5afab3f026d198ed6a6c03f72644a62ef066c320d68c124c6250d4f18f285c00

Analysis

max time kernel
85s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2023 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine75.exe
Size

28.6MB
MD5

c1b4681a48b60f4564efea5b01a969b6
SHA1

91a4fdd6d61d715bb27038f6be56204a2a9f1967
SHA256

5afab3f026d198ed6a6c03f72644a62ef066c320d68c124c6250d4f18f285c00
SHA512

e9f8b46ba0693ee6f07266679df5bced9c070bfd6b1169e54027a3cf7bdf9bd479ac3d05b703868bfecfa0691a6e0dc32f142e4e6207818d3a4207c0ca8902ca
SSDEEP

786432:pCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHcU:AEXFhV0KAcNjxAItjcU

Score

9^/10

coreentity discovery evasion persistence

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
C:\Program Files\ReasonLabs\EPP\mc.dll	coreentity

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

5040 icacls.exe
3096 icacls.exe

pid	process
5040	icacls.exe
3096	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

CheatEngine75.tmpinstaller.exeRAVEndPointProtection-installer.exeinstaller.exe

description	ioc	process
File opened for modification	C:\Program Files\Cheat Engine 7.5\winhook-i386.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\autorun\dlls\DotNetInterface.dll	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp2510445458\jslang\wa-res-shared-el-GR.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sys\is-3QIU4.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\Common\Client\v1.2.0\locales\ml.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\score-toast-ui\wa-score-toast-confirm.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\browsernavigate.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\usage_calculation.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\formatters\eventformatter_ga.luc	installer.exe
File created	C:\Program Files\McAfee\Temp2510445458\wa-utils.js	installer.exe
File created	C:\Program Files\McAfee\Temp2510445458\wa_logo2.png	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-AC8NR.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\mwb\wa-controller-mwb-checklist.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\webadvisor.mcafee.chrome.extension.json	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\toggle_off.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\simplewmiquery.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\ipc_stats_handler.luc	installer.exe
File created	C:\Program Files\McAfee\Temp2510445458\jslang\wa-res-shared-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\Temp2510445458\jslang\eula-sk-SK.txt	installer.exe
File created	C:\Program Files\McAfee\Temp2510445458\jslang\wa-res-install-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2510445458\jslang\wa-res-install-fi-FI.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-2U6RF.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\settings-icon.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-checklist-risk.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\searchannotations.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\smareputationcounter.luc	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\is-NAON6.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\browserutils.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\downloadscan.luc	installer.exe
File created	C:\Program Files\McAfee\Temp2510445458\icon_laptop.png	installer.exe
File created	C:\Program Files\McAfee\Temp2510445458\jslang\wa-res-shared-cs-CZ.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.2.0\locales\he.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-IMCRO.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-OSQ13.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\sendonping.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wsssetting.luc	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-R53KK.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-nb-NO.js	installer.exe
File opened for modification	C:\Program Files\ReasonLabs\EPP\Uninstall.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.2.0\locales\en-US.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-68AP4.tmp	CheatEngine75.tmp

Executes dropped EXE 16 IoCs

Processes:

CheatEngine75.tmpsaBSI.exeprod1.exeCheatEngine75.exed4drmoqs.exeCheatEngine75.tmpsaBSI.exeRAVEndPointProtection-installer.exe_setup64.tmprsSyncSvc.exersSyncSvc.exeinstaller.exeinstaller.exeKernelmoduleunloader.exeregsvr32.exeServiceHost.exe

pid	process
1812	CheatEngine75.tmp
1988	saBSI.exe
4936	prod1.exe
4716	CheatEngine75.exe
4080	d4drmoqs.exe
2280	CheatEngine75.tmp
1724	saBSI.exe
1136	RAVEndPointProtection-installer.exe
3024	_setup64.tmp
3152	rsSyncSvc.exe
1124	rsSyncSvc.exe
4984	installer.exe
884	installer.exe
4612	Kernelmoduleunloader.exe
2700	regsvr32.exe
5968	ServiceHost.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4476 sc.exe
4076 sc.exe
1364 sc.exe
5528 sc.exe
5872 sc.exe
3096 sc.exe

pid	process
4476	sc.exe
4076	sc.exe
1364	sc.exe
5528	sc.exe
5872	sc.exe
3096	sc.exe

Loads dropped DLL 14 IoCs

Processes:

CheatEngine75.tmpd4drmoqs.exeRAVEndPointProtection-installer.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeServiceHost.exe

pid	process
1812	CheatEngine75.tmp
1812	CheatEngine75.tmp
1812	CheatEngine75.tmp
4080	d4drmoqs.exe
1136	RAVEndPointProtection-installer.exe
3328	regsvr32.exe
2700	regsvr32.exe
5916	regsvr32.exe
5960	regsvr32.exe
5968	ServiceHost.exe
5968	ServiceHost.exe
5968	ServiceHost.exe
5968	ServiceHost.exe
5968	ServiceHost.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5576	5968	WerFault.exe	ServiceHost.exe
5200	2380	WerFault.exe	ServiceHost.exe
2980	6012	WerFault.exe	ServiceHost.exe
1408	5100	WerFault.exe	ServiceHost.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

ServiceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe

Modifies registry class 42 IoCs

Processes:

CheatEngine75.tmpregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\DownloadScan.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

saBSI.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

Runs net.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 39 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

saBSI.exesaBSI.exeCheatEngine75.tmpRAVEndPointProtection-installer.exeServiceHost.exe

pid	process
1988	saBSI.exe
1988	saBSI.exe
1988	saBSI.exe
1988	saBSI.exe
1988	saBSI.exe
1988	saBSI.exe
1988	saBSI.exe
1988	saBSI.exe
1988	saBSI.exe
1988	saBSI.exe
1724	saBSI.exe
1724	saBSI.exe
2280	CheatEngine75.tmp
2280	CheatEngine75.tmp
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
1136	RAVEndPointProtection-installer.exe
5968	ServiceHost.exe
5968	ServiceHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

prod1.exeRAVEndPointProtection-installer.exe

description pid process

Token: SeDebugPrivilege 4936 prod1.exe
Token: SeDebugPrivilege 1136 RAVEndPointProtection-installer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

CheatEngine75.tmpCheatEngine75.tmp

pid process

1812 CheatEngine75.tmp
2280 CheatEngine75.tmp

description	pid	process
Token: SeDebugPrivilege	4936	prod1.exe
Token: SeDebugPrivilege	1136	RAVEndPointProtection-installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CheatEngine75.exeCheatEngine75.tmpprod1.exeCheatEngine75.exesaBSI.exed4drmoqs.exeCheatEngine75.tmpDllHost.exenet.exeRAVEndPointProtection-installer.exesaBSI.exeinstaller.exeinstaller.exeregsvr32.exe

