02640e1dd5e7e7ea7a3b89ed9b7691ae934782013cb21b07905dc3b63782dd6a

Analysis

max time kernel
68s
max time network
136s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28/12/2022, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine74.exe
Size

3.1MB
MD5

eec95b987e4b10e3d1632d62b50b4b30
SHA1

d0d37058dc3f9e392ed00b284bbfd2b5ee66751d
SHA256

02640e1dd5e7e7ea7a3b89ed9b7691ae934782013cb21b07905dc3b63782dd6a
SHA512

49333a656a2cdc64cb9d441ef370d537300049134c4bd89ce1463afad7e171bdf4c03f9fc96c3f019aa87baf5b876baed239f7ff5979ba0e39db0f311facbfc9
SSDEEP

98304:eSiD4opH4opH4opuE9vBuqC0yGa/xlbLP/hy:yDBDBDlaJHbb0

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

pid	Process
1640	CheatEngine74.tmp
4344	saBSI.exe
5092	prod1.exe
3900	CheatEngine74.exe
4832	xk12rjll.exe
904	CheatEngine74.tmp
3168	RAVEndPointProtection-installer.exe
2096	saBSI.exe
752	rsSyncSvc.exe
4524	rsSyncSvc.exe
4604	_setup64.tmp
4884	installer.exe
4952	installer.exe
4984	Kernelmoduleunloader.exe
4264	windowsrepair.exe
5008	ServiceHost.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 10 IoCs

pid	Process
1640	CheatEngine74.tmp
1640	CheatEngine74.tmp
1640	CheatEngine74.tmp
2756	regsvr32.exe
3696	regsvr32.exe
3168	RAVEndPointProtection-installer.exe
5008	ServiceHost.exe
5008	ServiceHost.exe
5008	ServiceHost.exe
5008	ServiceHost.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4212	icacls.exe
4580	icacls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\Temp2649851989\jslang\eula-ja-JP.txt	installer.exe
File created	C:\Program Files\Cheat Engine 7.4\include\winapi\is-19H5K.tmp	CheatEngine74.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-core.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\Temp2649851989\downloadscan.cab	installer.exe
File created	C:\Program Files\McAfee\Temp2649851989\mfw-nps.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_logo2.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2649851989\jslang\eula-fr-FR.txt	installer.exe
File created	C:\Program Files\Cheat Engine 7.4\is-H4HNR.tmp	CheatEngine74.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-utils.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\searchannotations.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\browsernavigate.luc	installer.exe
File created	C:\Program Files\McAfee\Temp2649851989\wa-common.css	installer.exe
File created	C:\Program Files\McAfee\Temp2649851989\jslang\eula-sv-SE.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2649851989\wa-utils.js	installer.exe
File created	C:\Program Files\McAfee\Temp2649851989\jslang\eula-pl-PL.txt	installer.exe
File created	C:\Program Files\Cheat Engine 7.4\win32\is-VP0RA.tmp	CheatEngine74.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\sendonping.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\toastchecktriggered.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wpssetting.luc	installer.exe
File created	C:\Program Files\Cheat Engine 7.4\is-6F7Q0.tmp	CheatEngine74.tmp
File created	C:\Program Files\McAfee\Temp2649851989\jslang\wa-res-install-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-fr-CA.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.0.7\locales\sw.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.0.7\resources\app.asar.sig	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp2649851989\jslang\wa-res-shared-ru-RU.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.4\win64\is-GHSOU.tmp	CheatEngine74.tmp
File created	C:\Program Files\Cheat Engine 7.4\include\is-1E21E.tmp	CheatEngine74.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-dialog-balloon.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\downloadscan.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\remapattributes.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\wa-utils.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\new-tab-toasts.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fr-FR.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.4\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-MOQ04.tmp	CheatEngine74.tmp
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\sequencenumber.luc	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.4\tcc32-32.dll	CheatEngine74.tmp
File created	C:\Program Files\McAfee\Temp2649851989\jslang\wa-res-install-cs-CZ.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.4\plugins\example-c\is-L7GPE.tmp	CheatEngine74.tmp
File created	C:\Program Files\Cheat Engine 7.4\include\sec_api\is-EF713.tmp	CheatEngine74.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-overlay.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-toasts.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-fr-CA.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.0.7\locales\id.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wsscspid.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\domainnavigatedcounter.luc	installer.exe
File created	C:\Program Files\Cheat Engine 7.4\include\is-906K9.tmp	CheatEngine74.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-pt-BR.js	installer.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1504	sc.exe
3840	sc.exe
4144	sc.exe
5032	sc.exe
2136	sc.exe
3312	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine74.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine74.tmp

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine74.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine74.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.4\\Cheat Engine.exe,0"	CheatEngine74.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine74.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine74.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine74.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine74.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine74.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine74.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.4\\Cheat Engine.exe\" \"%1\""	CheatEngine74.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine74.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine74.tmp

