34278d6fd8874bc12cd7498ded79852c87219e7d5d9ca75facfa3deb98089f36

Resubmissions

21/02/2024, 18:45

240221-xeasyaea37 8

21/02/2024, 18:40

240221-xbnwdsdh48 8

Analysis

max time kernel
270s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fortinet-7.0.0.0029-installer_jLa-0t1.exe
Size

1.7MB
MD5

9402ecd688bb22ae501ee75565e15b4d
SHA1

5671c2706b73f9a68c20a8b41702e9fd161ae240
SHA256

34278d6fd8874bc12cd7498ded79852c87219e7d5d9ca75facfa3deb98089f36
SHA512

f43256d5e52750269679f95311fb097c555f92c0e61779f29e2a2d4dbc55c91c8dbb8fad8ecf5c0643ce650b7e85053d065a1f5779b3a463868a2fa92e294ec0
SSDEEP

24576:C4nXubIQGyxbPV0db26WKas4/Xnna2AVFwCGRjICE2lfWW0qXgoW1zSB:Cqe3f6mson6fNCNltv

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002321f-91.dat	upx
behavioral2/memory/3316-99-0x00000000005F0000-0x0000000000AFE000-memory.dmp	upx
behavioral2/memory/5104-120-0x0000000000D10000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/5104-122-0x0000000000D10000-0x000000000121E000-memory.dmp	upx
behavioral2/memory/4844-115-0x00000000005F0000-0x0000000000AFE000-memory.dmp	upx
behavioral2/memory/3568-125-0x00000000005F0000-0x0000000000AFE000-memory.dmp	upx
behavioral2/files/0x000600000002321f-129.dat	upx
behavioral2/memory/988-134-0x00000000005F0000-0x0000000000AFE000-memory.dmp	upx
behavioral2/memory/3316-467-0x00000000005F0000-0x0000000000AFE000-memory.dmp	upx
behavioral2/memory/3568-473-0x00000000005F0000-0x0000000000AFE000-memory.dmp	upx

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	fortinet-7.0.0.0029-installer_jLa-0t1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\edgesecuresearchonboarding.js	installer.exe
File created	C:\Program Files\McAfee\Temp3318802780\browserplugin.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\settingsdb.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_logo_upsell.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-toasts.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\analyticscontextconfig.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\postupdatereboottimelookup.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\x64\downloadscan.dll	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\twitter.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ext-install-toast.js	installer.exe
File created	C:\Program Files\McAfee\Temp3318802780\jslang\wa-res-install-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\Temp3318802780\jslang\wa-res-install-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\resource.dll	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_util_selector.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\postinit.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp3318802780\uihost.cab	Process not Found
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\tests\score\wa-score-toast-v.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-sr-Latn-CS.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\datasets_catalog.json	ServiceHost.exe
File opened for modification	C:\Program Files\McAfee\Temp3318802780\jslang\wa-res-shared-es-ES.js	Process not Found
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\dkjson.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\common_utils.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-upsell-toast.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\aj_toasts\wa-aj-toast-checkbox.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\protectionscore.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\secure_search_toast.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\downloadscan.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\blockpage.luc	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\sha256.js	ServiceHost.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\transport_mosaic_api_v2.js	ServiceHost.exe
File opened for modification	C:\Program Files\McAfee\Temp3318802780\uninstaller.cab	Process not Found
File created	C:\Program Files\McAfee\Temp3318802780\jslang\wa-res-shared-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\nps\clipboard.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\dailycounters.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\webadvisor_v2.mcafee.firefox.extension.json	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-upsell-toast-risk.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\dailypingmetriccounter.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ch-store-overlay-ui.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\browsernavigate.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\searchsuggestcounter.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\transport_ga.js	ServiceHost.exe
File opened for modification	C:\Program Files\McAfee\Temp3318802780\jslang\wa-res-shared-nb-NO.js	Process not Found
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\nps\wa-controller-nps-checklist.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\Temp3318802780\jslang\eula-sk-SK.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-de-DE.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\sha256.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\installedextensions.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp3318802780\jslang\eula-it-IT.txt	Process not Found