description	pid	process	target process
PID 4656 wrote to memory of 1812	4656	CheatEngine75.exe	CheatEngine75.tmp
PID 4656 wrote to memory of 1812	4656	CheatEngine75.exe	CheatEngine75.tmp
PID 4656 wrote to memory of 1812	4656	CheatEngine75.exe	CheatEngine75.tmp
PID 1812 wrote to memory of 1988	1812	CheatEngine75.tmp	saBSI.exe
PID 1812 wrote to memory of 1988	1812	CheatEngine75.tmp	saBSI.exe
PID 1812 wrote to memory of 1988	1812	CheatEngine75.tmp	saBSI.exe
PID 1812 wrote to memory of 4936	1812	CheatEngine75.tmp	prod1.exe
PID 1812 wrote to memory of 4936	1812	CheatEngine75.tmp	prod1.exe
PID 1812 wrote to memory of 4716	1812	CheatEngine75.tmp	CheatEngine75.exe
PID 1812 wrote to memory of 4716	1812	CheatEngine75.tmp	CheatEngine75.exe
PID 1812 wrote to memory of 4716	1812	CheatEngine75.tmp	CheatEngine75.exe
PID 4936 wrote to memory of 4080	4936	prod1.exe	d4drmoqs.exe
PID 4936 wrote to memory of 4080	4936	prod1.exe	d4drmoqs.exe
PID 4936 wrote to memory of 4080	4936	prod1.exe	d4drmoqs.exe
PID 4716 wrote to memory of 2280	4716	CheatEngine75.exe	CheatEngine75.tmp
PID 4716 wrote to memory of 2280	4716	CheatEngine75.exe	CheatEngine75.tmp
PID 4716 wrote to memory of 2280	4716	CheatEngine75.exe	CheatEngine75.tmp
PID 1988 wrote to memory of 1724	1988	saBSI.exe	saBSI.exe
PID 1988 wrote to memory of 1724	1988	saBSI.exe	saBSI.exe
PID 1988 wrote to memory of 1724	1988	saBSI.exe	saBSI.exe
PID 4080 wrote to memory of 1136	4080	d4drmoqs.exe	RAVEndPointProtection-installer.exe
PID 4080 wrote to memory of 1136	4080	d4drmoqs.exe	RAVEndPointProtection-installer.exe
PID 2280 wrote to memory of 4852	2280	CheatEngine75.tmp	DllHost.exe
PID 2280 wrote to memory of 4852	2280	CheatEngine75.tmp	DllHost.exe
PID 4852 wrote to memory of 1420	4852	DllHost.exe	net1.exe
PID 4852 wrote to memory of 1420	4852	DllHost.exe	net1.exe
PID 2280 wrote to memory of 4360	2280	CheatEngine75.tmp	net.exe
PID 2280 wrote to memory of 4360	2280	CheatEngine75.tmp	net.exe
PID 4360 wrote to memory of 1924	4360	net.exe	net1.exe
PID 4360 wrote to memory of 1924	4360	net.exe	net1.exe
PID 2280 wrote to memory of 4476	2280	CheatEngine75.tmp	sc.exe
PID 2280 wrote to memory of 4476	2280	CheatEngine75.tmp	sc.exe
PID 2280 wrote to memory of 3096	2280	CheatEngine75.tmp	icacls.exe
PID 2280 wrote to memory of 3096	2280	CheatEngine75.tmp	icacls.exe
PID 2280 wrote to memory of 3024	2280	CheatEngine75.tmp	_setup64.tmp
PID 2280 wrote to memory of 3024	2280	CheatEngine75.tmp	_setup64.tmp
PID 2280 wrote to memory of 5040	2280	CheatEngine75.tmp	icacls.exe
PID 2280 wrote to memory of 5040	2280	CheatEngine75.tmp	icacls.exe
PID 1136 wrote to memory of 3152	1136	RAVEndPointProtection-installer.exe	rsSyncSvc.exe
PID 1136 wrote to memory of 3152	1136	RAVEndPointProtection-installer.exe	rsSyncSvc.exe
PID 1724 wrote to memory of 4984	1724	saBSI.exe	installer.exe
PID 1724 wrote to memory of 4984	1724	saBSI.exe	installer.exe
PID 4984 wrote to memory of 884	4984	installer.exe	installer.exe
PID 4984 wrote to memory of 884	4984	installer.exe	installer.exe
PID 2280 wrote to memory of 4612	2280	CheatEngine75.tmp	Kernelmoduleunloader.exe
PID 2280 wrote to memory of 4612	2280	CheatEngine75.tmp	Kernelmoduleunloader.exe
PID 2280 wrote to memory of 4612	2280	CheatEngine75.tmp	Kernelmoduleunloader.exe
PID 884 wrote to memory of 4076	884	installer.exe	sc.exe
PID 884 wrote to memory of 4076	884	installer.exe	sc.exe
PID 884 wrote to memory of 1140	884	installer.exe	regsvr32.exe
PID 884 wrote to memory of 1140	884	installer.exe	regsvr32.exe
PID 1140 wrote to memory of 3328	1140	regsvr32.exe	regsvr32.exe
PID 1140 wrote to memory of 3328	1140	regsvr32.exe	regsvr32.exe
PID 1140 wrote to memory of 3328	1140	regsvr32.exe	regsvr32.exe
PID 884 wrote to memory of 1364	884	installer.exe	sc.exe
PID 884 wrote to memory of 1364	884	installer.exe	sc.exe
PID 2280 wrote to memory of 2700	2280	CheatEngine75.tmp	regsvr32.exe
PID 2280 wrote to memory of 2700	2280	CheatEngine75.tmp	regsvr32.exe
PID 2280 wrote to memory of 2700	2280	CheatEngine75.tmp	regsvr32.exe
PID 2280 wrote to memory of 3096	2280	CheatEngine75.tmp	icacls.exe
PID 2280 wrote to memory of 3096	2280	CheatEngine75.tmp	icacls.exe
PID 884 wrote to memory of 2700	884	installer.exe	regsvr32.exe
PID 884 wrote to memory of 2700	884	installer.exe	regsvr32.exe
PID 884 wrote to memory of 5528	884	installer.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\is-RVGKP.tmp\CheatEngine75.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RVGKP.tmp\CheatEngine75.tmp" /SL5="$12003A,29086952,780800,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod0_extract\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod0_extract\saBSI.exe" /affid 91088 PaidDistribution=true
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988

C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
"C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91088 PaidDistribution=true saBsiVersion=4.1.1.663 /no_self_update
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724

C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
"C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
5⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984

C:\Program Files\McAfee\Temp2510445458\installer.exe
"C:\Program Files\McAfee\Temp2510445458\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
6⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SYSTEM32\sc.exe
sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"
7⤵
- Launches sc.exe
PID:4076

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
7⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
8⤵
- Loads dropped DLL
- Modifies registry class
PID:3328

C:\Windows\SYSTEM32\sc.exe
sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"
7⤵
- Launches sc.exe
PID:1364

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2700

C:\Windows\SYSTEM32\sc.exe
sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0
7⤵
- Launches sc.exe
PID:5528

C:\Windows\SYSTEM32\sc.exe
sc.exe start "McAfee WebAdvisor"
7⤵
- Launches sc.exe
PID:5872

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
7⤵
PID:5912

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
8⤵
- Loads dropped DLL
- Modifies registry class
PID:5916

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
7⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5960

C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod1.exe
"C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod1.exe" -ip:"dui=320257d5-a40a-4005-a66a-f8da3659bec3&dit=20230731152253&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=320257d5-a40a-4005-a66a-f8da3659bec3&dit=20230731152253&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=320257d5-a40a-4005-a66a-f8da3659bec3&dit=20230731152253&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\d4drmoqs.exe
"C:\Users\Admin\AppData\Local\Temp\d4drmoqs.exe" /silent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\d4drmoqs.exe" /silent
5⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
6⤵
- Executes dropped EXE
PID:3152

\??\c:\windows\system32\rundll32.exe
"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
6⤵
PID:1716

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
7⤵
PID:5596

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
8⤵
PID:1644

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
6⤵
PID:5972

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
6⤵
PID:6088

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
6⤵
PID:5576

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
6⤵
PID:2128

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
6⤵
PID:5744

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
6⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Local\Temp\is-3MD7E.tmp\CheatEngine75.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3MD7E.tmp\CheatEngine75.tmp" /SL5="$701FA,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
4⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SYSTEM32\net.exe
"net" stop BadlionAntic
5⤵
PID:4852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BadlionAntic
6⤵
PID:1420

C:\Windows\SYSTEM32\net.exe
"net" stop BadlionAnticheat
5⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BadlionAnticheat
6⤵
PID:1924

C:\Windows\SYSTEM32\sc.exe
"sc" delete BadlionAnticheat
5⤵
- Launches sc.exe
PID:3096

C:\Users\Admin\AppData\Local\Temp\is-H4KVE.tmp\_isetup\_setup64.tmp
helper 105 0x444
5⤵
- Executes dropped EXE
PID:3024

C:\Windows\SYSTEM32\sc.exe
"sc" delete BadlionAntic
5⤵
- Launches sc.exe
PID:4476

C:\Windows\system32\icacls.exe
"icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
5⤵
- Modifies file permissions
PID:5040

C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
"C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
5⤵
- Executes dropped EXE
PID:4612

C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
"C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
5⤵
PID:2700

C:\Windows\system32\icacls.exe
"icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
5⤵
- Modifies file permissions
PID:3096

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
"C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
3⤵
PID:3384

C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
"C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
4⤵
PID:2280

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of WriteProcessMemory
PID:4852

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5968

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
PID:2268

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5968 -s 2628
2⤵
- Program crash
PID:5576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 5968 -ip 5968
1⤵
PID:5784

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:2380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2380 -s 2232
2⤵
- Program crash
PID:5200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 2380 -ip 2380
1⤵
PID:5288

