe
PID 4860 wrote to memory of 3588	4860	BitlordSetup.tmp	saBSI.exe
PID 4860 wrote to memory of 3588	4860	BitlordSetup.tmp	saBSI.exe
PID 4860 wrote to memory of 3024	4860	BitlordSetup.tmp	prod1.exe
PID 4860 wrote to memory of 3024	4860	BitlordSetup.tmp	prod1.exe
PID 3024 wrote to memory of 5116	3024	prod1.exe	0vcdazvv.exe
PID 3024 wrote to memory of 5116	3024	prod1.exe	0vcdazvv.exe
PID 3024 wrote to memory of 5116	3024	prod1.exe	0vcdazvv.exe
PID 5116 wrote to memory of 4616	5116	0vcdazvv.exe	RAVEndPointProtection-installer.exe
PID 5116 wrote to memory of 4616	5116	0vcdazvv.exe	RAVEndPointProtection-installer.exe
PID 3588 wrote to memory of 3788	3588	saBSI.exe	saBSI.exe
PID 3588 wrote to memory of 3788	3588	saBSI.exe	saBSI.exe
PID 3588 wrote to memory of 3788	3588	saBSI.exe	saBSI.exe
PID 4616 wrote to memory of 3032	4616	RAVEndPointProtection-installer.exe	rsSyncSvc.exe
PID 4616 wrote to memory of 3032	4616	RAVEndPointProtection-installer.exe	rsSyncSvc.exe
PID 3788 wrote to memory of 1804	3788	saBSI.exe	installer.exe
PID 3788 wrote to memory of 1804	3788	saBSI.exe	installer.exe
PID 1804 wrote to memory of 4324	1804	installer.exe	installer.exe
PID 1804 wrote to memory of 4324	1804	installer.exe	installer.exe
PID 4324 wrote to memory of 1152	4324	installer.exe	regsvr32.exe
PID 4324 wrote to memory of 1152	4324	installer.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\BitlordSetup.exe
"C:\Users\Admin\AppData\Local\Temp\BitlordSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Local\Temp\is-T2D46.tmp\BitlordSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T2D46.tmp\BitlordSetup.tmp" /SL5="$90046,1749784,882688,C:\Users\Admin\AppData\Local\Temp\BitlordSetup.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im "BitLord.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\bitlord-2.4-win32-silent-setup-ver358.exe
"C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\bitlord-2.4-win32-silent-setup-ver358.exe" /silent /firewallexception /magnetassociation /torrentassociation
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764

C:\Program Files (x86)\BitLord\vcredist_msvc2019_x86.exe
"C:\Program Files (x86)\BitLord\vcredist_msvc2019_x86.exe" /install /quiet /norestart
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\Temp\{79CBB2EA-2E33-449F-81BA-71F34E4EFB45}\.cr\vcredist_msvc2019_x86.exe
"C:\Windows\Temp\{79CBB2EA-2E33-449F-81BA-71F34E4EFB45}\.cr\vcredist_msvc2019_x86.exe" -burn.clean.room="C:\Program Files (x86)\BitLord\vcredist_msvc2019_x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 /install /quiet /norestart
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4012

C:\Program Files (x86)\BitLord\vcredist_msvc2019_x64.exe
"C:\Program Files (x86)\BitLord\vcredist_msvc2019_x64.exe" /install /quiet /norestart
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\Temp\{906FC3B6-9E1F-447A-A54C-ABF9F9B3D7EE}\.cr\vcredist_msvc2019_x64.exe
"C:\Windows\Temp\{906FC3B6-9E1F-447A-A54C-ABF9F9B3D7EE}\.cr\vcredist_msvc2019_x64.exe" -burn.clean.room="C:\Program Files (x86)\BitLord\vcredist_msvc2019_x64.exe" -burn.filehandle.attached=548 -burn.filehandle.self=648 /install /quiet /norestart
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4564

C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\prod0_extract\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3588

C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
"C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91088 PaidDistribution=true saBsiVersion=4.1.1.663 /no_self_update
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3788

C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
"C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1804

C:\Program Files\McAfee\Temp2978750519\installer.exe
"C:\Program Files\McAfee\Temp2978750519\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SYSTEM32\sc.exe
sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"
7⤵
- Launches sc.exe
PID:1820

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
7⤵
PID:1152

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
8⤵
PID:3740

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
7⤵
PID:1988

C:\Windows\SYSTEM32\sc.exe
sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"
7⤵
- Launches sc.exe
PID:3540

C:\Windows\SYSTEM32\sc.exe
sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0
7⤵
- Launches sc.exe
PID:4672

C:\Windows\SYSTEM32\sc.exe
sc.exe start "McAfee WebAdvisor"
7⤵
- Launches sc.exe
PID:1004

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
7⤵
PID:3628

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
8⤵
PID:1440

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
7⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\prod1.exe
"C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\prod1.exe" -ip:"dui=4cfb5922-b036-4c14-9ed1-03c0dad19fbd&dit=20221228092647&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=20f2&a=100&b=&se=true" -vp:"dui=4cfb5922-b036-4c14-9ed1-03c0dad19fbd&dit=20221228092647&oc=ZB_RAV_Cross_Tri_NCB&p=20f2&oip=26&ptl=7&dta=true&a=100" -dp:"dui=4cfb5922-b036-4c14-9ed1-03c0dad19fbd&dit=20221228092647&oc=ZB_RAV_Cross_Tri_NCB&p=20f2&a=100" -i -v -d -se=true
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\0vcdazvv.exe
"C:\Users\Admin\AppData\Local\Temp\0vcdazvv.exe" /silent
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\nsbEE78.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nsbEE78.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\0vcdazvv.exe" /silent
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
6⤵
- Executes dropped EXE
PID:3032

\??\c:\windows\system32\rundll32.exe
"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\ReasonCamFilter.inf
6⤵
PID:2216

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
7⤵
PID:4940

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
8⤵
PID:440

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load ReasonCamFilter
6⤵
PID:5060

\??\c:\windows\system32\rundll32.exe
"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
6⤵
PID:540

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
7⤵
PID:4588

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
8⤵
PID:4432

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
6⤵
PID:4396

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
6⤵
PID:1824

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
6⤵
PID:1684

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
6⤵
PID:3660

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
6⤵
PID:3380

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
6⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\ktdbyvkw.exe
"C:\Users\Admin\AppData\Local\Temp\ktdbyvkw.exe" /silent
4⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\nsvB88E.tmp\RAVVPN-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nsvB88E.tmp\RAVVPN-installer.exe" "C:\Users\Admin\AppData\Local\Temp\ktdbyvkw.exe" /silent
5⤵
PID:1512

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i
6⤵
PID:1564

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i
6⤵
PID:2396

C:\Program Files (x86)\BitLord\BitLord.exe
"C:\Program Files (x86)\BitLord\BitLord.exe"
3⤵
PID:5072