Executes dropped EXE 20 IoCs

pid	Process
3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
3924	saBSI.exe
3316	OperaSetup.exe
4844	OperaSetup.exe
5104	OperaSetup.exe
3568	OperaSetup.exe
988	OperaSetup.exe
2532	saBSI.exe
4488	installer.exe
5308	installer.exe
6644	ServiceHost.exe
2248	UIHost.exe
7228	ServiceHost.exe
7260	Assistant_107.0.5045.21_Setup.exe_sfx.exe
7848	assistant_installer.exe
7924	assistant_installer.exe
6716	ServiceHost.exe
6948	UIHost.exe
1120	ServiceHost.exe
5564	ServiceHost.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5296	sc.exe
3172	sc.exe
5268	sc.exe
6516	sc.exe

Loads dropped DLL 45 IoCs

pid	Process
3316	OperaSetup.exe
4844	OperaSetup.exe
5104	OperaSetup.exe
3568	OperaSetup.exe
988	OperaSetup.exe
5504	regsvr32.exe
2036	regsvr32.exe
6556	regsvr32.exe
6644	ServiceHost.exe
6616	regsvr32.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
2248	UIHost.exe
2248	UIHost.exe
7228	ServiceHost.exe
7228	ServiceHost.exe
7228	ServiceHost.exe
7228	ServiceHost.exe
7228	ServiceHost.exe
7848	assistant_installer.exe
7848	assistant_installer.exe
7924	assistant_installer.exe
7924	assistant_installer.exe
6716	ServiceHost.exe
6716	ServiceHost.exe
6716	ServiceHost.exe
6716	ServiceHost.exe
6716	ServiceHost.exe
6716	ServiceHost.exe
6948	UIHost.exe
6716	ServiceHost.exe
6948	UIHost.exe
1120	ServiceHost.exe
1120	ServiceHost.exe
1120	ServiceHost.exe
1120	ServiceHost.exe
1120	ServiceHost.exe
5564	ServiceHost.exe
5564	ServiceHost.exe
5564	ServiceHost.exe
5564	ServiceHost.exe
5564	ServiceHost.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
552	3360	WerFault.exe	89
4696	3360	WerFault.exe	89

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	fortinet-7.0.0.0029-installer_jLa-0t1.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	ServiceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	ServiceHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
3924	saBSI.exe
3924	saBSI.exe
3924	saBSI.exe
3924	saBSI.exe
3924	saBSI.exe
3924	saBSI.exe
3924	saBSI.exe
3924	saBSI.exe
3924	saBSI.exe
3924	saBSI.exe
2532	saBSI.exe
2532	saBSI.exe
3340	msedge.exe
3340	msedge.exe
4284	msedge.exe
4284	msedge.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
2248	UIHost.exe
2248	UIHost.exe
2248	UIHost.exe
2248	UIHost.exe
2248	UIHost.exe
2248	UIHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe
2248	UIHost.exe
2248	UIHost.exe
2248	UIHost.exe
2248	UIHost.exe
2248	UIHost.exe
2248	UIHost.exe
2248	UIHost.exe
2248	UIHost.exe
6644	ServiceHost.exe
6644	ServiceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
6840	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	6840	taskmgr.exe
Token: SeSystemProfilePrivilege	6840	taskmgr.exe
Token: SeCreateGlobalPrivilege	6840	taskmgr.exe
Token: SeSecurityPrivilege	6840	taskmgr.exe
Token: SeTakeOwnershipPrivilege	6840	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe
6840	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 3360	4360	fortinet-7.0.0.0029-installer_jLa-0t1.exe	89
PID 4360 wrote to memory of 3360	4360	fortinet-7.0.0.0029-installer_jLa-0t1.exe	89
PID 4360 wrote to memory of 3360	4360	fortinet-7.0.0.0029-installer_jLa-0t1.exe	89
PID 3360 wrote to memory of 3924	3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp	92
PID 3360 wrote to memory of 3924	3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp	92
PID 3360 wrote to memory of 3924	3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp	92
PID 3360 wrote to memory of 3316	3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp	93
PID 3360 wrote to memory of 3316	3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp	93
PID 3360 wrote to memory of 3316	3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp	93
PID 3316 wrote to memory of 4844	3316	OperaSetup.exe	94
PID 3316 wrote to memory of 4844	3316	OperaSetup.exe	94
PID 3316 wrote to memory of 4844	3316	OperaSetup.exe	94
PID 3316 wrote to memory of 5104	3316	OperaSetup.exe	95
PID 3316 wrote to memory of 5104	3316	OperaSetup.exe	95
PID 3316 wrote to memory of 5104	3316	OperaSetup.exe	95
PID 3316 wrote to memory of 3568	3316	OperaSetup.exe	96
PID 3316 wrote to memory of 3568	3316	OperaSetup.exe	96
PID 3316 wrote to memory of 3568	3316	OperaSetup.exe	96
PID 3568 wrote to memory of 988	3568	OperaSetup.exe	97
PID 3568 wrote to memory of 988	3568	OperaSetup.exe	97
PID 3568 wrote to memory of 988	3568	OperaSetup.exe	97
PID 3924 wrote to memory of 2532	3924	saBSI.exe	99
PID 3924 wrote to memory of 2532	3924	saBSI.exe	99
PID 3924 wrote to memory of 2532	3924	saBSI.exe	99
PID 3360 wrote to memory of 4284	3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp	100
PID 3360 wrote to memory of 4284	3360	fortinet-7.0.0.0029-installer_jLa-0t1.tmp	100
PID 4284 wrote to memory of 4004	4284	msedge.exe	101
PID 4284 wrote to memory of 4004	4284	msedge.exe	101
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103
PID 4284 wrote to memory of 4900	4284	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\fortinet-7.0.0.0029-installer_jLa-0t1.exe
"C:\Users\Admin\AppData\Local\Temp\fortinet-7.0.0.0029-installer_jLa-0t1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\is-RFSTM.tmp\fortinet-7.0.0.0029-installer_jLa-0t1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RFSTM.tmp\fortinet-7.0.0.0029-installer_jLa-0t1.tmp" /SL5="$30260,836075,831488,C:\Users\Admin\AppData\Local\Temp\fortinet-7.0.0.0029-installer_jLa-0t1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component0_extract\saBSI.exe
    "C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component0_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
      "C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91082 PaidDistribution=true saBsiVersion=4.1.1.818 CountryCode=GB /no_self_update
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2532
    - - C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
        