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:6012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6012 -s 2480
2⤵
- Program crash
PID:2980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 6012 -ip 6012
1⤵
PID:2124

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:5100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5100 -s 2236
2⤵
- Program crash
PID:1408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 5100 -ip 5100
1⤵
PID:4360

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:5160

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
PID:2324

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
Filesize
236KB

MD5
9af96706762298cf72df2a74213494c9

SHA1
4b5fd2f168380919524ecce77aa1be330fdef57a

SHA256
65fa2ccb3ac5400dd92dda5f640445a6e195da7c827107260f67624d3eb95e7d

SHA512
29a0619093c4c0ecf602c861ec819ef16550c0607df93067eaef4259a84fd7d40eb88cd5548c0b3b265f3ce5237b585f508fdd543fa281737be17c0551163bd4

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-i386.dll
Filesize
328KB

MD5
19d52868c3e0b609dbeb68ef81f381a9

SHA1
ce365bd4cf627a3849d7277bafbf2f5f56f496dc

SHA256
b96469b310ba59d1db320a337b3a8104db232a4344a47a8e5ae72f16cc7b1ff4

SHA512
5fbd53d761695de1dd6f0afd0964b33863764c89692345cab013c0b1b6332c24dcf766028f305cc87d864d17229d7a52bf19a299ca136a799053c368f21c8926

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll
Filesize
468KB

MD5
daa81711ad1f1b1f8d96dc926d502484

SHA1
7130b241e23bede2b1f812d95fdb4ed5eecadbfd

SHA256
8422be70e0ec59c962b35acf8ad80671bcc8330c9256e6e1ec5c07691388cd66

SHA512
9eaa8e04ad7359a30d5e2f9256f94c1643d4c3f3c0dff24d6cd9e31a6f88cb3b470dd98f01f8b0f57bb947adc3d45c35749ed4877c7cbbbcc181145f0c361065

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png
Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook.dll
Filesize
128KB

MD5
43dac1f3ca6b48263029b348111e3255

SHA1
9e399fddc2a256292a07b5c3a16b1c8bdd8da5c1

SHA256
148f12445f11a50efbd23509139bf06a47d453e8514733b5a15868d10cc6e066

SHA512
6e77a429923b503fc08895995eb8817e36145169c2937dacc2da92b846f45101846e98191aeb4f0f2f13fff05d0836aa658f505a04208188278718166c5e3032

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook.dll
Filesize
137KB

MD5
42e2bf4210f8126e3d655218bd2af2e4

SHA1
78efcb9138eb0c800451cf2bcc10e92a3adf5b72

SHA256
1e30126badfffb231a605c6764dd98895208779ef440ea20015ab560263dd288

SHA512
c985988d0832ce26337f774b160ac369f2957c306a1d82fbbffe87d9062ae5f3af3c1209768cd574182669cd4495dba26b6f1388814c0724a7812218b0b8dc74

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll
Filesize
124KB

MD5
5f1a333671bf167730ed5f70c2c18008

SHA1
c8233bbc6178ba646252c6566789b82a3296cab5

SHA256
fd2a2b4fe4504c56347c35f24d566cc0510e81706175395d0a2ba26a013c4daf

SHA512
6986d93e680b3776eb5700143fc35d60ca9dbbdf83498f8731c673f9fd77c8699a24a4849db2a273aa991b8289e4d6c3142bbde77e11f2faf603df43e8fea105

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook.dll
Filesize
119KB

MD5
2a2ebe526ace7eea5d58e416783d9087

SHA1
5dabe0f7586f351addc8afc5585ee9f70c99e6c4

SHA256
e2a7df4c380667431f4443d5e5fc43964b76c8fcb9cf4c7db921c4140b225b42

SHA512
94ed0038068abddd108f880df23422e21f9808ce04a0d14299aacc5d573521f52626c0c2752b314cda976f64de52c4d5bcac0158b37d43afb9bc345f31fdbbc0

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook64.dll
Filesize
131KB

MD5
2af7afe35ab4825e58f43434f5ae9a0f

SHA1
b67c51cad09b236ae859a77d0807669283d6342f

SHA256
7d82694094c1bbc586e554fa87a4b1ed6ebc9eb14902fd429824dcd501339722

SHA512
23b7c6db0cb9c918ad9f28fa0e4e683c7e2495e89a136b75b7e1be6380591da61b6fb4f7248191f28fd3d80c4a391744a96434b4ab96b9531b5ebb0ec970b9d0

Download Submit
C:\Program Files\Cheat Engine 7.5\is-79JL6.tmp
Filesize
12.2MB

MD5
5be6a65f186cf219fa25bdd261616300

SHA1
b5d5ae2477653abd03b56d1c536c9a2a5c5f7487

SHA256
274e91a91a7a520f76c8e854dc42f96484af2d69277312d861071bde5a91991c

SHA512
69634d85f66127999ea4914a93b3b7c90bc8c8fab1b458cfa6f21ab0216d1dacc50976354f7f010bb31c5873cc2d2c30b4a715397fb0e9e01a5233c2521e7716

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-32.dll
Filesize
157KB

MD5
df443813546abcef7f33dd9fc0c6070a

SHA1
635d2d453d48382824e44dd1e59d5c54d735ee2c

SHA256
d14911c838620251f7f64c190b04bb8f4e762318cc763d993c9179376228d8ca

SHA512
9f9bea9112d9db9bcecfc8e4800b7e8032efb240cbbddaf26c133b4ce12d27b47dc4e90bc339c561714bc972f6e809b2ec9c9e1facc6c223fbac66b089a14c25

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-64.dll
Filesize
182KB

MD5
4a3b7c52ef32d936e3167efc1e920ae6

SHA1
d5d8daa7a272547419132ddb6e666f7559dbac04

SHA256
26ede848dba071eb76c0c0ef8e9d8ad1c53dfab47ca9137abc9d683032f06ebb

SHA512
36d7f8a0a749de049a830cc8c8f0d3962d8dce57b445f5f3c771a86dd11aaa10da5f36f95e55d3dc90900e4dbddd0dcc21052c53aa11f939db691362c42e5312

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-i386.dll
Filesize
197KB

MD5
9f50134c8be9af59f371f607a6daa0b6

SHA1
6584b98172cbc4916a7e5ca8d5788493f85f24a7

SHA256
dd07117ed80546f23d37f8023e992de560a1f55a76d1eb6dfd9d55baa5e3dad6

SHA512
5ccafa2b0e2d20034168ee9a79e8efff64f12f5247f6772815ef4cb9ee56f245a06b088247222c5a3789ae2dcefadbc2c15df4ff5196028857f92b9992b094e0

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll
Filesize
260KB

MD5
dd71848b5bbd150e22e84238cf985af0

SHA1
35c7aa128d47710cfdb15bb6809a20dbd0f916d8

SHA256
253d18d0d835f482e6abbaf716855580eb8fe789292c937301e4d60ead29531d

SHA512
0cbf35c9d7b09fb57d8a9079eab726a3891393f12aee8b43e01d1d979509e755b74c0fb677f8f2dfab6b2e34a141f65d0cfbfe57bda0bf7482841ad31ace7790

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll
Filesize
200KB

MD5
6e00495955d4efaac2e1602eb47033ee

SHA1
95c2998d35adcf2814ec7c056bfbe0a0eb6a100c

SHA256
5e24a5fe17ec001cab7118328a4bff0f2577bd057206c6c886c3b7fb98e0d6d9

SHA512
2004d1def322b6dd7b129fe4fa7bbe5d42ab280b2e9e81de806f54313a7ed7231f71b62b6138ac767288fee796092f3397e5390e858e06e55a69b0d00f18b866

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-x86_64.dll
Filesize
256KB

MD5
19b2050b660a4f9fcb71c93853f2e79c

SHA1
5ffa886fa019fcd20008e8820a0939c09a62407a

SHA256
5421b570fbc1165d7794c08279e311672dc4f42cb7ae1cbddcd7eea0b1136fff

SHA512
a93e47387ab0d327b71c3045b3964c7586d0e03dddb2e692f6671fb99659e829591d5f23ce7a95683d82d239ba7d11fb5a123834629a53de5ce5dba6aa714a9a

Download Submit
C:\Program Files\Cheat Engine 7.5\unins000.exe
Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-i386.dll
Filesize
324KB