C:\Program Files (x86)\BitLord\QtWebEngineProcess.exe
"C:\Program Files (x86)\BitLord\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=NetworkServiceInProcess,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB --disable-gpu-compositing --lang=en --webengine-schemes=qrc:sV --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --mojo-platform-channel-handle=3296 /prefetch:1
4⤵
PID:2392

C:\Program Files (x86)\BitLord\QtWebEngineProcess.exe
"C:\Program Files (x86)\BitLord\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=NetworkServiceInProcess,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,InstalledApp,PictureInPicture,WebOTP,WebPayments,WebUSB --disable-gpu-compositing --lang=en --webengine-schemes=qrc:sV --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=3628 /prefetch:1
4⤵
PID:2264

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:2112

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:1416

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
PID:1348

C:\Program Files\McAfee\WebAdvisor\updater.exe
"C:\Program Files\McAfee\WebAdvisor\updater.exe"
2⤵
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
3⤵
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
3⤵
PID:2460

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:1460

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
PID:1532

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
PID:4536

\??\c:\program files\reasonlabs\epp\rsHelper.exe
"c:\program files\reasonlabs\epp\rsHelper.exe"
2⤵
PID:2456

\??\c:\program files\reasonlabs\EPP\ui\EPP.exe
"c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
2⤵
PID:4764

C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
3⤵
PID:1804

C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\RAV Endpoint Protection" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 --field-trial-handle=2636,i,8694598660500073806,16215258954260823648,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:5140

C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\RAV Endpoint Protection" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2364 --field-trial-handle=2636,i,8694598660500073806,16215258954260823648,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:5188

C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RAV Endpoint Protection" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.0.7\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2520 --field-trial-handle=2636,i,8694598660500073806,16215258954260823648,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:5216

C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RAV Endpoint Protection" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.0.7\resources\app.asar" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2788 --field-trial-handle=2636,i,8694598660500073806,16215258954260823648,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:5404

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
PID:2164

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Privilege Escalation

New Service

T1050

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BitLord\vcredist_msvc2019_x64.exe
Filesize
14.4MB

MD5
be433764fa9bbe0f2f9c654f6512c9e0

SHA1
b87c38d093872d7be7e191f01107b39c87888a5a

SHA256
40ea2955391c9eae3e35619c4c24b5aaf3d17aeaa6d09424ee9672aa9372aeed

SHA512
8a050ebd392654ce5981af3d0bf99107bfa576529bce8325a7ccc46f92917515744026a2d0ea49afb72bbc4e4278638a0677c6596ad96b7019e47c250e438191

Download Submit
C:\Program Files (x86)\BitLord\vcredist_msvc2019_x64.exe
Filesize
14.4MB

MD5
be433764fa9bbe0f2f9c654f6512c9e0

SHA1
b87c38d093872d7be7e191f01107b39c87888a5a

SHA256
40ea2955391c9eae3e35619c4c24b5aaf3d17aeaa6d09424ee9672aa9372aeed

SHA512
8a050ebd392654ce5981af3d0bf99107bfa576529bce8325a7ccc46f92917515744026a2d0ea49afb72bbc4e4278638a0677c6596ad96b7019e47c250e438191

Download Submit
C:\Program Files (x86)\BitLord\vcredist_msvc2019_x86.exe
Filesize
13.7MB

MD5
24e8177b25c072f4fb0d37496ccdbb34

SHA1
afa5badce64ee67290add24e0dc3d8210954ac6c

SHA256
e59ae3e886bd4571a811fe31a47959ae5c40d87c583f786816c60440252cd7ec

SHA512
2fda8abc77b6ed9e98a2b120628e4e3b9458f2b18998c836eec1de82642244fe55234c7e52d6036d8b75c4b707a24f12fa639cc92d4234e94ed604a259d651e4

Download Submit
C:\Program Files (x86)\BitLord\vcredist_msvc2019_x86.exe
Filesize
13.7MB

MD5
24e8177b25c072f4fb0d37496ccdbb34

SHA1
afa5badce64ee67290add24e0dc3d8210954ac6c

SHA256
e59ae3e886bd4571a811fe31a47959ae5c40d87c583f786816c60440252cd7ec

SHA512
2fda8abc77b6ed9e98a2b120628e4e3b9458f2b18998c836eec1de82642244fe55234c7e52d6036d8b75c4b707a24f12fa639cc92d4234e94ed604a259d651e4

Download Submit
C:\Program Files\McAfee\Temp2978750519\analyticsmanager.cab
Filesize
1.9MB

MD5
d9ed32143b29f1984397547c0ec11186

SHA1
42f3f9a7de91a3e0d6ff6aa227b9d15f71a00216

SHA256
bd9ea533cc10d9915628194aa2360dededed4d46371eb4d4e6e8a23b5b23e82e

SHA512
135d3805689a8d13af3a5f0cb8d99ca0110a05e55c173242f24490af6ca284cac18a5e6a81be74848aa9006855bfcbb15470badf505775f5681dd61bea346f22

Download Submit
C:\Program Files\McAfee\Temp2978750519\analyticstelemetry.cab
Filesize
46KB

MD5
ecce29cf51add01c727908e9b613d0d8

SHA1
82ee27455c4b4f73ba0c506adbc7dd9a9c7d812f

SHA256
e162350e682c4dd2c7704c9bedaec14abee37b011cbd519271bf2d29a9e8effb

SHA512
7bb061e47ce0393c885ab74d0db3e78a681c24b0595039d4d40cca78b4a906ada29730d06cdb310330433a58c5a2f04bfddbb71381f9ce4b8ed1dbc2e86f7fdd

Download Submit
C:\Program Files\McAfee\Temp2978750519\browserhost.cab
Filesize
1.1MB

MD5
76f48416c6ca43d7cfb820f343fafa73

SHA1
6e4c1b2effda7b44a6515da619934ebc11b32dd2

SHA256
6d03577b4028046225e07072fef3d874d4056a8fd5b50efab6dc278ab5795784

SHA512
f78bdf1f00b8330b02fd24a02d02c9e894c790bb25c2b3401ccb5a871bb99a90135fc87b24533305994eb49eead0c038d7a37c381b6464d7cce98a355bb0a322

Download Submit
C:\Program Files\McAfee\Temp2978750519\browserplugin.cab
Filesize
4.9MB

MD5
012c7303407a5a430face5fc983696a6

SHA1
d6d636052d68ae227260e535e158183de9e5d47a

SHA256
c16c37eca8d7c176a6538d3f6aa4734a528d6ddbba6c06591548b0afd98e652d

SHA512
aa174e34ffda63187e09f267a6d4527a4959e3b0796175eb7f0f8cabbaf9b6b2e57e1e7f808b72c863836f87ced0303522b3612c0933ee494b3badf71839661e

Download Submit
C:\Program Files\McAfee\Temp2978750519\downloadscan.cab
Filesize
2.1MB