        "C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:4488
      - C:\Program Files\McAfee\Temp3318802780\installer.exe
        
        "C:\Program Files\McAfee\Temp3318802780\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        6⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:5308
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"
        7⤵
        Launches sc.exe
        
        PID:5296
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        7⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        8⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"
        7⤵
        Launches sc.exe
        
        PID:3172
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0
        7⤵
        Launches sc.exe
        
        PID:5268
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe start "McAfee WebAdvisor"
        7⤵
        Launches sc.exe
        
        PID:6516
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        7⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        8⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:6616
- - C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1_extract\OperaSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_b
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1_extract\OperaSetup.exe
      C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1_extract\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=98.0.4759.6 --initial-client-data=0x2d8,0x2dc,0x2e0,0x2b4,0x2e4,0x7281c398,0x7281c3a8,0x7281c3b4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1_extract\OperaSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1_extract\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=3316 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240221184558" --session-guid=0bd25331-8314-4459-9142-f1b2418dcde4 --server-tracking-blob=YmY4YjdjMzRkZDNmMTQwMDdiMjhlZDgxMjNmYjUyMzViZDZmZmVmMTVlNGUzYzg0ZDBkZmFmYjUzZTEyOGE3ODp7ImNvdW50cnkiOiJJTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPWFpcyZ1dG1fbWVkaXVtPWFwYiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY4MjQwNjc0OS41OTA1IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExMi4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3BlcmFfbmV3X2IiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJhaXMifSwidXVpZCI6Ijk4MjVlYmU2LTRhYTItNDRmOS1iYTM5LTRkMjNlNmE1MDVhNiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=D804000000000000
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3568
    - - C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1_extract\OperaSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1_extract\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=98.0.4759.6 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2b4,0x2f0,0x7188c398,0x7188c3a8,0x7188c3b4
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:988
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402211845581\assistant\Assistant_107.0.5045.21_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402211845581\assistant\Assistant_107.0.5045.21_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      PID:7260
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402211845581\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402211845581\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7848
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402211845581\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402211845581\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=107.0.5045.21 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0xfa0ff4,0xfa1000,0xfa100c
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gsf-fl.softonic.com/740/02d/f16d55821e6e472aacb4f28b66430e7394/FortiClientOnlineInstaller_7.0.0.0029.exe?Expires=1694537292&Signature=03b113a6193ec794cd5d824924b6b8d7d7555dbc&url=https://fortinet.en.softonic.com&Filename=FortiClientOnlineInstaller_7.0.0.0029.exe
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xcc,0x108,0x7ff8bde146f8,0x7ff8bde14708,0x7ff8bde14718
      4⤵
      PID:4004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 /prefetch:2
      4⤵
      PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
      4⤵
      PID:3300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      4⤵
      PID:4856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      4⤵
      PID:3372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
      4⤵
      PID:4124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
      4⤵
      PID:532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
      4⤵
      PID:3268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
      4⤵
      PID:5660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
      4⤵
      PID:5652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
      4⤵
      PID:5644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
      4⤵
      PID:5636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
      4⤵
      PID:5628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
      4⤵
      PID:5620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7844 /prefetch:1
      4⤵
      PID:6600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7988 /prefetch:1
      4⤵
      PID:6876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:1
      4⤵
      PID:7024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8344 /prefetch:1
      4⤵
      PID:6392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
      4⤵
      PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
      4⤵
      PID:6640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7924 /prefetch:8
      4⤵
      PID:980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7924 /prefetch:8
      4⤵
      PID:1288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9000 /prefetch:1
      4⤵
      PID:4184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
      4⤵
      PID:1012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
      4⤵
      PID:1404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
      4⤵
      PID:6360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
      4⤵
      PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
      4⤵
      PID:4420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
      4⤵
      PID:5556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,8020779448380302407,9473351270111410947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
      4⤵
      PID:6008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1592
    3⤵
    - Program crash
    PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1592
    3⤵
    - Program crash
    PID:4696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3360 -ip 3360
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3360 -ip 3360
1⤵
PID:3412