MD5
e9b5905d495a88adbc12c811785e72ec

SHA1
ca0546646986aab770c7cf2e723c736777802880

SHA256
3eb9cd27035d4193e32e271778643f3acb2ba73341d87fd8bb18d99af3dffdea

SHA512
4124180b118149c25f8ea8dbbb2912b4bd56b43f695bf0ff9c6ccc95ade388f1be7d440a791d49e4d5c9c350ea113cf65f839a3c47d705533716acc53dd038f8

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll
Filesize
413KB

MD5
8d487547f1664995e8c47ec2ca6d71fe

SHA1
d29255653ae831f298a54c6fa142fb64e984e802

SHA256
f50baf9dc3cd6b925758077ec85708db2712999b9027cc632f57d1e6c588df21

SHA512
79c230cfe8907df9da92607a2c1ace0523a36c3a13296cb0265329208edc453e293d7fbedbd5410decf81d20a7fe361fdebddadbc1dc63c96130b0bedf5b1d8a

Download Submit
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
Filesize
262KB

MD5
9a4d1b5154194ea0c42efebeb73f318f

SHA1
220f8af8b91d3c7b64140cbb5d9337d7ed277edb

SHA256
2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363

SHA512
6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-i386.dll
Filesize
201KB

MD5
de625af5cf4822db08035cc897f0b9f2

SHA1
4440b060c1fa070eb5d61ea9aadda11e4120d325

SHA256
3cdb85ee83ef12802efdfc9314e863d4696be70530b31e7958c185fc4d6a9b38

SHA512
19b22f43441e8bc72507be850a8154321c20b7351669d15af726145c0d34805c7df58f9dc64a29272a4811268308e503e9840f06e51ccdcb33afd61258339099

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll
Filesize
264KB

MD5
f9c562b838a3c0620fb6ee46b20b554c

SHA1
5095f54be57622730698b5c92c61b124dfb3b944

SHA256
e08b035d0a894d8bea64e67b1ed0bce27567d417eaaa133e8b231f8a939e581d

SHA512
a20bc9a442c698c264fef82aa743d9f3873227d7d55cb908e282fa1f5dcff6b40c5b9ca7802576ef2f5a753fd1c534e9be69464b29af8efec8b019814b875296

Download Submit
C:\Program Files\McAfee\Temp2510445458\analyticsmanager.cab
Filesize
2.0MB

MD5
86fee5b9bb9cfdf353e8a61875fabfb4

SHA1
4c7ee42340e7dcece81bb7ac9103f574432a0dab

SHA256
82682a315c6e6dc74696d0604a4dd3f4c0aee7399cda474445fefdb089233b4b

SHA512
93747217e144dba764003e93db489eea7313d7f57b22846d6d2a032f610e324c9e10c7d4aa561d62e73dfb7f9e0b02496a73caae99543808e44693ac4df50865

Download Submit
C:\Program Files\McAfee\Temp2510445458\analyticstelemetry.cab
Filesize
53KB

MD5
fbbaa183dee23a96dabe8537d72ef6d8

SHA1
86147cde6d65235529244a78120ee8b9d74ea8ee

SHA256
ed0f925bbd443dcf035615d16304bcf83f972d37113bac0e44d37efd78437cbb

SHA512
c4bdc822d9b1040534e5dd1d74c29f06dfcb506d0a430cae7cdb2194eb8d1e14c89e9d61dc74c070e1d5b2646f09eea84d08e50ec46ab1a634949c940aa774b5

Download Submit
C:\Program Files\McAfee\Temp2510445458\browserhost.cab
Filesize
1.2MB

MD5
b4c71bb7aa91029e6fb020c11d1a70bb

SHA1
5fc17bca35e1ef1143ff8817cce9d36f5b938b2b

SHA256
2187858cfec3899c8b99e9a9c398ae7a8e405df9a8495c8a5ef6a26c9b95ec47

SHA512
26498e99974b949b6cd22c8640bd24478926bcdbc43a7fbaf2b8cb0f9fd5f98b8025efad1e9350018ec8be037c59c8130f25a15477b6b2753654c53644c8137c

Download Submit
C:\Program Files\McAfee\Temp2510445458\browserplugin.cab
Filesize
4.9MB

MD5
c45add0b40a161f401614ec5d570526d

SHA1
35bf86a32a0fbeb58efbe38671f572a0e1c9a9b6

SHA256
b12c3ea8a055000736e39ac177aeacd53b9d5c2a90c54fd686e20427b1b30c29

SHA512
64b6c56c73cc94f2f56e6722941e553fbcea804afe2d1cf0fcb5641c65ce1ec457809cb226ef3d047b086f6ddc7db1f9927041bc09dac9c502894cafb6ddd239

Download Submit
C:\Program Files\McAfee\Temp2510445458\downloadscan.cab
Filesize
2.2MB

MD5
0fb7900f3704813598e67af082b6259e

SHA1
8f054ef0d2d4fa893403d1e068a5be98a2b1033f

SHA256
7d17c5d1643bd35f35cb74aa34a24d13f21c8bd84053a2e1766881f4936afd24

SHA512
f6062334892add1b1284f978963655f2098e77a3bed446de6f2bcaad2769690857c15c12202d7a39da3347734c8a54e74e005de7dff358a8b6610bddb5b38580

Download Submit
C:\Program Files\McAfee\Temp2510445458\eventmanager.cab
Filesize
1.5MB

MD5
e54a50e177892dfcf19ee9f6a578aa56

SHA1
a674ca9d53414a354697e0c6e45c9334b65dbc69

SHA256
9cbc6c4d5584f07de8b9a03771b1b1063993cd96d44abe47259322e306ed4079

SHA512
b301b2c62bd1065e0e7262f81aa44af3df8fe5280f1dbc9e15bcaba04b682e517809db2217682135a20dd9b136a2ed10b39f023a88ce08b6c417da03e2f7b583

Download Submit
C:\Program Files\McAfee\Temp2510445458\installer.exe
Filesize
2.4MB

MD5
a956b1f95962c9e2c96997ded7fa119a

SHA1
56295948f4de77fbd518334bd2807045589f7c05

SHA256
f45afc50a1e32dafeb35e77a4aa9463ea4c8ddfe2b02c3ed212c4b6b78d393ed

SHA512
3c181779009bbf02adb453c027bd761529f3dea7497bd2ed81e857a703f899007c9fb33507e8476996c6fe64c5c7380dc86bf8b513442022593df010d6a0a75e

Download Submit
C:\Program Files\McAfee\Temp2510445458\installer.exe
Filesize
2.4MB

MD5
a956b1f95962c9e2c96997ded7fa119a

SHA1
56295948f4de77fbd518334bd2807045589f7c05

SHA256
f45afc50a1e32dafeb35e77a4aa9463ea4c8ddfe2b02c3ed212c4b6b78d393ed

SHA512
3c181779009bbf02adb453c027bd761529f3dea7497bd2ed81e857a703f899007c9fb33507e8476996c6fe64c5c7380dc86bf8b513442022593df010d6a0a75e

Download Submit
C:\Program Files\McAfee\Temp2510445458\l10n.cab
Filesize
274KB

MD5
5b7abd401fa1ee781103df8139f2a6e9

SHA1
d6e5006285feca5c9456aa0b7b1d8eabb77feb51

SHA256
ec6a2d4e37b8f8e9bf207a1319b5c5bf3910e6d7327006590cb5ac95e585350e

SHA512
bcd6e5ddc5282b433f11517e52640ce50cf1f33dd9687d84c45589a8428eef1271e8764a7995cbf77e48b7b22147c63fd658a15b98cf85391b9ed964dfca1d2e

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
Filesize
71KB

MD5
a7ea920d69e87e4368dd96bee21043c5

SHA1
55b77edfb64343a30c07c922db77b2dac8e07e6e

SHA256
431b6243620ed9174057d26ba97c46b3e0313d7b4fc9633a68cfdd45c0d8fa8a

SHA512
8f0064ee744ebc1dbacb504be13ef8d90d4d96fd90dfe1fce83e49b677d4d3a1df818a14e7a9948d1bd775345b91284e79d6df6e6d5d47e2331ee4fb695e1120

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Filesize
570KB

MD5
0b582093d4107b08f1e6127ea10988b3

SHA1
87fb5950f7ce4e0f303925c04ee5a30f197c8d0b

SHA256
377728fdb8a2e4da502d84498cad2a14e4c66bf3667229b2af0e08e353a1aac2

SHA512
a130a9da99c9d3fe6a15c12dccb02f3afc38f3810d49b7310325048091e33273182c2302b694074c24941c476cf3f6c618576103b2e30844108954350b1f78a5