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

Runs net.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4344	saBSI.exe
4344	saBSI.exe
4344	saBSI.exe
4344	saBSI.exe
4344	saBSI.exe
4344	saBSI.exe
4344	saBSI.exe
4344	saBSI.exe
4344	saBSI.exe
4344	saBSI.exe
904	CheatEngine74.tmp
904	CheatEngine74.tmp
2096	saBSI.exe
2096	saBSI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	prod1.exe
Token: SeDebugPrivilege	3168	RAVEndPointProtection-installer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1640	CheatEngine74.tmp
904	CheatEngine74.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1640	2340	CheatEngine74.exe	66
PID 2340 wrote to memory of 1640	2340	CheatEngine74.exe	66
PID 2340 wrote to memory of 1640	2340	CheatEngine74.exe	66
PID 1640 wrote to memory of 4344	1640	CheatEngine74.tmp	67
PID 1640 wrote to memory of 4344	1640	CheatEngine74.tmp	67
PID 1640 wrote to memory of 4344	1640	CheatEngine74.tmp	67
PID 1640 wrote to memory of 5092	1640	CheatEngine74.tmp	68
PID 1640 wrote to memory of 5092	1640	CheatEngine74.tmp	68
PID 1640 wrote to memory of 3900	1640	CheatEngine74.tmp	69
PID 1640 wrote to memory of 3900	1640	CheatEngine74.tmp	69
PID 1640 wrote to memory of 3900	1640	CheatEngine74.tmp	69
PID 5092 wrote to memory of 4832	5092	prod1.exe	70
PID 5092 wrote to memory of 4832	5092	prod1.exe	70
PID 5092 wrote to memory of 4832	5092	prod1.exe	70
PID 3900 wrote to memory of 904	3900	CheatEngine74.exe	71
PID 3900 wrote to memory of 904	3900	CheatEngine74.exe	71
PID 3900 wrote to memory of 904	3900	CheatEngine74.exe	71
PID 4832 wrote to memory of 3168	4832	xk12rjll.exe	72
PID 4832 wrote to memory of 3168	4832	xk12rjll.exe	72
PID 4344 wrote to memory of 2096	4344	saBSI.exe	73
PID 4344 wrote to memory of 2096	4344	saBSI.exe	73
PID 4344 wrote to memory of 2096	4344	saBSI.exe	73
PID 904 wrote to memory of 5044	904	CheatEngine74.tmp	74
PID 904 wrote to memory of 5044	904	CheatEngine74.tmp	74
PID 5044 wrote to memory of 2056	5044	net.exe	76
PID 5044 wrote to memory of 2056	5044	net.exe	76
PID 904 wrote to memory of 2116	904	CheatEngine74.tmp	79
PID 904 wrote to memory of 2116	904	CheatEngine74.tmp	79
PID 2116 wrote to memory of 4632	2116	net.exe	80
PID 2116 wrote to memory of 4632	2116	net.exe	80
PID 904 wrote to memory of 3840	904	CheatEngine74.tmp	82
PID 904 wrote to memory of 3840	904	CheatEngine74.tmp	82
PID 3168 wrote to memory of 752	3168	RAVEndPointProtection-installer.exe	83
PID 3168 wrote to memory of 752	3168	RAVEndPointProtection-installer.exe	83
PID 904 wrote to memory of 4144	904	CheatEngine74.tmp	85
PID 904 wrote to memory of 4144	904	CheatEngine74.tmp	85
PID 904 wrote to memory of 4604	904	CheatEngine74.tmp	88
PID 904 wrote to memory of 4604	904	CheatEngine74.tmp	88
PID 904 wrote to memory of 4212	904	CheatEngine74.tmp	90
PID 904 wrote to memory of 4212	904	CheatEngine74.tmp	90
PID 2096 wrote to memory of 4884	2096	saBSI.exe	92
PID 2096 wrote to memory of 4884	2096	saBSI.exe	92
PID 4884 wrote to memory of 4952	4884	installer.exe	93
PID 4884 wrote to memory of 4952	4884	installer.exe	93
PID 4952 wrote to memory of 5032	4952	installer.exe	139
PID 4952 wrote to memory of 5032	4952	installer.exe	139
PID 4952 wrote to memory of 1400	4952	installer.exe	95
PID 4952 wrote to memory of 1400	4952	installer.exe	95
PID 4952 wrote to memory of 3312	4952	installer.exe	100
PID 4952 wrote to memory of 3312	4952	installer.exe	100
PID 4952 wrote to memory of 2136	4952	installer.exe	99
PID 4952 wrote to memory of 2136	4952	installer.exe	99
PID 904 wrote to memory of 4984	904	CheatEngine74.tmp	102
PID 904 wrote to memory of 4984	904	CheatEngine74.tmp	102
PID 904 wrote to memory of 4984	904	CheatEngine74.tmp	102
PID 1400 wrote to memory of 2756	1400	regsvr32.exe	101
PID 1400 wrote to memory of 2756	1400	regsvr32.exe	101
PID 1400 wrote to memory of 2756	1400	regsvr32.exe	101
PID 4952 wrote to memory of 3696	4952	installer.exe	103
PID 4952 wrote to memory of 3696	4952	installer.exe	103
PID 904 wrote to memory of 4264	904	CheatEngine74.tmp	104
PID 904 wrote to memory of 4264	904	CheatEngine74.tmp	104
PID 904 wrote to memory of 4264	904	CheatEngine74.tmp	104
PID 4952 wrote to memory of 3736	4952	installer.exe	107

C:\Users\Admin\AppData\Local\Temp\CheatEngine74.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\is-K9VE4.tmp\CheatEngine74.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K9VE4.tmp\CheatEngine74.tmp" /SL5="$60116,2333601,780800,C:\Users\Admin\AppData\Local\Temp\CheatEngine74.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\prod0_extract\saBSI.exe
    "C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
      "C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91088 PaidDistribution=true saBsiVersion=4.1.1.663 /no_self_update
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
        
        "C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4884
      - C:\Program Files\McAfee\Temp2649851989\installer.exe
        
        "C:\Program Files\McAfee\Temp2649851989\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"
        7⤵
        Launches sc.exe
        
        PID:5032
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        8⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0
        7⤵
        Launches sc.exe
        
        PID:2136
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"
        7⤵
        Launches sc.exe
        
        PID:3312
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        7⤵
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe start "McAfee WebAdvisor"
        7⤵
        Launches sc.exe
        
        PID:1504
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        7⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        8⤵
        
        PID:4224
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
        7⤵
        
        PID:908
- - C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\prod1.exe
    "C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\prod1.exe" -ip:"dui=1adb157e-7186-4895-9c9e-46386703fc96&dit=20221228183220&is_silent=true&oc=ZB_RAV_Cross_Tri&p=cdc2&a=100&b=&se=true" -vp:"dui=1adb157e-7186-4895-9c9e-46386703fc96&dit=20221228183220&oip=26&ptl=7&dta=true&a=100" -dp:"dui=1adb157e-7186-4895-9c9e-46386703fc96&dit=20221228183220&a=100" -i -v -d
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\xk12rjll.exe
      "C:\Users\Admin\AppData\Local\Temp\xk12rjll.exe" /silent
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Users\Admin\AppData\Local\Temp\nsm3F1D.tmp\RAVEndPointProtection-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsm3F1D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\xk12rjll.exe" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3168
      - C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        6⤵
        Executes dropped EXE
        
        PID:752
      - \??\c:\windows\system32\rundll32.exe
        
        "c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\ReasonCamFilter.inf
        6⤵
        
        PID:2616
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        7⤵
        
        PID:4996
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        8⤵
        
        PID:2912
      - C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load ReasonCamFilter
        6⤵
        
        PID:968
      - \??\c:\windows\system32\rundll32.exe
        
        "c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        6⤵
        
        PID:4924
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        7⤵
        
        PID:4820
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        8⤵
        
        PID:4056
      - C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        6⤵
        
        PID:4728
      - C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        6⤵
        
        PID:5112
      - C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
        6⤵
        
        PID:4252
      - C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
        6⤵
        
        PID:4232
      - C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
        6⤵
        
        PID:3316
      - C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
        6⤵
        
        PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\ox4mqbqn.exe
      "C:\Users\Admin\AppData\Local\Temp\ox4mqbqn.exe" /silent
      4⤵
      PID:3876
    - - C:\Users\Admin\AppData\Local\Temp\nsr3BEC.tmp\RAVVPN-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsr3BEC.tmp\RAVVPN-installer.exe" "C:\Users\Admin\AppData\Local\Temp\ox4mqbqn.exe" /silent
        5⤵
        
        PID:1120
      - C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i
        6⤵
        
        PID:3336
      - C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i
        6⤵
        
        PID:752
- - C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\CheatEngine74.exe
    "C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\CheatEngine74.exe" /VERYSILENT /ZBDIST
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\is-MQ1U3.tmp\CheatEngine74.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MQ1U3.tmp\CheatEngine74.tmp" /SL5="$20208,23492458,780800,C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\CheatEngine74.exe" /VERYSILENT /ZBDIST
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:904
    - - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5044
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        6⤵
        
        PID:2056
    - - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        6⤵
        
        PID:4632
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        5⤵
        Launches sc.exe
        
        PID:3840
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        5⤵
        Launches sc.exe
        
        PID:4144
    - - C:\Users\Admin\AppData\Local\Temp\is-27PCN.tmp\_isetup\_setup64.tmp
        
        helper 105 0x3B4
        5⤵
        Executes dropped EXE
        
        PID:4604
    - - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.4" /grant *S-1-15-2-1:(OI)(CI)(RX)
        5⤵
        Modifies file permissions
        