MD5
071b5d93a7dffff37eb2767d4b634919

SHA1
cc4c4990f63f0c19542e3d273929e1298526a797

SHA256
ad6a1b3fd003c9768821677c03a85e393545d65f24a375db8ce75a5b7917ccf3

SHA512
01fefb8e8422acb1ab954623048d50b30d22dcabfc2b5521cdb8312ae8ae82d6bf94a11c538a51fd92e69f95b5fc2021bac385e90d6bf151cef5610096b1cd7f

Download Submit
C:\Program Files\McAfee\Temp2978750519\eventmanager.cab
Filesize
1.4MB

MD5
73f45024d9d2924571af30d1dfe69214

SHA1
c80dfd09bfab8170f6127b1b88d631fd8d6fdc0e

SHA256
873ba52092a4f6a21ed79706d50eb7060ca800901c7bdf193ab026c6de93d428

SHA512
2c67029503c83b0cfa2ae7a900c124ba28f96a0ba4b952c7eac101a110b82a3db79317506ee72c8ebf9a191c30f8e9a385c17c5b2f1dce70828caa51dc49de0e

Download Submit
C:\Program Files\McAfee\Temp2978750519\installer.exe
Filesize
2.3MB

MD5
c6de8bfd9617b5e6b9cbb76c5b908a36

SHA1
77883bd93e6c2765c6e81029ed9be3ca94bd2ad1

SHA256
08a6eccb174aa8785e479d271579a1ce1472bfaaaec7816f4f9300adb9ac248e

SHA512
162a75148bdb44af8e9519dcd6951d56fc3e11028d4aa22c0efa5e2177037f5814285756594496674c28b14e8702df7651b5781f00f681cfb6fd13fe2b300400

Download Submit
C:\Program Files\McAfee\Temp2978750519\installer.exe
Filesize
2.3MB

MD5
c6de8bfd9617b5e6b9cbb76c5b908a36

SHA1
77883bd93e6c2765c6e81029ed9be3ca94bd2ad1

SHA256
08a6eccb174aa8785e479d271579a1ce1472bfaaaec7816f4f9300adb9ac248e

SHA512
162a75148bdb44af8e9519dcd6951d56fc3e11028d4aa22c0efa5e2177037f5814285756594496674c28b14e8702df7651b5781f00f681cfb6fd13fe2b300400

Download Submit
C:\Program Files\McAfee\Temp2978750519\l10n.cab
Filesize
253KB

MD5
ed7cd54edf61756bfc4edab6ceadc976

SHA1
d62e8e1d980beda3766c477e52fb97afbb55a547

SHA256
2ab5f8d97f7681d6412b9fff064289a62a4bb53f034d261dc4f9b85a1b645059

SHA512
b89f301750c770d74ea7effb8c9cb90e0d7adcf1942274ebb2d1ebbd95dc138bc56ef849ed1b55657eaf7eb73651a4b849fad6ed895c06942621cce957618aa8

Download Submit
C:\Program Files\McAfee\Temp2978750519\logicmodule.cab
Filesize
1.4MB

MD5
6dd2fb142006ad8bf25a6947d1373b2b

SHA1
d2560e72ad84b3ffdb7aeeb645ee5f6bf2355819

SHA256
7402780254ac19cbcd61396db7a705bd0ef999c2db21f61b6cc420b46d76de0e

SHA512
f97a367d1d0aa1cdad9f3b6b55f4a038cf05d1910346853745abdfbad5d541191ff9e2da45ab193626268e30b429aa5f184ec8119d6a1ae6523007acb8a1dcaf

Download Submit
C:\Program Files\McAfee\Temp2978750519\logicscripts.cab
Filesize
52KB

MD5
cb703e2d5f233d5653acb4e4a5a558ac

SHA1
b5354d49262665e4e7969dbbd5876d681a300e5a

SHA256
77077da345b09a0f2d86569b58cde1505588ebedb74e601c7ca4d3374e3599fe

SHA512
29a9b48d1ea7ba7f45d198931cfb0a6e618a52b2c72b77b98dd43abc5b3b62a7ec5057637c4bfeeca33b3ecdf397fac82cd7fc70996046685990d9a313f41cbe

Download Submit
C:\Program Files\McAfee\Temp2978750519\lookupmanager.cab
Filesize
502KB

MD5
5f090ded01d0bc97b87cb316589f7a47

SHA1
a8b260b4a39b4e55a8115e9d7f48b6495dd7dfbd

SHA256
bb5318dd5bdcaf94c059aeca1286389ace5302202357f4418d5f349e03ebb515

SHA512
248998802f274eb092d8ee365ab1ca21430284b57042ef5cb320f5cef4a46bee75cbd08f8c8d32b72f8e39fd5d67d78f819a18e28aab1fa1f4e6d41a7248d15c

Download Submit
C:\Program Files\McAfee\Temp2978750519\mfw-mwb.cab
Filesize
31KB

MD5
1f96c859ca01549305afc6b8515c2f2e

SHA1
e78e117d4c1547c472a1a16d6d5d967f5dd3ac3e

SHA256
d31ef95b405073a7319eccc04ad07fb78c59a3686d7124c65403aef4c33a6c45

SHA512
5cb7228e8e920489e3b1c8a17e4d933a704b130f933ff748200d4c788c0f382444f39f81c2da66aaa1a8fd00e833717b2eeb6c04f1da91c4aa92d1296ba594bf

Download Submit
C:\Program Files\McAfee\Temp2978750519\mfw-nps.cab
Filesize
33KB

MD5
c0fefa390eca8e15b8d6f7cebb15517a

SHA1
c028f27b3b0aa78c8ec6f2b8ecb48f22c82abddf

SHA256
43fea966f8f44852219a1b47f7da7940edd1a4a4f34817cdee364e98f3bc9d01

SHA512
14045baff357d28ee4b1ad7c195388268817ade849f836e7766f90b38face7813a444b8e798c47bb9898f7ae25e5441fa76ebc67617c4865412d573a7c751269

Download Submit
C:\Program Files\McAfee\Temp2978750519\mfw-webadvisor.cab
Filesize
741KB

MD5
03d5a5b2ff4942a12961c54ac603804b

SHA1
548fb05c175c43b227066bdc7cd7716fe02b52c6

SHA256
cb4d7ce878f8643c780841a58281a9e91cfdb989ee1cd8fb120d7c4dae8e24ba

SHA512
7af94ad90119f1c76ceb8d62336198595f896b2c4f4da469ea246986bea1e36e64035cb5a65e1e31db6b68d9b99348a2207e7082793efa8bdfa43e30734eee23