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Filesize
570KB

MD5
0b582093d4107b08f1e6127ea10988b3

SHA1
87fb5950f7ce4e0f303925c04ee5a30f197c8d0b

SHA256
377728fdb8a2e4da502d84498cad2a14e4c66bf3667229b2af0e08e353a1aac2

SHA512
a130a9da99c9d3fe6a15c12dccb02f3afc38f3810d49b7310325048091e33273182c2302b694074c24941c476cf3f6c618576103b2e30844108954350b1f78a5

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Filesize
570KB

MD5
0b582093d4107b08f1e6127ea10988b3

SHA1
87fb5950f7ce4e0f303925c04ee5a30f197c8d0b

SHA256
377728fdb8a2e4da502d84498cad2a14e4c66bf3667229b2af0e08e353a1aac2

SHA512
a130a9da99c9d3fe6a15c12dccb02f3afc38f3810d49b7310325048091e33273182c2302b694074c24941c476cf3f6c618576103b2e30844108954350b1f78a5

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Filesize
570KB

MD5
0b582093d4107b08f1e6127ea10988b3

SHA1
87fb5950f7ce4e0f303925c04ee5a30f197c8d0b

SHA256
377728fdb8a2e4da502d84498cad2a14e4c66bf3667229b2af0e08e353a1aac2

SHA512
a130a9da99c9d3fe6a15c12dccb02f3afc38f3810d49b7310325048091e33273182c2302b694074c24941c476cf3f6c618576103b2e30844108954350b1f78a5

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
Filesize
323KB

MD5
4a674a9a3e6df14f70d951158924589e

SHA1
aadfb1cd2fbd62fd5fa12a8e3dbfa6ad5433423f

SHA256
33ee4594a498c35534d8b678d3679f0efe6b777fb1d476448daca4ba9c9887a2

SHA512
098b26165fea0841f29cdb5533cd7a36d4f6f2a5e63f57aebc9c1a7f5703a865d0f1a1f87709e726b0cf3dc37953b0ed204db73d6881318941055e8624dab889

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll
Filesize
1.1MB

MD5
44f00c71cf8c8cce28bf0b2385c1e8d8

SHA1
50ce7c51e5344ccc3a4595f238edbc29bc68ed81

SHA256
10226d905ab05e187b96c3042642ef1d0271ce5bbfa74b9089875fd18c2aab7c

SHA512
a9ff6c61630cbbc4a43d59519ca8d4bb9993cf6356b60b1c29456c3b618d1afad37a3f64596977036fad76f7e7d87de48f18a09e31bb9ecacb175e9762281215

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
Filesize
324KB

MD5
becd8e66c02ea19940abf9015e2088db

SHA1
e0e9b86a6a70d1b308e8f4b354bfa536e3bb637d

SHA256
0442afcd2b49b90aee2df568294630e688c1fdd17921dd97072caa344c903713

SHA512
62045e6044140d856cb114fc4316cbd2a10de69953df65a5aee43e8fdd92883f3102b15b4e824ed6e03eacb29d3a0439ff40a1776ef5836f93e6a1e04bbacebc

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config
Filesize
5KB

MD5
4b76e89453807a6dafc1b9f8ae3ded3c

SHA1
de363faf90c7c96af47c5c2887cee4cb8bd041ce

SHA256
c58271daaaeb8eb73c37f585532be29a8588dd1f570db7fd119d8093157b6e7d

SHA512
05a857af1a46d411f837cea194e15489b2f2950c30fc34432a1f7f400950a733bf7d04625d065d74fd3f91e7f1a89d8a854ac0221e6cca8a78f1e047425d6604

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog
Filesize
257B

MD5
2afb72ff4eb694325bc55e2b0b2d5592

SHA1
ba1d4f70eaa44ce0e1856b9b43487279286f76c9

SHA256
41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

SHA512
5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog
Filesize
660B

MD5
705ace5df076489bde34bd8f44c09901

SHA1
b867f35786f09405c324b6bf692e479ffecdfa9c

SHA256
f05a09811f6377d1341e9b41c63aa7b84a5c246055c43b0be09723bf29480950

SHA512
1f490f09b7d21075e8cdf2fe16f232a98428bef5c487badf4891647053ffef02987517cd41dddbdc998bef9f2b0ddd33a3f3d2850b7b99ae7a4b3c115b0eeff7

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Filesize
2.2MB

MD5
3767f58edde1de4fbd627d8247143ec5

SHA1
98c60d089928dc9576c311cc7fd0ca3e68f52770

SHA256
f604e5072b4508fb534912703f7570745815a7c41132a8d1c05849c254d68606

SHA512
6a04219f0beb8e5d4854c94c1458c86dd701a14889ae38c25e2e9c7e1ebf8154c4aae3356bb3418269c2b75a5da72fc8aca6355869e9f7b7539236a532f6f65f

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
Filesize
2KB

MD5
eb5f41d13da9a8b62c6aabf96f101925

SHA1
e286681f5ed7a52af00aca0c687331d026698442

SHA256
41171bb573e3b35d554817c8bb6d5a965db0c860756d25bd3bf4e2ad980ab209

SHA512
400abddaea0b1a9807cafcc5ae89add9ac327ccdaa976048357c1cbea069da38abbbaef2073c8f2f2850bda9a3dcfcb46b473fbb2f495523916d3589eebe4b8f

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
Filesize
6KB

MD5
4b7160ffb7603c420b25267ad4f75507

SHA1
9b410154d40a17ff84de329f8d06612580c77693

SHA256
50ed9b88115de3a7cfc2113eb74e906b2a47601e1be4acbcd00e3f4ae631b246

SHA512
0e690a073c3d6b2dbe6442af4e61f9a3adbce96dedd8f9d1ba0bb00af97ec7a0692cbf533ded2690bc28d0123838161ac7fd93e5cccfac0c83324862212011d1

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
bef274d8b991dcedce331828ac674332

SHA1
5cb6f9301c6d0bf6b14149a356f7ba40373affc3

SHA256
ec6514a1b92096d9fc7a5a3c90e82dd37f802d8b0c9db72e6f0134bd15de1be5

SHA512
778e727093205b9655589f78727d9f0c9e490c70f68aabd911b28c62d3350333d3f06854033ae173980038385a028c8e742c8931da64f297a4de5924cf5c35a2

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
acfb32f2430f07b4f198d6472a53138b

SHA1
d6361dda2752c8e479cb896c8c8babf829556a8d

SHA256
1c071c251ab405302a9b48fdbdb1153e267eb0936f2517093fb610d381ce33eb

SHA512
3d0fa73b090a9ac47c89b4333c41173ba75637e2b61b6f286bf2110074df0e1d189da232223d3b15f3d002bd7b8a6045794cf72ad4829a68739f9650bc1dffae

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
c5221261c3880afb178eaa16d728f858

SHA1
9de2617ca9483645291e8929cde23087f5acc9fa

SHA256
50a6cd203c1beb44c1eb91dbbb7332c01afbad7948524c1dd6f0a318c01638b2

SHA512
95ec2abdf97beb834d5306eed661d2c4971acbe5600a56499bf133d7789584af839a47fe9cc5798774fcb95b9e6040bca75d5c521da9b00d270023e04e81ebfe

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00200057003F001D0006.txt
Filesize
302B

MD5
03d1d641af2db76b7ff80502c3a59e75

SHA1
66316acf704f9743a8ba74453a2297b11c6e4174

SHA256
bf9d2967445648bba61b36c33316a43ccdbfaa33ef7c8bfb0661668e598126a9

SHA512
a6a7b0ff51b28c833e361951a3c1df13262e08935c8eea44b7a8362ea2a3f54953439cc359565fe6a51a93b7f03c166ce998611fc8427950645db6760ed4870c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
Filesize
27.6MB

MD5
34b0cc5bd6e8121e1c00066d322c4a19

SHA1
4364a7e6de0f5b2da6f3dcb7ed6aab233c663911

SHA256
9b945202491208ee773718e857130399f756a9285448862858685abaad09851c

SHA512
c3d52c0d51784a8b235c95e9e4cada7d7fc9c080f2896a378221dcdb0fa65ee217ec44da90d6c94139aaa19201e51ac66ebbeee7c0ebbc74f9f098525dea687f