        PID:4212
    - - C:\Program Files\Cheat Engine 7.4\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.4\Kernelmoduleunloader.exe" /SETUP
        5⤵
        Executes dropped EXE
        
        PID:4984
    - - C:\Program Files\Cheat Engine 7.4\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.4\windowsrepair.exe" /s
        5⤵
        Executes dropped EXE
        
        PID:4264
    - - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.4" /grant *S-1-15-2-1:(OI)(CI)(RX)
        5⤵
        Modifies file permissions
        
        PID:4580
- - C:\Program Files\Cheat Engine 7.4\Cheat Engine.exe
    "C:\Program Files\Cheat Engine 7.4\Cheat Engine.exe"
    3⤵
    PID:4180
  - - C:\Program Files\Cheat Engine 7.4\cheatengine-x86_64.exe
      "C:\Program Files\Cheat Engine 7.4\cheatengine-x86_64.exe"
      4⤵
      PID:2064

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:4524

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5008
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  PID:3848
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
    3⤵
    PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
    3⤵
    PID:2628

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:5032

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
PID:4148

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
PID:756
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  PID:4740
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  PID:4892
- - C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    PID:3680
  - - C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\RAV Endpoint Protection" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 --field-trial-handle=1672,i,10991223248297022323,17458973886012577800,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:3860
  - - C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\RAV Endpoint Protection" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2224 --field-trial-handle=1672,i,10991223248297022323,17458973886012577800,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      PID:356
  - - C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RAV Endpoint Protection" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.0.7\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2524 --field-trial-handle=1672,i,10991223248297022323,17458973886012577800,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:3036
  - - C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.0.7\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RAV Endpoint Protection" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.0.7\resources\app.asar" --enable-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3272 --field-trial-handle=1672,i,10991223248297022323,17458973886012577800,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:1848

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
PID:2624

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cheat Engine 7.4\allochook-i386.dll

Filesize
328KB

MD5
19d52868c3e0b609dbeb68ef81f381a9

SHA1
ce365bd4cf627a3849d7277bafbf2f5f56f496dc

SHA256
b96469b310ba59d1db320a337b3a8104db232a4344a47a8e5ae72f16cc7b1ff4

SHA512
5fbd53d761695de1dd6f0afd0964b33863764c89692345cab013c0b1b6332c24dcf766028f305cc87d864d17229d7a52bf19a299ca136a799053c368f21c8926

Download Submit
C:\Program Files\Cheat Engine 7.4\allochook-x86_64.dll

Filesize
468KB

MD5
daa81711ad1f1b1f8d96dc926d502484

SHA1
7130b241e23bede2b1f812d95fdb4ed5eecadbfd

SHA256
8422be70e0ec59c962b35acf8ad80671bcc8330c9256e6e1ec5c07691388cd66

SHA512
9eaa8e04ad7359a30d5e2f9256f94c1643d4c3f3c0dff24d6cd9e31a6f88cb3b470dd98f01f8b0f57bb947adc3d45c35749ed4877c7cbbbcc181145f0c361065

Download Submit
C:\Program Files\Cheat Engine 7.4\libipt-32.dll

Filesize
157KB

MD5
df443813546abcef7f33dd9fc0c6070a

SHA1
635d2d453d48382824e44dd1e59d5c54d735ee2c

SHA256
d14911c838620251f7f64c190b04bb8f4e762318cc763d993c9179376228d8ca

SHA512
9f9bea9112d9db9bcecfc8e4800b7e8032efb240cbbddaf26c133b4ce12d27b47dc4e90bc339c561714bc972f6e809b2ec9c9e1facc6c223fbac66b089a14c25

Download Submit
C:\Program Files\Cheat Engine 7.4\libipt-64.dll

Filesize
182KB

MD5
4a3b7c52ef32d936e3167efc1e920ae6

SHA1
d5d8daa7a272547419132ddb6e666f7559dbac04

SHA256
26ede848dba071eb76c0c0ef8e9d8ad1c53dfab47ca9137abc9d683032f06ebb

SHA512
36d7f8a0a749de049a830cc8c8f0d3962d8dce57b445f5f3c771a86dd11aaa10da5f36f95e55d3dc90900e4dbddd0dcc21052c53aa11f939db691362c42e5312

Download Submit
C:\Program Files\Cheat Engine 7.4\luaclient-i386.dll

Filesize
197KB

MD5
9f50134c8be9af59f371f607a6daa0b6

SHA1
6584b98172cbc4916a7e5ca8d5788493f85f24a7

SHA256
dd07117ed80546f23d37f8023e992de560a1f55a76d1eb6dfd9d55baa5e3dad6

SHA512
5ccafa2b0e2d20034168ee9a79e8efff64f12f5247f6772815ef4cb9ee56f245a06b088247222c5a3789ae2dcefadbc2c15df4ff5196028857f92b9992b094e0

Download Submit
C:\Program Files\Cheat Engine 7.4\luaclient-x86_64.dll

Filesize
260KB

MD5
dd71848b5bbd150e22e84238cf985af0

SHA1
35c7aa128d47710cfdb15bb6809a20dbd0f916d8

SHA256
253d18d0d835f482e6abbaf716855580eb8fe789292c937301e4d60ead29531d

SHA512
0cbf35c9d7b09fb57d8a9079eab726a3891393f12aee8b43e01d1d979509e755b74c0fb677f8f2dfab6b2e34a141f65d0cfbfe57bda0bf7482841ad31ace7790

Download Submit
C:\Program Files\Cheat Engine 7.4\speedhack-i386.dll

Filesize
200KB

MD5
6e00495955d4efaac2e1602eb47033ee

SHA1
95c2998d35adcf2814ec7c056bfbe0a0eb6a100c

SHA256
5e24a5fe17ec001cab7118328a4bff0f2577bd057206c6c886c3b7fb98e0d6d9

SHA512
2004d1def322b6dd7b129fe4fa7bbe5d42ab280b2e9e81de806f54313a7ed7231f71b62b6138ac767288fee796092f3397e5390e858e06e55a69b0d00f18b866

Download Submit
C:\Program Files\Cheat Engine 7.4\speedhack-x86_64.dll

Filesize
256KB

MD5
19b2050b660a4f9fcb71c93853f2e79c

SHA1
5ffa886fa019fcd20008e8820a0939c09a62407a

SHA256
5421b570fbc1165d7794c08279e311672dc4f42cb7ae1cbddcd7eea0b1136fff

SHA512
a93e47387ab0d327b71c3045b3964c7586d0e03dddb2e692f6671fb99659e829591d5f23ce7a95683d82d239ba7d11fb5a123834629a53de5ce5dba6aa714a9a

Download Submit
C:\Program Files\Cheat Engine 7.4\vehdebug-i386.dll

Filesize
319KB

MD5
975965814c0a7ea194aeb1b0eeb7ec09

SHA1
d99e44da2016a48ceb5819330c7a57c3c8077841

SHA256
8f3ef35eb8e3ee61700868d0fc083155432ee0467da4c51d3b794dd7009dfd14

SHA512
02e7643594b3800c93eb7e991cb3dde70ca0d232a7e6b35c65b2f24d4bd8580d506e9f554411943b8a2354ad1e37b2e680a894f0080047c5319a64bfca221c9c