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:6644
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:6200

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:7228

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:6716
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6948

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:1120

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6840

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7968

C:\Windows\System32\e9ysz9.exe
"C:\Windows\System32\e9ysz9.exe"
1⤵
PID:3636

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:5044

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:6544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8bde146f8,0x7ff8bde14708,0x7ff8bde14718
  2⤵
  PID:4416

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:6544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\McAfee\Temp3318802780\analyticsmanager.cab

Filesize
1.6MB

MD5
1f08fb486750295c77fe137f07062fa8

SHA1
cf72ef73e813eff006c01dab2ec5eb65106af9a7

SHA256
6473b68565947761067587131ba42a42937ab497a5584c44e43cb6f41e92dcc1

SHA512
8c3a449062d64506e7cea03e1b9b921d4fa10a10bb6a796c400056a601b256f97006bef95e65d26ab2fd0b38bb58af64583971864be9e01386e5d975dfe57c4b

Download Submit
C:\Program Files\McAfee\Temp3318802780\analyticstelemetry.cab

Filesize
58KB

MD5
f4f1873a7f68239272ecb3a92f1a128a

SHA1
288f5295325dc3986269b07f901aa186736bfa79

SHA256
3829fea320ad3c1aea101d47de31f93411114c2b4473fc75d11a809bdf1906c6

SHA512
4e195d038a83e8d7a0a52f9809c4ab2ece1f934220e0aaf143716bc35e8a8d682b101a42d218f00646a282bdf87cec73ef4211662ef56ca5caea691521fd8000

Download Submit
C:\Program Files\McAfee\Temp3318802780\browserhost.cab

Filesize
1.1MB

MD5
6868e53d9c20b9ae69edeb143c19aa12

SHA1
cb5822b785f06439840efeb6739d8467bbf38eb9

SHA256
e9388190e6e33fbb91b194041e2f1cb00bd9032e58e6a5861f33ba1ef96a3b44

SHA512
e256ffd4fd820579ca6e25255a5286d5d9cebbd49abd7a8099957e6be3774338e43f38f2a976894b0c10697f68a318f6bee7ee4b6caecb74da4959eb0a03c49a

Download Submit
C:\Program Files\McAfee\Temp3318802780\browserplugin.cab

Filesize
1.1MB

MD5
768b1b427501a2d4e53568ebf3507537

SHA1
6234946c680f4440f3b9f8f2383bd0947f51b734

SHA256
f973c36d24620cae603a21cc92f98fb00cf9a93bc25008879ef9d2b76dcc28fd

SHA512
fd57791af97186b31be491acc9b2dc46cc39efda3b9d58682d328320e98d23a2219adcdf334c61b4ecc203f9f6e69d2a29ed844efee74260cb64d147bb5e6cb3