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
Filesize
27.6MB

MD5
34b0cc5bd6e8121e1c00066d322c4a19

SHA1
4364a7e6de0f5b2da6f3dcb7ed6aab233c663911

SHA256
9b945202491208ee773718e857130399f756a9285448862858685abaad09851c

SHA512
c3d52c0d51784a8b235c95e9e4cada7d7fc9c080f2896a378221dcdb0fa65ee217ec44da90d6c94139aaa19201e51ac66ebbeee7c0ebbc74f9f098525dea687f

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4drmoqs.exe
Filesize
1.8MB

MD5
4462da39515d27bb327bc5493c79351e

SHA1
0ea0487c8ce376d3db3a67acc872798d0ab72735

SHA256
7ead2a33c3922b1f84b6d303b8fef5dc71a7f07d1abcd825bf8abf11d5a42201

SHA512
b42c38a13e85c036eecbae4a6029466de82195d5df62b700df65c7fbbc5c83ae23c0bdf27f87347276ca7eb8cbfdb0edab0fbe130b64e815e70f20e986bbb9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4drmoqs.exe
Filesize
1.8MB

MD5
4462da39515d27bb327bc5493c79351e

SHA1
0ea0487c8ce376d3db3a67acc872798d0ab72735

SHA256
7ead2a33c3922b1f84b6d303b8fef5dc71a7f07d1abcd825bf8abf11d5a42201

SHA512
b42c38a13e85c036eecbae4a6029466de82195d5df62b700df65c7fbbc5c83ae23c0bdf27f87347276ca7eb8cbfdb0edab0fbe130b64e815e70f20e986bbb9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4drmoqs.exe
Filesize
1.8MB

MD5
4462da39515d27bb327bc5493c79351e

SHA1
0ea0487c8ce376d3db3a67acc872798d0ab72735

SHA256
7ead2a33c3922b1f84b6d303b8fef5dc71a7f07d1abcd825bf8abf11d5a42201

SHA512
b42c38a13e85c036eecbae4a6029466de82195d5df62b700df65c7fbbc5c83ae23c0bdf27f87347276ca7eb8cbfdb0edab0fbe130b64e815e70f20e986bbb9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3MD7E.tmp\CheatEngine75.tmp
Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3MD7E.tmp\CheatEngine75.tmp
Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\CheatEngine75.exe
Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\CheatEngine75.exe
Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\RAV_Cross.png
Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\WebAdvisor.png
Filesize
33KB

MD5
96d5298c84ee73bf6cfd33b80c35c871

SHA1
4302ce4a75ce4117bc67b47d0502f417734b136d

SHA256
14d83a537e04b1f9db0727fafc98cc949b0270cea9af6659c05845605a09372d

SHA512
206bf3d9dc0f0db08559d4fbaa407eda0db0c88180fbc3bd76a798862626143f13311be1573f0a47c5b16a35d94fe98ca08800c102afe7e1025b0e973abd9156

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\logo.png
Filesize
258KB

MD5
6b7cb2a5a8b301c788c3792802696fe8

SHA1
da93950273b0c256dab64bb3bb755ac7c14f17f3

SHA256
3eed2e41bc6ca0ae9a5d5ee6d57ca727e5cba6ac8e8c5234ac661f9080cedadf

SHA512
4183dbb8fd7de5fd5526a79b62e77fc30b8d1ec34ebaa3793b4f28beb36124084533e08b595f77305522bc847edfed1f9388c0d2ece66e6ac8acb7049b48ee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod0.zip
Filesize
541KB

MD5
d6be5546bbce27020b742c5966838158

SHA1
7e9e355995b2a379f2e9d39b7028bc1ad27ca8ba

SHA256
49082ef6e5b8ceac180171309611eac88dac603684cde04e3725945a6722bce2

SHA512
c6c24da7f2d1ee3bc29e37bbb80ba68bb963f3d16a20eead4cb77e9c370a1cbb92a23073335dc4f1cfa21dc175419343045de6b4456165a256bf62466eeabd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod0_extract\saBSI.exe
Filesize
1.2MB

MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod0_extract\saBSI.exe
Filesize
1.2MB

MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod0_extract\saBSI.exe
Filesize
1.2MB

MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod1.exe
Filesize
44KB

MD5
4db91483c9cd609d2fc2a69976b8dd39

SHA1
ffa4a4cb6d95c66a7424a7fb80a189ab6fd625f3

SHA256
fd32e4d0c39bbddaf3db331f5a13c2d93b4a8b7b851824aecdc63b27e9b0cd78

SHA512
c3ba19f3a91c330c87fc36b39e2c34b811cc17947b474cbefcd4d8dcecc0911bab83a96d9dcc7ed32504c71096859449b13aaeccd4b4f3674d9d2e9e107494a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod1.exe
Filesize
44KB

MD5
4db91483c9cd609d2fc2a69976b8dd39

SHA1
ffa4a4cb6d95c66a7424a7fb80a189ab6fd625f3

SHA256
fd32e4d0c39bbddaf3db331f5a13c2d93b4a8b7b851824aecdc63b27e9b0cd78

SHA512
c3ba19f3a91c330c87fc36b39e2c34b811cc17947b474cbefcd4d8dcecc0911bab83a96d9dcc7ed32504c71096859449b13aaeccd4b4f3674d9d2e9e107494a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\prod1.exe
Filesize
44KB

MD5
4db91483c9cd609d2fc2a69976b8dd39

SHA1
ffa4a4cb6d95c66a7424a7fb80a189ab6fd625f3

SHA256
fd32e4d0c39bbddaf3db331f5a13c2d93b4a8b7b851824aecdc63b27e9b0cd78

SHA512
c3ba19f3a91c330c87fc36b39e2c34b811cc17947b474cbefcd4d8dcecc0911bab83a96d9dcc7ed32504c71096859449b13aaeccd4b4f3674d9d2e9e107494a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APB2N.tmp\zbShieldUtils.dll
Filesize
2.0MB

MD5
fad0877741da31ab87913ef1f1f2eb1a

SHA1
21abb83b8dfc92a6d7ee0a096a30000e05f84672

SHA256
73ff938887449779e7a9d51100d7be2195198a5e2c4c7de5f93ceac7e98e3e02

SHA512
f626b760628e16b9aa8b55e463c497658dd813cf5b48a3c26a85d681da1c3a33256cae012acc1257b1f47ea37894c3a306f348eb6bd4bbdf94c9d808646193ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H4KVE.tmp\_isetup\_setup64.tmp
Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RVGKP.tmp\CheatEngine75.tmp
Filesize
2.9MB

MD5
1cdbf6da4defe32c9cb5908968a02fab

SHA1
d1a5eb2928d718d7a1517187f523c701c141b659

SHA256
87c1bb2236a874c97369b2cca0d55559fa917707cebddf7a5eabc691f8302487

SHA512
215697cae7ec2ba27fbc0b9208cb8676e27d21e55e0184fc68cbd1c1bd57863daf29348ea677e97af84628800ba15e6db884df872c3adc673a3cd7faed2888b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\ArchiveUtilityx64.dll
Filesize
150KB

MD5
faf320e37e54016151d6be0747c75220

SHA1
c6f622bf4d921d4a3941cca534e07a42387fadc8

SHA256
e4a074c28907c74bbe612a6440af8da5466a132080f4b8d9d4629e3ae8d845d1

SHA512
34cc3ccafa99b5fea8a71b06f55be5134e9a307ad4983dbbd8f9f976a31fa01258eb3e9c8fcabfb1990a7c709de105f72b4ae91f3ba1a6bb904dfd3aa22f34d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\ArchiveUtilityx64.dll
Filesize
150KB

MD5
faf320e37e54016151d6be0747c75220

SHA1
c6f622bf4d921d4a3941cca534e07a42387fadc8

SHA256
e4a074c28907c74bbe612a6440af8da5466a132080f4b8d9d4629e3ae8d845d1

SHA512
34cc3ccafa99b5fea8a71b06f55be5134e9a307ad4983dbbd8f9f976a31fa01258eb3e9c8fcabfb1990a7c709de105f72b4ae91f3ba1a6bb904dfd3aa22f34d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\Microsoft.Win32.TaskScheduler.dll
Filesize
341KB