Download Submit
C:\Program Files\McAfee\Temp2978750519\mfw.cab
Filesize
309KB

MD5
d30a174a1cdfa635e0b582aa6fb753b6

SHA1
1574a5ba48873b555edafa26ffcc085682b7bb7e

SHA256
0e95874c6cd67292d56f481e6ad6f58714514884f52ba5e2ce23eda5f7752ac0

SHA512
6d0b49dc4e2a89180ffde343b7ca7b3e986daa119d6d641aeace456ef5c2c8c59bee59ac1fbad3910af588753090b1a45e5374bfea78480c6dabee57957a7f10

Download Submit
C:\Program Files\McAfee\Temp2978750519\resourcedll.cab
Filesize
52KB

MD5
313ebe3b4eee0ef05835cb152ce06cc4

SHA1
92ecb331c14ce733ce91a8700b46a96595953df9

SHA256
72193116f16aa7c00184910d9bf187731cb555408b7ce6b7f4f5d506d5e55277

SHA512
6006f3cff51c3fcd55b99bbde7c0c5bb5a61b42c619210a07795d9fdd1964f31bcd7e611645b95ff703aa9982c7f5d11f46a9d55dcd12d2e6866b1d3138cf30b

Download Submit
C:\Program Files\McAfee\Temp2978750519\servicehost.cab
Filesize
297KB

MD5
415431dd880e446bc2f463ca31744a6d

SHA1
7e77895e589ada0d6ad93ad56bad058f8a2cb7f3

SHA256
6a07967fbe421e0db983d77e8decbf15e36b6f789947b24235d7adef632f771d

SHA512
e3bcf33c44fb717ac22395549ae1d00dbec66b9664739ff3bd02a7929014d3a41c756496e8e408787d4d64ef89e4b79e3ce947ac690edd933d5a4849e6d18fdf

Download Submit
C:\Program Files\McAfee\Temp2978750519\settingmanager.cab
Filesize
784KB

MD5
2237de2fe1172bc432ae0bcff6670da8

SHA1
459ffc44ffacd0ed984d4f725c4f56768cd45ccb

SHA256
ee89f0924a0bcd7d96695c23e0e8087c2f8ce40274834d33ff8802445ea9474b

SHA512
d865c25d8cd4309d1498fd1242d99d473de9d6df48ad8da16a2bfcffc3b24a505d7f340b18e00bb6955565af3fc46db77c3b9f25e6bf8f1793898058fc6fbb44

Download Submit
C:\Program Files\McAfee\Temp2978750519\taskmanager.cab
Filesize
1.2MB

MD5
46580f3846a45678bf282c1b68b15415

SHA1
091fa49c79ddb13c15fa71df358b66207ec315e4

SHA256
7df502bf08b6397e8d3f5cdb2f276a0b26c8b440fd9ca6ae72674eb4dd3d9174

SHA512
bb79e17ec3f241f49bcb8b49bb7e9d21a8d731ec599c083a69e2ca58762c3f1b8e8dbd31b1692b81c6ad6428237c2d54c10f54ea34918b181c718ea77311fd09

Download Submit
C:\Program Files\McAfee\Temp2978750519\telemetry.cab
Filesize
81KB

MD5
e8a55c0acba9cd3c21dd82bab0918237

SHA1
90bf7a00e0ed3c5f83e2b4c9fcdfac605c8b0704

SHA256
3e850a76b0576465eb66310b4043e3cc2b0106f271502e281b78b8736d23264d

SHA512
da128836d8848214812178185ba7cc4cc704b4eecede0f33363d4c57eaf0a18081ca826bf76e09e175dac5176a7804b6577090b938253db484efa745c665b050

Download Submit
C:\Program Files\McAfee\Temp2978750519\uihost.cab
Filesize
293KB

MD5
d9c6459aa8041a2073ff3f6f8b4803dd

SHA1
8b503d8bdfea209b48507d7816c7f7fff2247b42

SHA256
e02729a1ae5c473a0bd567abc00bfcee9de1a7c1572a2e408d988abe07cb0a91

SHA512
39ad1cc15b32a912b89137b1e9d233c0ba8dc6cec3d653e0d25b87cc027fab4ed32d8acf59504f71066c9b0a719a5a55af5d517bec61497558a4868dc6799043

Download Submit
C:\Program Files\McAfee\Temp2978750519\uimanager.cab
Filesize
1.6MB

MD5
7c224bbe753c90f1a7206e46f72d3602

SHA1
8669845cbc60dc87371af64a779991a8ae229f84

SHA256
655d19d44b54d8b58122539838e2d5ea5f91ed571fab079a0fe4a3abe7441b38

SHA512
c559fd4a47a9a9edc1782d8ff5d266b63ef974e16d106626ecd5a3b1415316b2497b682bc7d5229bfe4a294eb4d4d31f0ca7622350a890e9c398c46cf40a0cc9

Download Submit
C:\Program Files\McAfee\Temp2978750519\uninstaller.cab
Filesize
870KB

MD5
96e99dc9fde617948a06b4d0655c8b48

SHA1
2f53e99b44a9b1ca3ad9f5edce4447b4b8c02935

SHA256
47b993b5a2024ba5b04df16cbb474f338f5754a173a31071d0a1c57b00c9a374

SHA512
5562ebb8f0e086b333528e07ce7b49314e2cdeed45e42ecefbc93eae2b1897feb08279ff4524325af77f9e249f3db820a7936b95425e42238a5393fcd0bac21d

Download Submit
C:\Program Files\McAfee\Temp2978750519\updater.cab
Filesize
840KB

MD5
77b956864704fbf14147792b54a18975

SHA1
16406240108165ffa769a4f74173aabe4ccdbe4b

SHA256
ea46cc1f3ab232fc1fd315a6f7ce8acf0c0bd660ac6ab629022a3c13f031c0fe

SHA512
fbabd2e582500c4100d2011625eda901f37706071818150cf53d3324562c6305c6fdc82ba35166a40f7c51cba8680a57ce1f9a4205a6993329b542e0d479b1f4

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Filesize
578KB

MD5
ad273dae5c6d7ad0317e8471a6a8c4fa

SHA1
60013851dbd0c70a6183299c95a5e92283260a51

SHA256
8d0ef4a070b16a89c2f5b16eba3bd176c2f507e46a8b9c54259ec41d4ec6f903

SHA512
280985c24a31fee7ad43996f2e10a198553f486cdee0d6e5439e603c351fe92bf5531c8246220c441fb511a54724b4ebbc3b6fbd6ed94a65285200b4ebf063be

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Filesize
578KB

MD5
ad273dae5c6d7ad0317e8471a6a8c4fa

SHA1
60013851dbd0c70a6183299c95a5e92283260a51

SHA256
8d0ef4a070b16a89c2f5b16eba3bd176c2f507e46a8b9c54259ec41d4ec6f903

SHA512
280985c24a31fee7ad43996f2e10a198553f486cdee0d6e5439e603c351fe92bf5531c8246220c441fb511a54724b4ebbc3b6fbd6ed94a65285200b4ebf063be