Download Submit
C:\Program Files\McAfee\Temp3318802780\downloadscan.cab

Filesize
2.1MB

MD5
e941b3c71f00d0e451aa3dece2ca8895

SHA1
4a5a8d9d6749af33320e47969de3d82c6ed719a4

SHA256
85c41b33603d6bb16a8199b2aad183568d9c9ee1393000a703416d8dcf18683f

SHA512
358df0819562ca211a9dc7ee8da38f832a386219b80f2fcc50fe85dde7e81d05c93423fc343fed58928906efff6b53e01a4165e1a107ec90d418d9fa0f062dd3

Download Submit
C:\Program Files\McAfee\Temp3318802780\eventmanager.cab

Filesize
1.5MB

MD5
ee4b92656b6b15a8e7245c5326ee87a8

SHA1
9f31a7b345a43538cdf7f1487c5cc5b0b978e23d

SHA256
c81beefc5d16b0e14a6461aec22fd5987c763a7e863e0d0c4269e57a6f33c271

SHA512
eaf815aa74dfb0e63146a9a6d1e55c9a4fc61681e2ddbc99ac0de2d2ebb48453053aab27d12f7e37ed4e52ae5a90a1d9a379539d0eb46b238b02862c25678f41

Download Submit
C:\Program Files\McAfee\Temp3318802780\installer.exe

Filesize
2.4MB

MD5
9daf36d81b100292bfd1104a310756f6

SHA1
c2a21215b054212591ea5b094a268c612d3f6d3f

SHA256
f8b10a122ff9c932ca97f80e6bcf6f210b8d54599aed029d43a07017073d6bc4

SHA512
b068431bba264f0324cf42e88bc6d13027dec32012dc3a3b7f7e65cba2df196cf68b77e753d87d6d32fb7ae15df8f853e930bd21432fa52404272901a6688617

Download Submit
C:\Program Files\McAfee\Temp3318802780\l10n.cab

Filesize
273KB

MD5
53b2ba2438c18cc602b7601348beb129

SHA1
b95175800086f98062fe011d1435d152b449feed

SHA256
d3cf77bae0af34388d45005b24ac009daab7490b00c9d8b9907481167262eb27

SHA512
b19008619c29a4843f83807e2dd9b402bb3028967e788d2e05bcb52fb64f077c140980d2996ca54f53c1c31688c987974248fc41b45693b8f7909e93d1be3e36

Download Submit
C:\Program Files\McAfee\Temp3318802780\logicmodule.cab

Filesize
1.4MB

MD5
e9c327508f532d8339806b33e741795c

SHA1
38363ce0d6514a12fc489d2b01d5aead322cf25b

SHA256
7f6a32b2cb4e20d9458ce70d5a3c5354c0f434f84682593b5f9dc0f4ddc681f6

SHA512
0705e88bc6c0374273de0ee2a54125371c9b3702efed1ec19c5535dff50ea753f9db0ffaf10edc0cd240a4c207bfaf142c4ad2e65cefdfa02f997506d31be2e3

Download Submit
C:\Program Files\McAfee\Temp3318802780\logicscripts.cab

Filesize
57KB

MD5
d55a19592f1160fed1f7f7ddff36cf21

SHA1
e19a058fa52f3c8635517ce7646fad181a28c015

SHA256
4549a4c73c3ca3898ee8443e28795effd85cddc87d57ac38c5087c53c14f056c

SHA512
70758593cd42aa8be9874cf196e229bb2824e28ef748f9e704c550dae57417299db66fb4965fd2afaa59a6d12d0b9477873bf449c2f2ae1d6e413c95ef77abcb

Download Submit
C:\Program Files\McAfee\Temp3318802780\lookupmanager.cab

Filesize
970KB

MD5
bd6e10cc0f2590433b8457175355def1

SHA1
0a2cff3e11dc8d7204f4ddad42f8230ea0f528f8

SHA256
39a27008c2e6e0f0ae58bd415abfe2c4c74c45b8d0ca506d05786e3e9b3d27e4

SHA512
46b90c72e7401d29c4a321bb9e067cf6cc976d04f5ecba1d797ce538cc310ee389b9f298988d1de4ea4fa0c8834a45b9e1bcbb3881496b4d8e62fc2489cff656

Download Submit
C:\Program Files\McAfee\Temp3318802780\mfw-mwb.cab

Filesize
30KB

MD5
bfc0cadcba91d927561d76bcf8b151c6

SHA1
1fb6ae9629aebcdd54308f72dd8bc43da29dfa5a

SHA256
3c83f0a109a619d1a95633d3832140b4988b787fb78ed11a7ec47f680577deed

SHA512
704278c3b0381a7080ef1cdb8641592a4b2715039388f582121750391989b625790dd307508f1b1e01b04cc11950350aa7b285a980455755b968e547a4d774dc