MD5
a1f95ec0dd4c2f9454d6c2bd8c4deab9

SHA1
1c6762588c46a4b684f2ecd79c72af7ac1546e6b

SHA256
9bba7038b425741095a6e8900792802ce17c325bd3b08776e9027adc2911e3ca

SHA512
cc3d0e701b6af37031bf8c4947a331aa3d0c1f944ad35da7e1428ec4bb5d4bcdf40760da3dc86064556cf764a75973bdb23997306d31bb8a592d089136769566

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\RAVEndPointProtection-installer.exe
Filesize
531KB

MD5
bf2e914733bf001b448a314f31ef73eb

SHA1
046fa02e698cf85770488451bea7f41a24a76a54

SHA256
1d11b67ac273fe87ff7bb64bd907eb0031b1b2e5314bd7d0be9abd2ab20b69a0

SHA512
1d5a04588193ba7a6a9e2732ae652a2731f3bcc87870d1cdb72ace5dcf4346af03d83742ecfb45695ae14c591289af6b56fe4ba0786b0b3edf999840780e0f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\RAVEndPointProtection-installer.exe
Filesize
531KB

MD5
bf2e914733bf001b448a314f31ef73eb

SHA1
046fa02e698cf85770488451bea7f41a24a76a54

SHA256
1d11b67ac273fe87ff7bb64bd907eb0031b1b2e5314bd7d0be9abd2ab20b69a0

SHA512
1d5a04588193ba7a6a9e2732ae652a2731f3bcc87870d1cdb72ace5dcf4346af03d83742ecfb45695ae14c591289af6b56fe4ba0786b0b3edf999840780e0f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\rsAtom.dll
Filesize
155KB

MD5
3a637d8b8f1a99b14420471e57b3ce34

SHA1
734a7876bfa0c9cbb0633707bd6fdd0691ca86da

SHA256
977934aefbdd50318cf0750cb7b49561a84c1935fcb48ba0867643cf0af64ef2

SHA512
4ec2b2ca07867a92dcc1dcfd11afdb5e6e1bd4058c3bf690c12fae2f10c7526eddf925d01e3034fdb6a0510bc484f1d2d054aefcceb2e6d0b31d5594161b5aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\rsJSON.dll
Filesize
215KB

MD5
16320bb73438e5d277450d40dd828fba

SHA1
469c1245e3fca774431231345c99c1d2246e524e

SHA256
34121f4827ee00b334395f69d79a7472ec478197635a2f6a7f0c8f92d70075da

SHA512
fec02a25ad687efebcf3de37c572a6b277045e60c57c50173e2c0c0411eb7b70ceef0df89beca1c12f1ba6e16551c77a3239141a3a32c1712be739818508621d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\rsLogger.dll
Filesize
177KB

MD5
e8cd93cc3df25d39b19a660412c27ecf

SHA1
749dae830391e6d213200b9a84f82a08cfdd4a04

SHA256
15f9af3bcd444ea719b3b251c6029e4310c72cc876cbfeccd4061ce9f29bd7ec

SHA512
d2f0b55acfa0675d0e322c08e111d9d828015eeeab7003b0c94734e00534d5bbc0f2eafe6d46574776a60d8c768419219b8eea680f7b19d1453f6d7f2525d12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\rsStubLib.dll
Filesize
241KB

MD5
4c28c10943a260098f311182fe870c68

SHA1
5cfce66a91ab121c9c08045a8d32e0c0b99941f6

SHA256
0692758d02737fef97a03c11bfee4b4d33755829eb8932f3911f2232f4b9e5d1

SHA512
7778d9c58762484095ac8edc85b17ca94d5a082b31a5f82660e6d7ca4fb01e70d579475d7d1b282c61aa73275caf73ff0767d4ecbae015ccc859cf23599e25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\rsSyncSvc.exe
Filesize
570KB

MD5
0b582093d4107b08f1e6127ea10988b3

SHA1
87fb5950f7ce4e0f303925c04ee5a30f197c8d0b

SHA256
377728fdb8a2e4da502d84498cad2a14e4c66bf3667229b2af0e08e353a1aac2

SHA512
a130a9da99c9d3fe6a15c12dccb02f3afc38f3810d49b7310325048091e33273182c2302b694074c24941c476cf3f6c618576103b2e30844108954350b1f78a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\5952e446\7c121801_c3c3d901\rsAtom.DLL
Filesize
157KB

MD5
0d81c611d4e9ca94f8179d4ae62e754a

SHA1
b8f752e9c18401a1215c47457d7940d1926345a4

SHA256
a5ff8148f56d9b080d51764c04a7bcd8302442046ce9dd8e11a4430466650035

SHA512
771e94b4b822c734948e454ff2dfb96bd59a0fa9078aef8347039657b53b2d9e1ee60ac8615aac4dfaeda3071f823823d020c48171e16dd4dd4e98dace37c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\855a938f\90fd2301_c3c3d901\rsLogger.DLL
Filesize
178KB

MD5
779a9c208cfbad5863b16b723f663511

SHA1
f26c95e9e4919fdd65d94dffd3064ae68a59b22e

SHA256
8bfa3fe9d9f406e6b2f3edfd49283e2a24f55986bf09ea32ed88854fc1f193e6

SHA512
d56d8e2a622bef9eb097623059eadd6d80653bc0ef4354ef60122a9b22b19688c4cedbabd63b3f5f55b5d4699b4aeae8ba893725130e3a98bfe022ce84d39b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\e4021565\8f9d2101_c3c3d901\rsJSON.DLL
Filesize
216KB

MD5
cb4990912512e02c5dfefff94902d04f

SHA1
4c8702f1edfd3d9339c60554b95be48e476a9159

SHA256
738affc5900c28e70f19b75359e1f75067f7035cc4380b331597a27e57481906

SHA512
841363362d052e601b86b642a562579a42fbcc5742ed7b6ce0b6d4d7c0d0ff7fd94dd61d3e27ba50235203c0a6bb70b80f2badf1ea31255f13f8387e523fb7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoDC58.tmp\uninstall.ico
Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyDC47.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Windows\System32\drivers\rsElam.sys
Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
memory/884-1271-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1428-0x00007FF7E7010000-0x00007FF7E7020000-memory.dmp

Filesize
64KB

Download
memory/884-628-0x00007FF7FD6D0000-0x00007FF7FD6E0000-memory.dmp

Filesize
64KB

Download
memory/884-1585-0x00007FF7B2D50000-0x00007FF7B2D60000-memory.dmp

Filesize
64KB

Download
memory/884-1570-0x00007FF7B2D50000-0x00007FF7B2D60000-memory.dmp

Filesize
64KB

Download
memory/884-1574-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1523-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1562-0x00007FF7B2D50000-0x00007FF7B2D60000-memory.dmp

Filesize
64KB

Download
memory/884-1476-0x00007FF7E7010000-0x00007FF7E7020000-memory.dmp

Filesize
64KB

Download
memory/884-1479-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1494-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1503-0x00007FF7B2D50000-0x00007FF7B2D60000-memory.dmp

Filesize
64KB

Download
memory/884-1513-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1518-0x00007FF7B2D50000-0x00007FF7B2D60000-memory.dmp

Filesize
64KB

Download
memory/884-1557-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1507-0x00007FF7E7010000-0x00007FF7E7020000-memory.dmp

Filesize
64KB

Download
memory/884-1472-0x00007FF7B2D50000-0x00007FF7B2D60000-memory.dmp

Filesize
64KB

Download
memory/884-1465-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1181-0x00007FF7FD6D0000-0x00007FF7FD6E0000-memory.dmp

Filesize
64KB

Download
memory/884-1182-0x00007FF7FD6D0000-0x00007FF7FD6E0000-memory.dmp

Filesize
64KB

Download
memory/884-1185-0x00007FF7FD6D0000-0x00007FF7FD6E0000-memory.dmp

Filesize
64KB

Download
memory/884-1259-0x00007FF7FEB10000-0x00007FF7FEB20000-memory.dmp

Filesize
64KB

Download
memory/884-1434-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1186-0x00007FF7FD6D0000-0x00007FF7FD6E0000-memory.dmp

Filesize
64KB

Download
memory/884-1261-0x00007FF79A540000-0x00007FF79A550000-memory.dmp

Filesize
64KB

Download
memory/884-1297-0x00007FF7E7010000-0x00007FF7E7020000-memory.dmp

Filesize
64KB

Download
memory/884-1333-0x00007FF7E7010000-0x00007FF7E7020000-memory.dmp

Filesize
64KB

Download
memory/884-1354-0x00007FF7B2D50000-0x00007FF7B2D60000-memory.dmp

Filesize
64KB

Download
memory/884-1435-0x00007FF7B2D50000-0x00007FF7B2D60000-memory.dmp

Filesize
64KB

Download
memory/884-1396-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1381-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1373-0x00007FF7E7010000-0x00007FF7E7020000-memory.dmp