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Filesize
578KB

MD5
ad273dae5c6d7ad0317e8471a6a8c4fa

SHA1
60013851dbd0c70a6183299c95a5e92283260a51

SHA256
8d0ef4a070b16a89c2f5b16eba3bd176c2f507e46a8b9c54259ec41d4ec6f903

SHA512
280985c24a31fee7ad43996f2e10a198553f486cdee0d6e5439e603c351fe92bf5531c8246220c441fb511a54724b4ebbc3b6fbd6ed94a65285200b4ebf063be

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00200057003F001D0006.txt
Filesize
302B

MD5
026857a327336b5a40afd2dc1a34b428

SHA1
997b4c809994dc8a78dc89ca6e0af525890cf18a

SHA256
27ee073698a9c5238551b3ca887678b70e67e1d852d86b2027373e5d0e51d83b

SHA512
3b6e2774b6f31aec6ff420dce2a94c81f7dfb325dd3dc55a17c053c72761fc015a4e20d90c10871e25e440f8ae461686a39b6a7c1c702c82d9241559e52d4a1c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
Filesize
26.5MB

MD5
71e2f49b811292530cde0ec58f3192b9

SHA1
5b3efbc3c30a9292b6c435d6709cfceacc6c18e7

SHA256
37452c57e26e5e0706f1dfdb3976e78972157717c1856c14eb4a0c06dcc07b30

SHA512
9fdf4dfe2258ed593f39a7365d3f1ee4e248f96115b56f308c1e76f13e0eeb47d9a8a0232ad9f32e56254a494c245cb319bb84de94f239fa86ea42ff18f88b54

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
Filesize
1.2MB

MD5
28e464a5b7a6866a7370e7e45798356b

SHA1
3f89ea6ef255d9b1173818b9e93d61a378a855df

SHA256
31d538c7e6bb09457307fc84b0d7d2216f5a2a57d217b49f99ca75bdc6207283

SHA512
a582c2df74f2a97b17e6004831a1478f11b47a2105e558b57732a11d74edb6791dcf7a90e60a9061a554c35c866dbacbaabba11cc37b1fdf38d33d6f27963047

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
Filesize
1.2MB

MD5
28e464a5b7a6866a7370e7e45798356b

SHA1
3f89ea6ef255d9b1173818b9e93d61a378a855df

SHA256
31d538c7e6bb09457307fc84b0d7d2216f5a2a57d217b49f99ca75bdc6207283

SHA512
a582c2df74f2a97b17e6004831a1478f11b47a2105e558b57732a11d74edb6791dcf7a90e60a9061a554c35c866dbacbaabba11cc37b1fdf38d33d6f27963047

Download Submit
C:\Users\Admin\AppData\Local\Temp\0vcdazvv.exe
Filesize
1.5MB

MD5
6f607020e600135a9d4122267df868bf

SHA1
6b8b2bb5d2afccb7efb2e3f8d02c816532665105

SHA256
1164fcc2f8731b5941128fdbf25d1804e667e32fe4862e10347d6010a2e0a487

SHA512
b1044ba839bf2086ccc62fe7c441ed0ed68ec18cabd21db067867d642661d269ce828c20c9c591ef0abf15775b2ceb3f4260763833b8b1fe3203d243292b638e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0vcdazvv.exe
Filesize
1.5MB

MD5
6f607020e600135a9d4122267df868bf

SHA1
6b8b2bb5d2afccb7efb2e3f8d02c816532665105

SHA256
1164fcc2f8731b5941128fdbf25d1804e667e32fe4862e10347d6010a2e0a487

SHA512
b1044ba839bf2086ccc62fe7c441ed0ed68ec18cabd21db067867d642661d269ce828c20c9c591ef0abf15775b2ceb3f4260763833b8b1fe3203d243292b638e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\bitlord-2.4-win32-silent-setup-ver358.exe
Filesize
129.7MB

MD5
e47e4ae0a5dd79e13cafb5d1e3fe1f8c

SHA1
f9620b3efdeee872b5bc8508ad3c0b083b6b502d

SHA256
f772fdb7fdca23df57f025d048547889e0a98b4333546e4d63f254f61321eacb

SHA512
e2127215d87ef5dd334bdaaea848f618f363cba52b8cb5284a04d4ac82e31204d9bc62e74dd484b2b660ecaced37d67b1075760b968d605a93d602d088198605

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\bitlord-2.4-win32-silent-setup-ver358.exe
Filesize
129.7MB

MD5
e47e4ae0a5dd79e13cafb5d1e3fe1f8c

SHA1
f9620b3efdeee872b5bc8508ad3c0b083b6b502d

SHA256
f772fdb7fdca23df57f025d048547889e0a98b4333546e4d63f254f61321eacb

SHA512
e2127215d87ef5dd334bdaaea848f618f363cba52b8cb5284a04d4ac82e31204d9bc62e74dd484b2b660ecaced37d67b1075760b968d605a93d602d088198605

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\prod0_extract\saBSI.exe
Filesize
1.2MB

MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\prod0_extract\saBSI.exe
Filesize
1.2MB

MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\prod1.exe
Filesize
44KB

MD5
f58308fd49a9112de80fc2180ccaf8e5

SHA1
b70b3111259b3328c1e06e9cebddc25abd40b61d

SHA256
4d1e60c79a75694cc0c85dc78b39fa3d7389f05cb27fd6a7f328a812193708d5

SHA512
ed7987689e9498705294be8c6e47ee7260948815f25171651cb8b898318b6b9de46a9e16ab316d2d770a78732a549f0149b7331415ef7a9844eb4d954d12956b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\prod1.exe
Filesize
44KB

MD5
f58308fd49a9112de80fc2180ccaf8e5

SHA1
b70b3111259b3328c1e06e9cebddc25abd40b61d

SHA256
4d1e60c79a75694cc0c85dc78b39fa3d7389f05cb27fd6a7f328a812193708d5

SHA512
ed7987689e9498705294be8c6e47ee7260948815f25171651cb8b898318b6b9de46a9e16ab316d2d770a78732a549f0149b7331415ef7a9844eb4d954d12956b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8MQSA.tmp\zbShieldUtils.dll
Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T2D46.tmp\BitlordSetup.tmp
Filesize
3.0MB

MD5
c2e444a0e6c3fa2fd0c7cb021e625d55

SHA1
d8f392f04c40628c8adfdc2ac10836e5f5eacb3c

SHA256
f624d9e4ff1dd05712752741d419008808a8c1b654e7e897e4b6167417da32bf

SHA512
e03d6cb253356deba3aa93bbcd62412dfb7fc302ab90d818982ac8725efb37d229f9d60a8d6a24cdd5ecbe9f3a9a865c3afb6ec7fa2d091f47f3b7f14db5982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEE78.tmp\RAVEndPointProtection-installer.exe
Filesize
528KB