Download Submit
C:\Program Files\Cheat Engine 7.4\vehdebug-x86_64.dll

Filesize
406KB

MD5
2ffa8223b315687e5d30c7bef2100a71

SHA1
bf5d44fb44d5be2571e81000a6cbeb4844557e95

SHA256
8df1c44f2be15be95d83a975620c59f6a76a98e5343a08c15852a794859c4ffa

SHA512
587619b27d65fd7bd71c15ac59f1b73ef8a506dc478396169678035ab1dee485d56ea4cce1d52951bf71ab5865f1713d7f61952d460637830d5ea83ab303e33b

Download Submit
C:\Program Files\Cheat Engine 7.4\winhook-i386.dll

Filesize
201KB

MD5
de625af5cf4822db08035cc897f0b9f2

SHA1
4440b060c1fa070eb5d61ea9aadda11e4120d325

SHA256
3cdb85ee83ef12802efdfc9314e863d4696be70530b31e7958c185fc4d6a9b38

SHA512
19b22f43441e8bc72507be850a8154321c20b7351669d15af726145c0d34805c7df58f9dc64a29272a4811268308e503e9840f06e51ccdcb33afd61258339099

Download Submit
C:\Program Files\Cheat Engine 7.4\winhook-x86_64.dll

Filesize
264KB

MD5
f9c562b838a3c0620fb6ee46b20b554c

SHA1
5095f54be57622730698b5c92c61b124dfb3b944

SHA256
e08b035d0a894d8bea64e67b1ed0bce27567d417eaaa133e8b231f8a939e581d

SHA512
a20bc9a442c698c264fef82aa743d9f3873227d7d55cb908e282fa1f5dcff6b40c5b9ca7802576ef2f5a753fd1c534e9be69464b29af8efec8b019814b875296

Download Submit
C:\Program Files\McAfee\Temp2649851989\analyticsmanager.cab

Filesize
1.9MB

MD5
d9ed32143b29f1984397547c0ec11186

SHA1
42f3f9a7de91a3e0d6ff6aa227b9d15f71a00216

SHA256
bd9ea533cc10d9915628194aa2360dededed4d46371eb4d4e6e8a23b5b23e82e

SHA512
135d3805689a8d13af3a5f0cb8d99ca0110a05e55c173242f24490af6ca284cac18a5e6a81be74848aa9006855bfcbb15470badf505775f5681dd61bea346f22

Download Submit
C:\Program Files\McAfee\Temp2649851989\analyticstelemetry.cab

Filesize
46KB

MD5
ecce29cf51add01c727908e9b613d0d8

SHA1
82ee27455c4b4f73ba0c506adbc7dd9a9c7d812f

SHA256
e162350e682c4dd2c7704c9bedaec14abee37b011cbd519271bf2d29a9e8effb

SHA512
7bb061e47ce0393c885ab74d0db3e78a681c24b0595039d4d40cca78b4a906ada29730d06cdb310330433a58c5a2f04bfddbb71381f9ce4b8ed1dbc2e86f7fdd

Download Submit
C:\Program Files\McAfee\Temp2649851989\browserhost.cab

Filesize
1.1MB

MD5
76f48416c6ca43d7cfb820f343fafa73

SHA1
6e4c1b2effda7b44a6515da619934ebc11b32dd2

SHA256
6d03577b4028046225e07072fef3d874d4056a8fd5b50efab6dc278ab5795784

SHA512
f78bdf1f00b8330b02fd24a02d02c9e894c790bb25c2b3401ccb5a871bb99a90135fc87b24533305994eb49eead0c038d7a37c381b6464d7cce98a355bb0a322

Download Submit
C:\Program Files\McAfee\Temp2649851989\browserplugin.cab

Filesize
4.9MB

MD5
012c7303407a5a430face5fc983696a6

SHA1
d6d636052d68ae227260e535e158183de9e5d47a

SHA256
c16c37eca8d7c176a6538d3f6aa4734a528d6ddbba6c06591548b0afd98e652d

SHA512
aa174e34ffda63187e09f267a6d4527a4959e3b0796175eb7f0f8cabbaf9b6b2e57e1e7f808b72c863836f87ced0303522b3612c0933ee494b3badf71839661e

Download Submit
C:\Program Files\McAfee\Temp2649851989\downloadscan.cab

Filesize
2.1MB

MD5
071b5d93a7dffff37eb2767d4b634919

SHA1
cc4c4990f63f0c19542e3d273929e1298526a797

SHA256
ad6a1b3fd003c9768821677c03a85e393545d65f24a375db8ce75a5b7917ccf3

SHA512
01fefb8e8422acb1ab954623048d50b30d22dcabfc2b5521cdb8312ae8ae82d6bf94a11c538a51fd92e69f95b5fc2021bac385e90d6bf151cef5610096b1cd7f

Download Submit
C:\Program Files\McAfee\Temp2649851989\eventmanager.cab

Filesize
1.4MB

MD5
73f45024d9d2924571af30d1dfe69214

SHA1
c80dfd09bfab8170f6127b1b88d631fd8d6fdc0e

SHA256
873ba52092a4f6a21ed79706d50eb7060ca800901c7bdf193ab026c6de93d428

SHA512
2c67029503c83b0cfa2ae7a900c124ba28f96a0ba4b952c7eac101a110b82a3db79317506ee72c8ebf9a191c30f8e9a385c17c5b2f1dce70828caa51dc49de0e

Download Submit
C:\Program Files\McAfee\Temp2649851989\installer.exe

Filesize
2.3MB

MD5
c6de8bfd9617b5e6b9cbb76c5b908a36

SHA1
77883bd93e6c2765c6e81029ed9be3ca94bd2ad1

SHA256
08a6eccb174aa8785e479d271579a1ce1472bfaaaec7816f4f9300adb9ac248e

SHA512
162a75148bdb44af8e9519dcd6951d56fc3e11028d4aa22c0efa5e2177037f5814285756594496674c28b14e8702df7651b5781f00f681cfb6fd13fe2b300400

Download Submit
C:\Program Files\McAfee\Temp2649851989\installer.exe

Filesize
2.3MB

MD5
c6de8bfd9617b5e6b9cbb76c5b908a36

SHA1
77883bd93e6c2765c6e81029ed9be3ca94bd2ad1

SHA256
08a6eccb174aa8785e479d271579a1ce1472bfaaaec7816f4f9300adb9ac248e

SHA512
162a75148bdb44af8e9519dcd6951d56fc3e11028d4aa22c0efa5e2177037f5814285756594496674c28b14e8702df7651b5781f00f681cfb6fd13fe2b300400

Download Submit
C:\Program Files\McAfee\Temp2649851989\l10n.cab

Filesize
253KB

MD5
ed7cd54edf61756bfc4edab6ceadc976

SHA1
d62e8e1d980beda3766c477e52fb97afbb55a547

SHA256
2ab5f8d97f7681d6412b9fff064289a62a4bb53f034d261dc4f9b85a1b645059

SHA512
b89f301750c770d74ea7effb8c9cb90e0d7adcf1942274ebb2d1ebbd95dc138bc56ef849ed1b55657eaf7eb73651a4b849fad6ed895c06942621cce957618aa8