Filesize
64KB

Download
memory/884-1331-0x00007FF7F48E0000-0x00007FF7F48F0000-memory.dmp

Filesize
64KB

Download
memory/884-1313-0x00007FF79A540000-0x00007FF79A550000-memory.dmp

Filesize
64KB

Download
memory/884-1241-0x00007FF7E7010000-0x00007FF7E7020000-memory.dmp

Filesize
64KB

Download
memory/884-1305-0x00007FF7B2D50000-0x00007FF7B2D60000-memory.dmp

Filesize
64KB

Download
memory/884-1298-0x00007FF7FEB10000-0x00007FF7FEB20000-memory.dmp

Filesize
64KB

Download
memory/1136-332-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/1136-335-0x0000012BA3930000-0x0000012BA3970000-memory.dmp

Filesize
256KB

Download
memory/1136-358-0x0000012BA3B70000-0x0000012BA3B9A000-memory.dmp

Filesize
168KB

Download
memory/1136-3721-0x0000012BA4120000-0x0000012BA4121000-memory.dmp

Filesize
4KB

Download
memory/1136-889-0x0000012B8B0A0000-0x0000012B8B0B0000-memory.dmp

Filesize
64KB

Download
memory/1136-3723-0x0000012BA4230000-0x0000012BA4268000-memory.dmp

Filesize
224KB

Download
memory/1136-337-0x0000012B8B230000-0x0000012B8B260000-memory.dmp

Filesize
192KB

Download
memory/1136-355-0x0000012B8B1D0000-0x0000012B8B1D1000-memory.dmp

Filesize
4KB

Download
memory/1136-3733-0x0000012BA41F0000-0x0000012BA41F1000-memory.dmp

Filesize
4KB

Download
memory/1136-3748-0x0000012BA42E0000-0x0000012BA430A000-memory.dmp

Filesize
168KB

Download
memory/1136-333-0x0000012B894C0000-0x0000012B89546000-memory.dmp

Filesize
536KB

Download
memory/1136-368-0x0000012BA3C00000-0x0000012BA3C58000-memory.dmp

Filesize
352KB

Download
memory/1136-3737-0x0000012BA4230000-0x0000012BA4260000-memory.dmp

Filesize
192KB

Download
memory/1136-405-0x0000012BA3C60000-0x0000012BA3D62000-memory.dmp

Filesize
1.0MB

Download
memory/1136-3756-0x0000012BA4240000-0x0000012BA4241000-memory.dmp

Filesize
4KB

Download
memory/1136-3757-0x0000012B8B0A0000-0x0000012B8B0B0000-memory.dmp

Filesize
64KB

Download
memory/1136-339-0x0000012B8B0A0000-0x0000012B8B0B0000-memory.dmp

Filesize
64KB

Download
memory/1136-3863-0x0000012B8B0A0000-0x0000012B8B0B0000-memory.dmp

Filesize
64KB

Download
memory/1136-342-0x0000012B8B210000-0x0000012B8B211000-memory.dmp

Filesize
4KB

Download
memory/1136-344-0x0000012BA3B30000-0x0000012BA3B68000-memory.dmp

Filesize
224KB

Download
memory/1136-359-0x0000012B8B1E0000-0x0000012B8B1E1000-memory.dmp

Filesize
4KB

Download
memory/1136-665-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/1136-3745-0x0000012BA4130000-0x0000012BA4131000-memory.dmp

Filesize
4KB

Download
memory/1812-167-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1812-181-0x0000000006480000-0x000000000648F000-memory.dmp

Filesize
60KB

Download
memory/1812-166-0x0000000006480000-0x000000000648F000-memory.dmp

Filesize
60KB

Download
memory/1812-139-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1812-165-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1812-345-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1812-180-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/1812-158-0x0000000006480000-0x000000000648F000-memory.dmp

Filesize
60KB

Download
memory/2128-3864-0x00000211A7880000-0x00000211A78AE000-memory.dmp

Filesize
184KB

Download
memory/2128-3877-0x00000211A7CC0000-0x00000211A7CD2000-memory.dmp

Filesize
72KB

Download
memory/2128-3878-0x00000211C1CF0000-0x00000211C1D2C000-memory.dmp

Filesize
240KB

Download
memory/2128-3862-0x00000211A7C40000-0x00000211A7C41000-memory.dmp

Filesize
4KB

Download
memory/2128-3861-0x00000211C1DC0000-0x00000211C1DD0000-memory.dmp

Filesize
64KB

Download
memory/2128-3860-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/2128-3859-0x00000211A7880000-0x00000211A78AE000-memory.dmp

Filesize
184KB

Download
memory/2128-3898-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/2280-407-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2280-281-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2280-397-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2280-1405-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4656-134-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4656-164-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4716-236-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4716-1878-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4716-383-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4936-380-0x000001C046700000-0x000001C046802000-memory.dmp

Filesize
1.0MB

Download
memory/4936-379-0x000001C02DD60000-0x000001C02DE08000-memory.dmp

Filesize
672KB

Download
memory/4936-231-0x000001C046B30000-0x000001C047058000-memory.dmp

Filesize
5.2MB

Download
memory/4936-356-0x000001C02DCB0000-0x000001C02DCC0000-memory.dmp

Filesize
64KB

Download
memory/4936-235-0x000001C02DCB0000-0x000001C02DCC0000-memory.dmp

Filesize
64KB

Download
memory/4936-232-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/4936-354-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/4936-229-0x000001C02C100000-0x000001C02C108000-memory.dmp

Filesize
32KB

Download
memory/5160-3905-0x0000026CCDF70000-0x0000026CCE0EC000-memory.dmp

Filesize
1.5MB

Download
memory/5160-3916-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/5160-3903-0x0000026CCD920000-0x0000026CCD930000-memory.dmp

Filesize
64KB

Download
memory/5160-3907-0x0000026CCD8C0000-0x0000026CCD8E2000-memory.dmp

Filesize
136KB

Download
memory/5160-3906-0x0000026CB5080000-0x0000026CB509A000-memory.dmp

Filesize
104KB

Download
memory/5160-3899-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/5160-3904-0x0000026CB5030000-0x0000026CB5031000-memory.dmp

Filesize
4KB

Download
memory/5160-3902-0x0000026CCDC00000-0x0000026CCDF66000-memory.dmp

Filesize
3.4MB

Download
memory/5160-3922-0x0000026CCD920000-0x0000026CCD930000-memory.dmp

Filesize
64KB

Download
memory/5992-3911-0x00007FF8997B0000-0x00007FF89A271000-memory.dmp

Filesize
10.8MB

Download
memory/5992-3915-0x000002208ACD0000-0x000002208AD24000-memory.dmp

Filesize
336KB

Download
memory/5992-3917-0x0000022089390000-0x0000022089391000-memory.dmp

Filesize
4KB

Download
memory/5992-3918-0x00000220893D0000-0x00000220893F6000-memory.dmp

Filesize
152KB

Download
memory/5992-3921-0x00000220893A0000-0x00000220893A1000-memory.dmp

Filesize
4KB

Download
memory/5992-3913-0x0000022089350000-0x0000022089351000-memory.dmp

Filesize
4KB

Download
memory/5992-3923-0x0000022088F50000-0x0000022088FA2000-memory.dmp

Filesize
328KB

Download
memory/5992-3912-0x00000220A3610000-0x00000220A3620000-memory.dmp

Filesize
64KB

Download
memory/5992-3933-0x00000220A3560000-0x00000220A3592000-memory.dmp

Filesize
200KB

Download
memory/5992-3934-0x00000220A3C40000-0x00000220A4258000-memory.dmp

Filesize
6.1MB

Download
memory/5992-3910-0x0000022088F50000-0x0000022088FA2000-memory.dmp

Filesize
328KB

Download
memory/5992-3971-0x00000220A4260000-0x00000220A4490000-memory.dmp

Filesize
2.2MB

Download
memory/5992-3972-0x00000220A35A0000-0x00000220A35A1000-memory.dmp

Filesize
4KB

Download