MD5
18bf9a6aaee2c4c35e4c35c4c28a54d0

SHA1
0622648073c45bb171b2e0b9d7ef6dffe3d643eb

SHA256
3bf349426c78ae9d395c9194d60d1158befad73b46a05d6dc0018774e257e3ee

SHA512
97fcf5194165d3da0d6be723a39c3d996723aebbe128128b89fb5e56f47017573844649039a26fb2214660aa44548ee7638d2f70c1c4e1998dae083925b88340

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEE78.tmp\RAVEndPointProtection-installer.exe
Filesize
528KB

MD5
18bf9a6aaee2c4c35e4c35c4c28a54d0

SHA1
0622648073c45bb171b2e0b9d7ef6dffe3d643eb

SHA256
3bf349426c78ae9d395c9194d60d1158befad73b46a05d6dc0018774e257e3ee

SHA512
97fcf5194165d3da0d6be723a39c3d996723aebbe128128b89fb5e56f47017573844649039a26fb2214660aa44548ee7638d2f70c1c4e1998dae083925b88340

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEE78.tmp\rsAtom.dll
Filesize
183KB

MD5
ecb88004da4968487c3dcdb25fe7f57e

SHA1
5e93b366fa5572d364812ab1bd58e4de4e609189

SHA256
317a5fb24c22592ce35731eb9669c72993084d00f245672112f73174f9d5868d

SHA512
a78db3bc382a2eeda1f5fdaba63eb8fb423bbb1c75cbfe6c9c269d44f1cdb588494511647c2ea511773c2811fbcadb2fe127c9eabbc517b4cf3c0ec35952533b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEE78.tmp\rsJSON.dll
Filesize
227KB

MD5
95279ce2eba7d42a5a365d0830afab02

SHA1
93d56fb27a57818d0a2e66f65865ad287b269f2d

SHA256
d57c85d40f0ea20de46196c58df69551cc5c7291367d5f3849dcd053bd4f3569

SHA512
091ed0c9781f40eb1fc9c9bf55c924414174a1ce6baa09dec69e749872ca56fcbeeac0c69fea3477ef673144cc1d7637c7f0b8197ad6fc9e23072e1f8a80224d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEE78.tmp\rsLogger.dll
Filesize
185KB

MD5
ecdfb913b5ac16a1b05efb4fa9ccd9a9

SHA1
6a27d6991fb1063c86868ffba6deb31867c5f1d4

SHA256
be03f866bb2bb9ea01d2e7671c9dd82fe2a2453fd7621327e70969db35617f50

SHA512
c604a896e597272a0edbed9cf281910635439e9662732137b7c150df8d097ed94f55cf4e8f4f2ae0c4816b37f897692f3e7c34acb31f8699bc9ab21ea0ec7511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEE78.tmp\rsStubLib.dll
Filesize
207KB

MD5
44b0cb09cd849e07c101976a94dd3cd3

SHA1
c986d848d0a1006f82b54f37742fe1524fe12a24

SHA256
767e7db8a18c754ba6b896b8354aa09a2ed13c3d2e6543b77beb65224d641d9c

SHA512
3ef994f27ba137bc503d04f409f00ec085ea4a15e8026b85944814602cd37e01506bec8dd735e8bb884fa83cc4856160d903fefbdb73e52ba42d513af2319aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbEE78.tmp\rsSyncSvc.exe
Filesize
578KB

MD5
ad273dae5c6d7ad0317e8471a6a8c4fa

SHA1
60013851dbd0c70a6183299c95a5e92283260a51

SHA256
8d0ef4a070b16a89c2f5b16eba3bd176c2f507e46a8b9c54259ec41d4ec6f903

SHA512
280985c24a31fee7ad43996f2e10a198553f486cdee0d6e5439e603c351fe92bf5531c8246220c441fb511a54724b4ebbc3b6fbd6ed94a65285200b4ebf063be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk47D8.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk47D8.tmp\SimpleFC.dll
Filesize
175KB

MD5
941a7b4dc105c3487d2b2961dc6ccb01

SHA1
ac71c5b759cabd78213748329909eaee60810d12

SHA256
7274fe736fe36cdc8343b04fea6ff598ce384ead99ea94e4b47d4d329037331d

SHA512
40b2067121366254a6ff048e05767c337ea3f811122f97a5ce283502b6b6bba3eb82b2637115e65772c8b32c6c1a8cf9f991b06731bf7e71ffe5a6cf026ed5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk47D8.tmp\SimpleFC.dll
Filesize
175KB

MD5
941a7b4dc105c3487d2b2961dc6ccb01

SHA1
ac71c5b759cabd78213748329909eaee60810d12

SHA256
7274fe736fe36cdc8343b04fea6ff598ce384ead99ea94e4b47d4d329037331d

SHA512
40b2067121366254a6ff048e05767c337ea3f811122f97a5ce283502b6b6bba3eb82b2637115e65772c8b32c6c1a8cf9f991b06731bf7e71ffe5a6cf026ed5e6

Download Submit
C:\Windows\Temp\{4E5F90B2-FDE8-4AB6-8DCF-CDEE94305880}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{79CBB2EA-2E33-449F-81BA-71F34E4EFB45}\.cr\vcredist_msvc2019_x86.exe
Filesize
632KB

MD5
c9d95472a5627c6c455e74c8b8fef5be

SHA1
34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82

SHA256
4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b

SHA512
989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31

Download Submit
C:\Windows\Temp\{79CBB2EA-2E33-449F-81BA-71F34E4EFB45}\.cr\vcredist_msvc2019_x86.exe
Filesize
632KB

MD5
c9d95472a5627c6c455e74c8b8fef5be

SHA1
34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82

SHA256
4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b

SHA512
989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31

Download Submit
C:\Windows\Temp\{906FC3B6-9E1F-447A-A54C-ABF9F9B3D7EE}\.cr\vcredist_msvc2019_x64.exe
Filesize
632KB

MD5
94970fc3a8ed7b9de44f4117419ce829

SHA1
aa1292f049c4173e2ab60b59b62f267fd884d21a

SHA256
de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e

SHA512
b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f

Download Submit
C:\Windows\Temp\{906FC3B6-9E1F-447A-A54C-ABF9F9B3D7EE}\.cr\vcredist_msvc2019_x64.exe
Filesize
632KB

MD5
94970fc3a8ed7b9de44f4117419ce829

SHA1
aa1292f049c4173e2ab60b59b62f267fd884d21a

SHA256
de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e

SHA512
b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f

Download Submit
C:\Windows\Temp\{E0529B85-6081-4480-83F1-2344794176D7}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/440-339-0x0000000000000000-mapping.dmp

Download
memory/540-349-0x0000000000000000-mapping.dmp

Download
memory/1004-315-0x0000000000000000-mapping.dmp

Download
memory/1152-234-0x0000000000000000-mapping.dmp

Download
memory/1348-319-0x0000000000000000-mapping.dmp

Download
memory/1440-317-0x0000000000000000-mapping.dmp

Download
memory/1460-377-0x000001D5752E0000-0x000001D57545C000-memory.dmp

Filesize
1.5MB

Download
memory/1460-376-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/1460-397-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/1460-374-0x000001D5754A0000-0x000001D575806000-memory.dmp