Download Submit
C:\Program Files\McAfee\Temp3318802780\mfw-nps.cab

Filesize
33KB

MD5
754ec5710b8d2b0d08c2d4e49aeadaec

SHA1
088f9c3baf8c91b3677435c517930b0e33b008ae

SHA256
9778ed9ea19854a4312579c2e595d16f6c5c5645e4e8b91debe7fb582cf78573

SHA512
38db5777d535003cccaef7bebc2a87837a097b4eb725458e0f8b70fbd8854811981af66365bcb5bc3afa1f1f305af365b49926540d167c5001fcc4192e3bbba0

Download Submit
C:\Program Files\McAfee\Temp3318802780\mfw-webadvisor.cab

Filesize
915KB

MD5
4d56a925b39d2aa9bbc2a415be2e1235

SHA1
9fb6ddd87d9586995099fb0c1423553d409e1ad0

SHA256
aaf18dbdef0d5362d2f2789b0dce5e1e91d0fd1fd4d8fef6f88acaf38ecbdf4b

SHA512
d9f670b661cd83988f8092f638fd76474288a7a0ca27d819046e99d9db042e9bfe323676e485c29b3f4a2970a2f7f6aa2a84171997380e3325266373a6c6dbcd

Download Submit
C:\Program Files\McAfee\Temp3318802780\mfw.cab

Filesize
310KB

MD5
a64bb575ff72e6c81d3358d07325fe46

SHA1
03d49603bbb7a5b3d4b96453d20845f794bdb1b0

SHA256
bc48b292f67082e8515149ba81d3064359c09f5c646a7ee8e113940a6b812afd

SHA512
acf2a01d119e518a0de8dd419dd32e270b92a0c89d90428eaf6899d18959a1ea58891ff7ad95ccba14248b0d6a07d6e6f8d25ef7bd5889eb2e19eb0700267cf6

Download Submit
C:\Program Files\McAfee\Temp3318802780\resourcedll.cab

Filesize
50KB

MD5
d452e574c6113a01b3a45d836a15a3b6

SHA1
ec6e41d57bd803347410fa5861e7521dbeec0a87

SHA256
e3e6908b669ab0503133ef8cca2834782dd174be9de67b7c01bff10f953c4855

SHA512
2775ccfa8bb146a1b27d57f330923b8a80fb932a7fc1b3fdcd9747d45fe84fab48cacf593cdb16e33500680c891c8b04d9daa16a7d33ed40b00891be68e7a959

Download Submit
C:\Program Files\McAfee\Temp3318802780\servicehost.cab

Filesize
304KB

MD5
2c91564d2834024d02b0eecaa911d097

SHA1
d9fcc86142edb4c3e32886f82537675a89944dce

SHA256
dd65a1a4042505f4afc1d9a64d6e4bcceb707374137f519a7eb1ff8a96e91d53

SHA512
844ade18bee42800dae54d91dce34f126cc250a02b3e82d280ba5ec0d532b4d294b65ef000c520b8939ba932ebdaf818b2e5bf5c984bc933f048bd0935d77591

Download Submit
C:\Program Files\McAfee\Temp3318802780\settingmanager.cab

Filesize
759KB

MD5
d2c53c06e75e4f64e87eee17b7a43acc

SHA1
b9bd6c8a3e74092cc05d9bfb71d3e8ac24b7553e

SHA256
64ab8e2e8842c1b6f30c98d5ac68ca06d6985bffc214a8c2258fb767f0f657b5

SHA512
b1243e191681de9eca9cfb1a642bb8bcbe2c99df74cf75a5c413221e61fd1ea745dad32b93211b0ad301a091e0d5f1f9b45c624e69e945d877c47801389f54da

Download Submit
C:\Program Files\McAfee\Temp3318802780\taskmanager.cab

Filesize
1.2MB

MD5
272f5284d5b644e843c6c11b09ac1ae0

SHA1
4e74a4013fe005334133264d17c894a56349b9e1

SHA256
d1a6cdfa8153e965eeeee23fa2764b122712abaae5a676b4736dd3355b1ee750

SHA512
d52ce70d1644d0d828474a8c92c8682dda81690e238816ed965407137bd1fdd79ed772eaf82c94f727215306b75682618612e2c3e973ada3f0b6a072fbca3284