Download Submit
C:\Program Files\McAfee\Temp2649851989\logicmodule.cab

Filesize
1.4MB

MD5
6dd2fb142006ad8bf25a6947d1373b2b

SHA1
d2560e72ad84b3ffdb7aeeb645ee5f6bf2355819

SHA256
7402780254ac19cbcd61396db7a705bd0ef999c2db21f61b6cc420b46d76de0e

SHA512
f97a367d1d0aa1cdad9f3b6b55f4a038cf05d1910346853745abdfbad5d541191ff9e2da45ab193626268e30b429aa5f184ec8119d6a1ae6523007acb8a1dcaf

Download Submit
C:\Program Files\McAfee\Temp2649851989\logicscripts.cab

Filesize
52KB

MD5
cb703e2d5f233d5653acb4e4a5a558ac

SHA1
b5354d49262665e4e7969dbbd5876d681a300e5a

SHA256
77077da345b09a0f2d86569b58cde1505588ebedb74e601c7ca4d3374e3599fe

SHA512
29a9b48d1ea7ba7f45d198931cfb0a6e618a52b2c72b77b98dd43abc5b3b62a7ec5057637c4bfeeca33b3ecdf397fac82cd7fc70996046685990d9a313f41cbe

Download Submit
C:\Program Files\McAfee\Temp2649851989\lookupmanager.cab

Filesize
502KB

MD5
5f090ded01d0bc97b87cb316589f7a47

SHA1
a8b260b4a39b4e55a8115e9d7f48b6495dd7dfbd

SHA256
bb5318dd5bdcaf94c059aeca1286389ace5302202357f4418d5f349e03ebb515

SHA512
248998802f274eb092d8ee365ab1ca21430284b57042ef5cb320f5cef4a46bee75cbd08f8c8d32b72f8e39fd5d67d78f819a18e28aab1fa1f4e6d41a7248d15c

Download Submit
C:\Program Files\McAfee\Temp2649851989\mfw-mwb.cab

Filesize
31KB

MD5
1f96c859ca01549305afc6b8515c2f2e

SHA1
e78e117d4c1547c472a1a16d6d5d967f5dd3ac3e

SHA256
d31ef95b405073a7319eccc04ad07fb78c59a3686d7124c65403aef4c33a6c45

SHA512
5cb7228e8e920489e3b1c8a17e4d933a704b130f933ff748200d4c788c0f382444f39f81c2da66aaa1a8fd00e833717b2eeb6c04f1da91c4aa92d1296ba594bf

Download Submit
C:\Program Files\McAfee\Temp2649851989\mfw-nps.cab

Filesize
33KB

MD5
c0fefa390eca8e15b8d6f7cebb15517a

SHA1
c028f27b3b0aa78c8ec6f2b8ecb48f22c82abddf

SHA256
43fea966f8f44852219a1b47f7da7940edd1a4a4f34817cdee364e98f3bc9d01

SHA512
14045baff357d28ee4b1ad7c195388268817ade849f836e7766f90b38face7813a444b8e798c47bb9898f7ae25e5441fa76ebc67617c4865412d573a7c751269

Download Submit
C:\Program Files\McAfee\Temp2649851989\mfw-webadvisor.cab

Filesize
741KB

MD5
03d5a5b2ff4942a12961c54ac603804b

SHA1
548fb05c175c43b227066bdc7cd7716fe02b52c6

SHA256
cb4d7ce878f8643c780841a58281a9e91cfdb989ee1cd8fb120d7c4dae8e24ba

SHA512
7af94ad90119f1c76ceb8d62336198595f896b2c4f4da469ea246986bea1e36e64035cb5a65e1e31db6b68d9b99348a2207e7082793efa8bdfa43e30734eee23

Download Submit
C:\Program Files\McAfee\Temp2649851989\mfw.cab

Filesize
309KB

MD5
d30a174a1cdfa635e0b582aa6fb753b6

SHA1
1574a5ba48873b555edafa26ffcc085682b7bb7e

SHA256
0e95874c6cd67292d56f481e6ad6f58714514884f52ba5e2ce23eda5f7752ac0

SHA512
6d0b49dc4e2a89180ffde343b7ca7b3e986daa119d6d641aeace456ef5c2c8c59bee59ac1fbad3910af588753090b1a45e5374bfea78480c6dabee57957a7f10

Download Submit
C:\Program Files\McAfee\Temp2649851989\resourcedll.cab

Filesize
52KB

MD5
313ebe3b4eee0ef05835cb152ce06cc4

SHA1
92ecb331c14ce733ce91a8700b46a96595953df9

SHA256
72193116f16aa7c00184910d9bf187731cb555408b7ce6b7f4f5d506d5e55277

SHA512
6006f3cff51c3fcd55b99bbde7c0c5bb5a61b42c619210a07795d9fdd1964f31bcd7e611645b95ff703aa9982c7f5d11f46a9d55dcd12d2e6866b1d3138cf30b

Download Submit
C:\Program Files\McAfee\Temp2649851989\servicehost.cab

Filesize
297KB

MD5
415431dd880e446bc2f463ca31744a6d

SHA1
7e77895e589ada0d6ad93ad56bad058f8a2cb7f3

SHA256
6a07967fbe421e0db983d77e8decbf15e36b6f789947b24235d7adef632f771d

SHA512
e3bcf33c44fb717ac22395549ae1d00dbec66b9664739ff3bd02a7929014d3a41c756496e8e408787d4d64ef89e4b79e3ce947ac690edd933d5a4849e6d18fdf

Download Submit
C:\Program Files\McAfee\Temp2649851989\settingmanager.cab

Filesize
784KB

MD5
2237de2fe1172bc432ae0bcff6670da8

SHA1
459ffc44ffacd0ed984d4f725c4f56768cd45ccb

SHA256
ee89f0924a0bcd7d96695c23e0e8087c2f8ce40274834d33ff8802445ea9474b

SHA512
d865c25d8cd4309d1498fd1242d99d473de9d6df48ad8da16a2bfcffc3b24a505d7f340b18e00bb6955565af3fc46db77c3b9f25e6bf8f1793898058fc6fbb44

Download Submit
C:\Program Files\McAfee\Temp2649851989\taskmanager.cab

Filesize
1.2MB

MD5
46580f3846a45678bf282c1b68b15415

SHA1
091fa49c79ddb13c15fa71df358b66207ec315e4

SHA256
7df502bf08b6397e8d3f5cdb2f276a0b26c8b440fd9ca6ae72674eb4dd3d9174

SHA512
bb79e17ec3f241f49bcb8b49bb7e9d21a8d731ec599c083a69e2ca58762c3f1b8e8dbd31b1692b81c6ad6428237c2d54c10f54ea34918b181c718ea77311fd09

Download Submit
C:\Program Files\McAfee\Temp2649851989\telemetry.cab

Filesize
81KB

MD5
e8a55c0acba9cd3c21dd82bab0918237

SHA1
90bf7a00e0ed3c5f83e2b4c9fcdfac605c8b0704

SHA256
3e850a76b0576465eb66310b4043e3cc2b0106f271502e281b78b8736d23264d

SHA512
da128836d8848214812178185ba7cc4cc704b4eecede0f33363d4c57eaf0a18081ca826bf76e09e175dac5176a7804b6577090b938253db484efa745c665b050