Filesize
3.4MB

Download
memory/1460-378-0x000001D575150000-0x000001D57516A000-memory.dmp

Filesize
104KB

Download
memory/1460-379-0x000001D5751A0000-0x000001D5751C2000-memory.dmp

Filesize
136KB

Download
memory/1512-402-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/1512-399-0x0000000000000000-mapping.dmp

Download
memory/1512-400-0x00000170A6AD0000-0x00000170A6B08000-memory.dmp

Filesize
224KB

Download
memory/1564-416-0x0000000000000000-mapping.dmp

Download
memory/1684-366-0x0000000000000000-mapping.dmp

Download
memory/1764-162-0x0000000003180000-0x00000000031B0000-memory.dmp

Filesize
192KB

Download
memory/1764-142-0x0000000000000000-mapping.dmp

Download
memory/1804-463-0x0000000000000000-mapping.dmp

Download
memory/1804-197-0x0000000000000000-mapping.dmp

Download
memory/1820-235-0x0000000000000000-mapping.dmp

Download
memory/1824-359-0x0000000000000000-mapping.dmp

Download
memory/1988-267-0x0000000000000000-mapping.dmp

Download
memory/2192-146-0x0000000000000000-mapping.dmp

Download
memory/2216-335-0x0000000000000000-mapping.dmp

Download
memory/2264-346-0x0000000000000000-mapping.dmp

Download
memory/2392-342-0x0000000000000000-mapping.dmp

Download
memory/2396-419-0x0000000000000000-mapping.dmp

Download
memory/2396-420-0x000001A2337A0000-0x000001A2337D6000-memory.dmp

Filesize
216KB

Download
memory/2456-457-0x0000000000000000-mapping.dmp

Download
memory/2460-336-0x0000000000000000-mapping.dmp

Download
memory/3024-169-0x000001F07F610000-0x000001F07F618000-memory.dmp

Filesize
32KB

Download
memory/3024-171-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/3024-166-0x0000000000000000-mapping.dmp

Download
memory/3024-230-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/3024-170-0x000001F01A600000-0x000001F01AB28000-memory.dmp

Filesize
5.2MB

Download
memory/3032-192-0x0000000000000000-mapping.dmp

Download
memory/3380-380-0x0000000000000000-mapping.dmp

Download
memory/3540-273-0x0000000000000000-mapping.dmp

Download
memory/3588-163-0x0000000000000000-mapping.dmp

Download
memory/3628-314-0x0000000000000000-mapping.dmp

Download
memory/3660-369-0x000001C6A86E0000-0x000001C6A870E000-memory.dmp

Filesize
184KB

Download
memory/3660-371-0x000001C6AA240000-0x000001C6AA252000-memory.dmp

Filesize
72KB

Download
memory/3660-368-0x000001C6A86E0000-0x000001C6A870E000-memory.dmp

Filesize
184KB

Download
memory/3660-370-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/3660-373-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/3660-372-0x000001C6AA2A0000-0x000001C6AA2DC000-memory.dmp

Filesize
240KB

Download
memory/3660-367-0x0000000000000000-mapping.dmp

Download
memory/3740-251-0x0000000000000000-mapping.dmp

Download
memory/3788-181-0x0000000000000000-mapping.dmp

Download
memory/3804-333-0x0000000000000000-mapping.dmp

Download
memory/3804-141-0x0000000000000000-mapping.dmp

Download
memory/3820-318-0x0000000000000000-mapping.dmp

Download
memory/3888-334-0x0000000000000000-mapping.dmp

Download
memory/4012-149-0x0000000000000000-mapping.dmp

Download
memory/4324-283-0x00007FF6BC880000-0x00007FF6BC890000-memory.dmp

Filesize
64KB

Download
memory/4324-231-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-266-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-276-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-277-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-274-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-275-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-272-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-278-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-270-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-269-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-268-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-265-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-264-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-263-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-262-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-246-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-244-0x00007FF6B3A90000-0x00007FF6B3AA0000-memory.dmp

Filesize
64KB

Download
memory/4324-243-0x00007FF6BDCC0000-0x00007FF6BDCD0000-memory.dmp

Filesize
64KB

Download
memory/4324-242-0x00007FF6596F0000-0x00007FF659700000-memory.dmp

Filesize
64KB

Download
memory/4324-240-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-239-0x00007FF6B3A90000-0x00007FF6B3AA0000-memory.dmp

Filesize
64KB

Download
memory/4324-238-0x00007FF6BDCC0000-0x00007FF6BDCD0000-memory.dmp

Filesize
64KB

Download
memory/4324-236-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-247-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-253-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-279-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-199-0x0000000000000000-mapping.dmp

Download
memory/4324-227-0x00007FF6BC880000-0x00007FF6BC890000-memory.dmp

Filesize
64KB

Download
memory/4324-282-0x00007FF6BC880000-0x00007FF6BC890000-memory.dmp

Filesize
64KB

Download
memory/4324-258-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-284-0x00007FF6BC880000-0x00007FF6BC890000-memory.dmp

Filesize
64KB

Download
memory/4324-287-0x00007FF6596F0000-0x00007FF659700000-memory.dmp

Filesize
64KB

Download
memory/4324-289-0x00007FF6596F0000-0x00007FF659700000-memory.dmp

Filesize
64KB

Download
memory/4324-291-0x00007FF6B3A90000-0x00007FF6B3AA0000-memory.dmp

Filesize
64KB

Download
memory/4324-292-0x00007FF6BDCC0000-0x00007FF6BDCD0000-memory.dmp

Filesize
64KB

Download
memory/4324-290-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-288-0x00007FF6BDCC0000-0x00007FF6BDCD0000-memory.dmp

Filesize
64KB

Download
memory/4324-286-0x00007FF6BDCC0000-0x00007FF6BDCD0000-memory.dmp

Filesize
64KB

Download
memory/4324-285-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-261-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-226-0x00007FF6BC880000-0x00007FF6BC890000-memory.dmp

Filesize
64KB

Download
memory/4324-228-0x00007FF6BC880000-0x00007FF6BC890000-memory.dmp

Filesize
64KB

Download
memory/4324-260-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-229-0x00007FF6BC880000-0x00007FF6BC890000-memory.dmp

Filesize
64KB

Download
memory/4324-232-0x00007FF6BDCC0000-0x00007FF6BDCD0000-memory.dmp

Filesize
64KB

Download
memory/4324-204-0x00007FF6BC880000-0x00007FF6BC890000-memory.dmp

Filesize
64KB

Download
memory/4324-271-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-233-0x00007FF6BDCC0000-0x00007FF6BDCD0000-memory.dmp