Download Submit
C:\Program Files\McAfee\Temp3318802780\telemetry.cab

Filesize
89KB

MD5
575ad9c9e0831d7689544eddd1e4ac98

SHA1
23fdfa59bd8c51627679d2f1414174bd176aa194

SHA256
f0c76b1d6316039ec00b406f0a825a6d9e515d92d455b3760b9cc63f21898ec3

SHA512
afa269d2ac0e1d6d89e5d18060060759ff1a714672aa355b48473abf90230913dc3eb640e301718c66258bb7c03a478e5aaf720eb9405893e44368ea4a02d808

Download Submit
C:\Program Files\McAfee\Temp3318802780\uihost.cab

Filesize
299KB

MD5
f717a02b778d4e685051dbacf55a8be4

SHA1
c14ec34eccd38c5a75a061f565b1bd4d6aeda595

SHA256
c7715d9954c86f3989ab11312db0a47368ec8fd6198381f9bb3e2d716d28d884

SHA512
01275b32bcafccc4313f73114387ad983f8689a4df63ce42bf31ba2f0ca5ebd3315cbbe93d23491b2d04e1546379112883b009ff9b4bac37e018dd01aa1240f7

Download Submit
C:\Program Files\McAfee\Temp3318802780\uimanager.cab

Filesize
1.6MB

MD5
cbe890d482ee3cd388426b4eb8dba4a5

SHA1
174f2b42905769feb8c309b3c3ae14cb9a9c19b8

SHA256
407afe9d14f1a32bc9b97f5e1e46da28c0ecb624fe1ed061c702660310794ea0

SHA512
ad5da91804dfb011aa7b38fcb460a380805937563308fa440fc659f2a587148a0cf9e641d378b98e0c887c797f71156751d03bd28ce93f254a1aad25ec8d3671

Download Submit
C:\Program Files\McAfee\Temp3318802780\uninstaller.cab

Filesize
192KB

MD5
56fbc7f44d5c8022b964660e4997f54f

SHA1
d4453fe0e042ab5cc042129fd3c60f71e6eb234b

SHA256
caf536f7c78b03a1bafce191c77d0471fdc19a0c9c013b6e707c76265175f26b

SHA512
c26904490e20793c540e05f00241ac72ec139e9351b59cf34b8c256185c6ee370d0ff4e06b193d6f7f32beb24f23750fd6520983db8e62be27c63ecfe5abeccd

Download Submit
C:\Program Files\McAfee\Temp3318802780\updater.cab

Filesize
859KB

MD5
8e1f6734dab477d2b463edde808bbe1d

SHA1
9e1b7e5efe5b9390297a991c21d0daa2b0a97a13

SHA256
7460fa97eecc122064a0f5b5a7e01e6d8109032b62c46fad1e064ddb92d86d0c

SHA512
e9e19870a14990c452b7369fbeb56cfd74c82ab979f26b6e505c7f748c38ce8d1423201bcd39c677c21ed36573dbdf2b94b45fcb459870b24eaa9aa3c1dd1f6b

Download Submit
C:\Program Files\McAfee\Temp3318802780\wataskmanager.cab

Filesize
2.4MB

MD5
7a576ac9378e10173244b1ed9dd08012

SHA1
85be74f75923949c08c9f7fa9cc4be20b0bc4231

SHA256
183cf21ab8407092ca5c6a520519b89698a129735898c9d05027158137753465

SHA512
4138922c0b416f30088dd76634dd6c5bd771dad0aa702a77b887372ec349228083e813a1899ebe61ac514ba01de4d6b8e485063d004d1ec061fa9cc6fa05c480

Download Submit
C:\Program Files\McAfee\Temp3318802780\webadvisor.cab

Filesize
22KB

MD5
c9ffb55425fe109c6b3a6af2311fa6d7

SHA1
e14f14534a589a6a56a73f61a80b3d7346f1bbc5

SHA256
eff6add8271a4051979fd858d19b696e95bf8081f075c1f4b710f484f7b79634

SHA512
27c58deeb4acc4aac394d269517089c2778c2fb78fd71895b3b9d259fbf421a00c2f3c6073a7c55bd8bf60b08482d0f30722d593d79e61f714747cffee4842f4