Download Submit
C:\Program Files\McAfee\Temp2649851989\uihost.cab

Filesize
293KB

MD5
d9c6459aa8041a2073ff3f6f8b4803dd

SHA1
8b503d8bdfea209b48507d7816c7f7fff2247b42

SHA256
e02729a1ae5c473a0bd567abc00bfcee9de1a7c1572a2e408d988abe07cb0a91

SHA512
39ad1cc15b32a912b89137b1e9d233c0ba8dc6cec3d653e0d25b87cc027fab4ed32d8acf59504f71066c9b0a719a5a55af5d517bec61497558a4868dc6799043

Download Submit
C:\Program Files\McAfee\Temp2649851989\uimanager.cab

Filesize
1.6MB

MD5
7c224bbe753c90f1a7206e46f72d3602

SHA1
8669845cbc60dc87371af64a779991a8ae229f84

SHA256
655d19d44b54d8b58122539838e2d5ea5f91ed571fab079a0fe4a3abe7441b38

SHA512
c559fd4a47a9a9edc1782d8ff5d266b63ef974e16d106626ecd5a3b1415316b2497b682bc7d5229bfe4a294eb4d4d31f0ca7622350a890e9c398c46cf40a0cc9

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Filesize
578KB

MD5
ad273dae5c6d7ad0317e8471a6a8c4fa

SHA1
60013851dbd0c70a6183299c95a5e92283260a51

SHA256
8d0ef4a070b16a89c2f5b16eba3bd176c2f507e46a8b9c54259ec41d4ec6f903

SHA512
280985c24a31fee7ad43996f2e10a198553f486cdee0d6e5439e603c351fe92bf5531c8246220c441fb511a54724b4ebbc3b6fbd6ed94a65285200b4ebf063be

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Filesize
578KB

MD5
ad273dae5c6d7ad0317e8471a6a8c4fa

SHA1
60013851dbd0c70a6183299c95a5e92283260a51

SHA256
8d0ef4a070b16a89c2f5b16eba3bd176c2f507e46a8b9c54259ec41d4ec6f903

SHA512
280985c24a31fee7ad43996f2e10a198553f486cdee0d6e5439e603c351fe92bf5531c8246220c441fb511a54724b4ebbc3b6fbd6ed94a65285200b4ebf063be

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Filesize
578KB

MD5
ad273dae5c6d7ad0317e8471a6a8c4fa

SHA1
60013851dbd0c70a6183299c95a5e92283260a51

SHA256
8d0ef4a070b16a89c2f5b16eba3bd176c2f507e46a8b9c54259ec41d4ec6f903

SHA512
280985c24a31fee7ad43996f2e10a198553f486cdee0d6e5439e603c351fe92bf5531c8246220c441fb511a54724b4ebbc3b6fbd6ed94a65285200b4ebf063be

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00200057003F001D0006.txt

Filesize
302B

MD5
a2f013550acbeef57c971a827ba05eb2

SHA1
6abf1a409e05e0e8f966d724425076c25c4da113

SHA256
b027bd3e63d6bac87f91e8c5f4f7684096d36bffd127d14eab7ae06901cc47f0

SHA512
b56cf6d4f1f5a49e336bd722403ea94d9df411e7de8919fd2fc2eaf345e347a35af3e5c977e31576e28caf181eec6723a2bde9a288685b7912068e0982074346

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe

Filesize
26.5MB

MD5
71e2f49b811292530cde0ec58f3192b9

SHA1
5b3efbc3c30a9292b6c435d6709cfceacc6c18e7

SHA256
37452c57e26e5e0706f1dfdb3976e78972157717c1856c14eb4a0c06dcc07b30

SHA512
9fdf4dfe2258ed593f39a7365d3f1ee4e248f96115b56f308c1e76f13e0eeb47d9a8a0232ad9f32e56254a494c245cb319bb84de94f239fa86ea42ff18f88b54

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe

Filesize
1.2MB

MD5
28e464a5b7a6866a7370e7e45798356b

SHA1
3f89ea6ef255d9b1173818b9e93d61a378a855df

SHA256
31d538c7e6bb09457307fc84b0d7d2216f5a2a57d217b49f99ca75bdc6207283

SHA512
a582c2df74f2a97b17e6004831a1478f11b47a2105e558b57732a11d74edb6791dcf7a90e60a9061a554c35c866dbacbaabba11cc37b1fdf38d33d6f27963047

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe

Filesize
1.2MB

MD5
28e464a5b7a6866a7370e7e45798356b

SHA1
3f89ea6ef255d9b1173818b9e93d61a378a855df

SHA256
31d538c7e6bb09457307fc84b0d7d2216f5a2a57d217b49f99ca75bdc6207283

SHA512
a582c2df74f2a97b17e6004831a1478f11b47a2105e558b57732a11d74edb6791dcf7a90e60a9061a554c35c866dbacbaabba11cc37b1fdf38d33d6f27963047

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-27PCN.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K9VE4.tmp\CheatEngine74.tmp

Filesize
2.9MB

MD5
4d79561b3017b113d73b58fc63842c7c

SHA1
2c5a7f630ce9d0d3b550ac4aadf2dde0e6434300

SHA256
c9952a7eb2c7ca76a6b245724b4c4401728b24e306848ec45d28e7b93dc2dd92

SHA512
61501239aad218f2d108d5a6d2acca67cfc766d8c561542a5e5d46ade039bc04f7a8b7770dba445e3a92d7a3199c9a2730d8185fe80ad0d32b9c9b7cd35a87eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\CheatEngine74.exe

Filesize
23.1MB

MD5
8f210e8bd05d93667412b67c092619a9

SHA1
9cafdc5c862cb30d5b982f8b2055fe4613401296

SHA256
5e9e9499cbdc5e77474918d8a6f09629f5fdc5cb41b78cffb83da64129543689

SHA512
27c75d9f2169b50446fe4b33dd5514dba268f5e08beddc75ec22d1b8092df85dd87fba2af037b2528fcd7ef8c258ecfc3f20a046bf8db6b35e60a92fe454a1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\CheatEngine74.exe

Filesize
23.1MB

MD5
8f210e8bd05d93667412b67c092619a9

SHA1
9cafdc5c862cb30d5b982f8b2055fe4613401296

SHA256
5e9e9499cbdc5e77474918d8a6f09629f5fdc5cb41b78cffb83da64129543689

SHA512
27c75d9f2169b50446fe4b33dd5514dba268f5e08beddc75ec22d1b8092df85dd87fba2af037b2528fcd7ef8c258ecfc3f20a046bf8db6b35e60a92fe454a1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\prod0_extract\saBSI.exe

Filesize
1.2MB

MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\prod0_extract\saBSI.exe

Filesize
1.2MB

MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\prod1.exe

Filesize
44KB

MD5
af11135c282ad76ad8f0ca7e8676d427

SHA1
cd9592105e6c6e9276e7de79a690a2feb57aaff5

SHA256
e7f89c2b7bf1c6d438d67540371694df91d3df384c0cb7e0ae937ef2c999b20a

SHA512
4d7d254a4c8d1749b3feada1f2d2d651abe9506df583c46fa98792272b6c06c880902872f902024fb9f854f28c79294dd2fbbb2a6381965e01461674d7e6b11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\prod1.exe