Filesize
64KB

Download
memory/4324-259-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-254-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-257-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-256-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-237-0x00007FF6596F0000-0x00007FF659700000-memory.dmp

Filesize
64KB

Download
memory/4324-241-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-245-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4324-249-0x00007FF6BDCC0000-0x00007FF6BDCD0000-memory.dmp

Filesize
64KB

Download
memory/4324-255-0x00007FF6BDCC0000-0x00007FF6BDCD0000-memory.dmp

Filesize
64KB

Download
memory/4324-250-0x00007FF671F00000-0x00007FF671F10000-memory.dmp

Filesize
64KB

Download
memory/4324-252-0x00007FF6BDCC0000-0x00007FF6BDCD0000-memory.dmp

Filesize
64KB

Download
memory/4324-248-0x00007FF6A61C0000-0x00007FF6A61D0000-memory.dmp

Filesize
64KB

Download
memory/4396-338-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4396-352-0x0000000000000000-mapping.dmp

Download
memory/4396-132-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4396-136-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4432-351-0x0000000000000000-mapping.dmp

Download
memory/4460-396-0x0000000000000000-mapping.dmp

Download
memory/4536-406-0x000002243A900000-0x000002243A926000-memory.dmp

Filesize
152KB

Download
memory/4536-404-0x000002243A890000-0x000002243A8F6000-memory.dmp

Filesize
408KB

Download
memory/4536-411-0x000002243C570000-0x000002243C7F0000-memory.dmp

Filesize
2.5MB

Download
memory/4536-412-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/4536-413-0x000002243B4D0000-0x000002243B4F4000-memory.dmp

Filesize
144KB

Download
memory/4536-414-0x000002243C2F0000-0x000002243C314000-memory.dmp

Filesize
144KB

Download
memory/4536-407-0x000002243AF10000-0x000002243AF38000-memory.dmp

Filesize
160KB

Download
memory/4536-415-0x000002243C320000-0x000002243C34E000-memory.dmp

Filesize
184KB

Download
memory/4536-409-0x000002243B3F0000-0x000002243B456000-memory.dmp

Filesize
408KB

Download
memory/4536-394-0x000002243A6C0000-0x000002243A6F6000-memory.dmp

Filesize
216KB

Download
memory/4536-408-0x000002243AFB0000-0x000002243B01C000-memory.dmp

Filesize
432KB

Download
memory/4536-417-0x000002243C390000-0x000002243C3C8000-memory.dmp

Filesize
224KB

Download
memory/4536-405-0x000002243AED0000-0x000002243AF0A000-memory.dmp

Filesize
232KB

Download
memory/4536-410-0x000002243B460000-0x000002243B49A000-memory.dmp

Filesize
232KB

Download
memory/4536-403-0x000002243B160000-0x000002243B3E6000-memory.dmp

Filesize
2.5MB

Download
memory/4536-401-0x000002243A7C0000-0x000002243A81E000-memory.dmp

Filesize
376KB

Download
memory/4536-421-0x000002243C3D0000-0x000002243C3F4000-memory.dmp

Filesize
144KB

Download
memory/4536-418-0x000002243CA40000-0x000002243CC8C000-memory.dmp

Filesize
2.3MB

Download
memory/4536-398-0x000002243A730000-0x000002243A75E000-memory.dmp

Filesize
184KB

Download
memory/4536-393-0x000002243A680000-0x000002243A6B8000-memory.dmp

Filesize
224KB

Download
memory/4536-389-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/4536-390-0x000002243A090000-0x000002243A0B4000-memory.dmp

Filesize
144KB

Download
memory/4536-391-0x000002243A0C0000-0x000002243A0F4000-memory.dmp

Filesize
208KB

Download
memory/4536-392-0x000002243A640000-0x000002243A672000-memory.dmp

Filesize
200KB

Download
memory/4564-156-0x0000000000000000-mapping.dmp

Download
memory/4588-350-0x0000000000000000-mapping.dmp

Download
memory/4616-330-0x00000222D4DB0000-0x00000222D4E26000-memory.dmp

Filesize
472KB

Download
memory/4616-186-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/4616-190-0x00000222B9E80000-0x00000222B9EAE000-memory.dmp

Filesize
184KB

Download
memory/4616-188-0x00000222BB800000-0x00000222BB838000-memory.dmp

Filesize
224KB

Download
memory/4616-395-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/4616-185-0x00000222B9E00000-0x00000222B9E2E000-memory.dmp

Filesize
184KB

Download
memory/4616-281-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/4616-180-0x00000222B9DC0000-0x00000222B9DF4000-memory.dmp

Filesize
208KB

Download
memory/4616-178-0x00000222B99E0000-0x00000222B9A62000-memory.dmp

Filesize
520KB

Download
memory/4616-175-0x0000000000000000-mapping.dmp

Download
memory/4616-331-0x00000222BB940000-0x00000222BB95E000-memory.dmp

Filesize
120KB

Download
memory/4672-280-0x0000000000000000-mapping.dmp

Download
memory/4764-460-0x0000000000000000-mapping.dmp

Download
memory/4824-384-0x0000020E22200000-0x0000020E22254000-memory.dmp

Filesize
336KB

Download
memory/4824-388-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/4824-387-0x0000020E23290000-0x0000020E234BC000-memory.dmp

Filesize
2.2MB

Download
memory/4824-386-0x0000020E07D90000-0x0000020E07DEA000-memory.dmp

Filesize
360KB

Download
memory/4824-385-0x0000020E09930000-0x0000020E09956000-memory.dmp

Filesize
152KB

Download
memory/4824-381-0x0000000000000000-mapping.dmp

Download
memory/4824-382-0x0000020E07D90000-0x0000020E07DEA000-memory.dmp

Filesize
360KB

Download
memory/4824-383-0x00007FFB85490000-0x00007FFB85F51000-memory.dmp

Filesize
10.8MB

Download
memory/4860-140-0x0000000004D30000-0x0000000004D3F000-memory.dmp

Filesize
60KB

Download
memory/4860-134-0x0000000000000000-mapping.dmp

Download
memory/4888-153-0x0000000000000000-mapping.dmp

Download
memory/4940-337-0x0000000000000000-mapping.dmp

Download
memory/5060-340-0x0000000000000000-mapping.dmp

Download
memory/5072-325-0x0000000000000000-mapping.dmp

Download
memory/5072-332-0x000002410E290000-0x000002410F290000-memory.dmp

Filesize
16.0MB

Download
memory/5072-375-0x000002410E290000-0x000002410F290000-memory.dmp

Filesize
16.0MB

Download
memory/5116-172-0x0000000000000000-mapping.dmp

Download
memory/5140-472-0x0000000000000000-mapping.dmp

Download
memory/5188-475-0x0000000000000000-mapping.dmp

Download
memory/5216-478-0x0000000000000000-mapping.dmp

Download