Filesize
44KB

MD5
af11135c282ad76ad8f0ca7e8676d427

SHA1
cd9592105e6c6e9276e7de79a690a2feb57aaff5

SHA256
e7f89c2b7bf1c6d438d67540371694df91d3df384c0cb7e0ae937ef2c999b20a

SHA512
4d7d254a4c8d1749b3feada1f2d2d651abe9506df583c46fa98792272b6c06c880902872f902024fb9f854f28c79294dd2fbbb2a6381965e01461674d7e6b11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MQ1U3.tmp\CheatEngine74.tmp

Filesize
2.5MB

MD5
78eaf97510518dabca6bda558eb23d65

SHA1
e52fc6832e7471cd80b1c6ea9826302386daeab2

SHA256
280e83e09d1e6a0f751347dcfedcf49df293531b1e3847ca28363e52c569ad1a

SHA512
33c176eb987449fa7f8bc9ce50a813adb95013dcf3bfd7e3788fb2dd0d629c695aa7126dfa54e36c62534f18addeec503843e74fb1d448f441f7ceb92be379b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MQ1U3.tmp\CheatEngine74.tmp

Filesize
2.5MB

MD5
78eaf97510518dabca6bda558eb23d65

SHA1
e52fc6832e7471cd80b1c6ea9826302386daeab2

SHA256
280e83e09d1e6a0f751347dcfedcf49df293531b1e3847ca28363e52c569ad1a

SHA512
33c176eb987449fa7f8bc9ce50a813adb95013dcf3bfd7e3788fb2dd0d629c695aa7126dfa54e36c62534f18addeec503843e74fb1d448f441f7ceb92be379b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F1D.tmp\RAVEndPointProtection-installer.exe

Filesize
528KB

MD5
18bf9a6aaee2c4c35e4c35c4c28a54d0

SHA1
0622648073c45bb171b2e0b9d7ef6dffe3d643eb

SHA256
3bf349426c78ae9d395c9194d60d1158befad73b46a05d6dc0018774e257e3ee

SHA512
97fcf5194165d3da0d6be723a39c3d996723aebbe128128b89fb5e56f47017573844649039a26fb2214660aa44548ee7638d2f70c1c4e1998dae083925b88340

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F1D.tmp\RAVEndPointProtection-installer.exe

Filesize
528KB

MD5
18bf9a6aaee2c4c35e4c35c4c28a54d0

SHA1
0622648073c45bb171b2e0b9d7ef6dffe3d643eb

SHA256
3bf349426c78ae9d395c9194d60d1158befad73b46a05d6dc0018774e257e3ee

SHA512
97fcf5194165d3da0d6be723a39c3d996723aebbe128128b89fb5e56f47017573844649039a26fb2214660aa44548ee7638d2f70c1c4e1998dae083925b88340

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F1D.tmp\rsAtom.dll

Filesize
183KB

MD5
ecb88004da4968487c3dcdb25fe7f57e

SHA1
5e93b366fa5572d364812ab1bd58e4de4e609189

SHA256
317a5fb24c22592ce35731eb9669c72993084d00f245672112f73174f9d5868d

SHA512
a78db3bc382a2eeda1f5fdaba63eb8fb423bbb1c75cbfe6c9c269d44f1cdb588494511647c2ea511773c2811fbcadb2fe127c9eabbc517b4cf3c0ec35952533b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F1D.tmp\rsJSON.dll

Filesize
227KB

MD5
95279ce2eba7d42a5a365d0830afab02

SHA1
93d56fb27a57818d0a2e66f65865ad287b269f2d

SHA256
d57c85d40f0ea20de46196c58df69551cc5c7291367d5f3849dcd053bd4f3569

SHA512
091ed0c9781f40eb1fc9c9bf55c924414174a1ce6baa09dec69e749872ca56fcbeeac0c69fea3477ef673144cc1d7637c7f0b8197ad6fc9e23072e1f8a80224d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F1D.tmp\rsLogger.dll

Filesize
185KB

MD5
ecdfb913b5ac16a1b05efb4fa9ccd9a9

SHA1
6a27d6991fb1063c86868ffba6deb31867c5f1d4

SHA256
be03f866bb2bb9ea01d2e7671c9dd82fe2a2453fd7621327e70969db35617f50

SHA512
c604a896e597272a0edbed9cf281910635439e9662732137b7c150df8d097ed94f55cf4e8f4f2ae0c4816b37f897692f3e7c34acb31f8699bc9ab21ea0ec7511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F1D.tmp\rsStubLib.dll

Filesize
207KB

MD5
44b0cb09cd849e07c101976a94dd3cd3

SHA1
c986d848d0a1006f82b54f37742fe1524fe12a24

SHA256
767e7db8a18c754ba6b896b8354aa09a2ed13c3d2e6543b77beb65224d641d9c

SHA512
3ef994f27ba137bc503d04f409f00ec085ea4a15e8026b85944814602cd37e01506bec8dd735e8bb884fa83cc4856160d903fefbdb73e52ba42d513af2319aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3F1D.tmp\rsSyncSvc.exe

Filesize
578KB

MD5
ad273dae5c6d7ad0317e8471a6a8c4fa

SHA1
60013851dbd0c70a6183299c95a5e92283260a51

SHA256
8d0ef4a070b16a89c2f5b16eba3bd176c2f507e46a8b9c54259ec41d4ec6f903

SHA512
280985c24a31fee7ad43996f2e10a198553f486cdee0d6e5439e603c351fe92bf5531c8246220c441fb511a54724b4ebbc3b6fbd6ed94a65285200b4ebf063be

Download Submit
C:\Users\Admin\AppData\Local\Temp\xk12rjll.exe

Filesize
1.5MB

MD5
80c8cf12e1eb7bd16eafacdca49ec2ab

SHA1
23c45af36a5fbcbadfb92a5df150fefad0954fe1

SHA256
db223921eacffdeae7ae941f9c9e1ea66100c92069e8a0f905a932721dc04296

SHA512
e5673c7448f73a416f9d2088044789b4b4530046041e2334025824bb2d6f1e80ee3367a3dd05c376a471c1fcd90bb2829b022a8c862cdf487a29422771bf037e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xk12rjll.exe

Filesize
1.5MB

MD5
80c8cf12e1eb7bd16eafacdca49ec2ab

SHA1
23c45af36a5fbcbadfb92a5df150fefad0954fe1

SHA256
db223921eacffdeae7ae941f9c9e1ea66100c92069e8a0f905a932721dc04296

SHA512
e5673c7448f73a416f9d2088044789b4b4530046041e2334025824bb2d6f1e80ee3367a3dd05c376a471c1fcd90bb2829b022a8c862cdf487a29422771bf037e

Download Submit
\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-KLS1F.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
memory/752-1049-0x000002155A7D0000-0x000002155A806000-memory.dmp

Filesize
216KB

Download
memory/756-970-0x0000027758D70000-0x0000027758D94000-memory.dmp

Filesize
144KB

Download
memory/756-996-0x000002775A530000-0x000002775A7BC000-memory.dmp

Filesize
2.5MB

Download
memory/756-1045-0x000002775AB60000-0x000002775AB88000-memory.dmp

Filesize
160KB

Download
memory/756-1039-0x000002775AAC0000-0x000002775AAF8000-memory.dmp

Filesize
224KB

Download
memory/756-1041-0x000002775AA80000-0x000002775AAA4000-memory.dmp

Filesize
144KB

Download
memory/756-1046-0x000002775B870000-0x000002775B8DE000-memory.dmp

Filesize
440KB

Download
memory/756-1037-0x000002775AA50000-0x000002775AA7E000-memory.dmp

Filesize
184KB

Download
memory/756-1036-0x000002775AA20000-0x000002775AA44000-memory.dmp

Filesize
144KB

Download
memory/756-1035-0x000002775A4E0000-0x000002775A504000-memory.dmp

Filesize
144KB

Download
memory/756-1032-0x0000027759C80000-0x0000027759CE6000-memory.dmp

Filesize
408KB

Download
memory/756-1047-0x000002775B8E0000-0x000002775B946000-memory.dmp

Filesize
408KB

Download
memory/756-1034-0x000002775BA20000-0x000002775BCA0000-memory.dmp

Filesize
2.5MB

Download
memory/756-1040-0x000002775BCA0000-0x000002775BEEC000-memory.dmp

Filesize
2.3MB

Download
memory/756-1031-0x0000027759C10000-0x0000027759C7C000-memory.dmp

Filesize
432KB

Download
memory/756-1028-0x0000027759B70000-0x0000027759B98000-memory.dmp

Filesize
160KB

Download
memory/756-1033-0x000002775A4A0000-0x000002775A4DA000-memory.dmp

Filesize
232KB

Download
memory/756-971-0x0000027758DE0000-0x0000027758E14000-memory.dmp

Filesize
208KB

Download
memory/756-1023-0x0000027759B40000-0x0000027759B66000-memory.dmp

Filesize
152KB

Download
memory/756-1044-0x000002775B7A0000-0x000002775B7FC000-memory.dmp

Filesize
368KB

Download
memory/756-1017-0x0000027758EE0000-0x0000027758F05000-memory.dmp

Filesize
148KB

Download
memory/756-974-0x0000027758EA0000-0x0000027758ED6000-memory.dmp

Filesize
216KB

Download
memory/756-1050-0x000002775B800000-0x000002775B824000-memory.dmp

Filesize
144KB

Download
memory/756-973-0x0000027758E60000-0x0000027758E98000-memory.dmp

Filesize
224KB

Download
memory/756-972-0x0000027758E20000-0x0000027758E52000-memory.dmp

Filesize
200KB

Download
memory/756-975-0x0000027758F10000-0x0000027758F3E000-memory.dmp

Filesize
184KB

Download
memory/756-976-0x0000027758FD0000-0x000002775902E000-memory.dmp

Filesize
376KB

Download
memory/756-978-0x0000027759F30000-0x000002775A295000-memory.dmp

Filesize
3.4MB

Download
memory/756-981-0x0000027758F70000-0x0000027758FBF000-memory.dmp

Filesize
316KB

Download
memory/756-1042-0x000002775AB00000-0x000002775AB2C000-memory.dmp

Filesize
176KB

Download
memory/756-1006-0x0000027759AD0000-0x0000027759B34000-memory.dmp

Filesize
400KB

Download
memory/756-1015-0x0000027759070000-0x00000277590AA000-memory.dmp

Filesize
232KB

Download
memory/1120-1030-0x0000021F23A70000-0x0000021F23AA8000-memory.dmp

Filesize
224KB

Download
memory/1120-1038-0x0000021F3E580000-0x0000021F3E5CC000-memory.dmp

Filesize
304KB

Download
memory/1640-184-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-185-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-177-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-176-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-179-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-181-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-182-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-174-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-162-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-175-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-163-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-186-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-167-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-171-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1640-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/1712-965-0x0000019B8FB30000-0x0000019B8FB8A000-memory.dmp

Filesize
360KB

Download
memory/1712-966-0x0000019B8FF20000-0x0000019B8FF74000-memory.dmp

Filesize
336KB

Download
memory/1712-967-0x0000019B8FFA0000-0x0000019B8FFC6000-memory.dmp

Filesize
152KB

Download
memory/1712-968-0x0000019B8FB30000-0x0000019B8FB8A000-memory.dmp

Filesize
360KB

Download
memory/1712-969-0x0000019BAA840000-0x0000019BAAA6C000-memory.dmp

Filesize
2.2MB

Download
memory/2340-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-144-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-257-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2340-157-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-121-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-122-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-123-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-124-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-127-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-159-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-153-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2340-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-145-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-120-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-158-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2340-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-143-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-946-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2340-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/3168-519-0x0000020ABB190000-0x0000020ABB1BE000-memory.dmp

Filesize
184KB

Download
memory/3168-876-0x0000020AD5570000-0x0000020AD55E6000-memory.dmp

Filesize
472KB

Download
memory/3168-574-0x0000020AD5100000-0x0000020AD512E000-memory.dmp

Filesize
184KB

Download
memory/3168-877-0x0000020AD54F0000-0x0000020AD550C000-memory.dmp

Filesize
112KB

Download
memory/3168-481-0x0000020AB94B0000-0x0000020AB9532000-memory.dmp

Filesize
520KB

Download
memory/3168-543-0x0000020AD50C0000-0x0000020AD50F8000-memory.dmp

Filesize
224KB

Download
memory/3168-889-0x0000020AD5530000-0x0000020AD554E000-memory.dmp

Filesize
120KB

Download
memory/3168-501-0x0000020ABB150000-0x0000020ABB184000-memory.dmp

Filesize
208KB

Download
memory/3900-420-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3900-859-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3900-610-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4232-957-0x000001B5EB330000-0x000001B5EB36E000-memory.dmp

Filesize
248KB

Download
memory/4232-956-0x000001B5E99E0000-0x000001B5E99F2000-memory.dmp

Filesize
72KB

Download
memory/4232-954-0x000001B5E9650000-0x000001B5E967E000-memory.dmp

Filesize
184KB

Download
memory/4232-955-0x000001B5E9650000-0x000001B5E967E000-memory.dmp

Filesize
184KB

Download
memory/5032-960-0x0000026BEAF10000-0x0000026BEB08A000-memory.dmp

Filesize
1.5MB

Download
memory/5032-962-0x0000026BEACB0000-0x0000026BEACD2000-memory.dmp

Filesize
136KB

Download
memory/5032-961-0x0000026BEAC60000-0x0000026BEAC7A000-memory.dmp

Filesize
104KB

Download
memory/5032-959-0x0000026BEB5C0000-0x0000026BEB924000-memory.dmp

Filesize
3.4MB

Download
memory/5032-958-0x0000026BEB090000-0x0000026BEB5BA000-memory.dmp

Filesize
5.2MB

Download
memory/5092-316-0x000001D5669D0000-0x000001D566EF6000-memory.dmp

Filesize
5.1MB

Download
memory/5092-308-0x000001D54C0B0000-0x000001D54C0B8000-memory.dmp

Filesize
32KB

Download