Download Submit
C:\Program Files\McAfee\Temp3318802780\wssdep.cab

Filesize
586KB

MD5
f49089c1a928792125a30c050753d3f3

SHA1
c82bbd114692f938a75c6c5a6707992a01272792

SHA256
099630a529fe6632953d7ca7578e8de6a7edf011872fbe96e5c8c82e3b88a2ad

SHA512
f11b80f7c1e3bdeedb69b0767a9ce7940b256aac2a7e84e351385bf856358e4eed57711da628619edd32ed74da0f5f68c090cc8985c6c6e8f50bc8ce42bbc34b

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
72KB

MD5
eb105c0885ee2e4b9e2734f6f7284019

SHA1
327479f7820d19e6c236dc11f8707efd0d6bf6e2

SHA256
350bf925609830e683e5007dbe8feb4000a0c32a2b991798dc6b84608a2a8e89

SHA512
7e6805c2aabb1b1b8768eaf2c816dadbe78878249ea66eb89dd595fd9119ed0f8926213aa51028337fd1674aee532de301877458b5c7d9c0a2271c32a48ac611

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

Filesize
2KB

MD5
97b07d2eacb3bdf739b5d35d513ebd5a

SHA1
35e2a3a1a63ebcc4be2d16b23d3000142bf6a316

SHA256
3ae7867a2d417527615962b5aaaeed48499c48d78a4019b904c1c0e47e395b7c

SHA512
e16a013e883ca5e34d1621b4ea4f8ec9b0779d6a25f4ba91ec587137c1ce24ac17a87cc947cacc058104afa8f4a84efa9cca14b2f466a1873979eeb023d00905

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

Filesize
6KB

MD5
82b9acd44ce68dd069354b019f65b795

SHA1
d6027e0d2951728b143aa1ded164f0d6920f8c1e

SHA256
7af61e6538d7367aa7ef178043a758e8ac9b13802d9d6340602868e79f51ee90

SHA512
6228dd1a65f2b7b0c63307fe41c600a41d43720e67b267aa0e8d445bfb769a8256842685b4235e8ff65a2307ba32e84c38c55fe5f86eeb3d6ffbbac4b2196390

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1017B

MD5
865feafb9667a4da79cfd2ff0ae461a6

SHA1
28e34184c970c7b0fa2828789eefbf65d65db6b4

SHA256
cdbcecc78f466835b764d07c9048da3209028adb4a2bf1a99f1679d231a04800

SHA512
20d54c468f41e559255f4c92680db42c49848378ab62e5787f5bda6111367b5ffe817aa2352cf5628a86accdad9735a2b2560e902f69b3f0bfa0e3d96efa2aeb

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
75af24217900b7827e0dcd7db3db313b

SHA1
d74e4a9086c1c83889d97ea311d30e7b528453fe

SHA256
b0207db55bd3d083089e62b00f197a0e72f68c96c5b14dc639a0e2a29a34a47f

SHA512
5daab5daee4aa5c31aee3df101ca2abf4df692d5a6528b54c06cf8b7c675ba639fd33a8312089dc3e2950bbe652720a4d6a4f7ec348a19688fe6019e968f4060

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
7ebfce32813e6e5d410a016d8b23ff3a

SHA1
011b98822c5b0f9bbd385e5b2d2d0f5aa48e02b4

SHA256
e517ed812cf484d9290901d0813ef4575649b17906c052f9c8ea2b2710538703

SHA512
247048e873856194eb3aa429d1a6ca9ba39d984972d1d8eed8da4c0d2443fb967cb941aac14046d59f378a3ec4866d13b561ce81fa6bd540b13d977bd755518d

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
cdab950032a09989ae6e19defe0ff869

SHA1
0d50008c1fcfd45be105e681112b5a924984cb02

SHA256
09145f9bd8f45e8e0d756332e4e8a0eb12a09fcdb61e9e6a446c4c1c7ee9cbf5

SHA512
93d123017ebc1dc7b02e0e9131702964057e6666d544ab3feadac099af038fe1c07197900f0808268605ff5fb5453859c809014bac593597e1f7907d62009976

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
05f7b4c6de5e92fe4ed621d26f9e3c66

SHA1
1f8aa7d3a463a5dc08cf7b92651fba99c1a65fd3

SHA256
d1b18aa75cd580be248b03b7de164fd0f33de6d962805844f8099090701e1f71

SHA512
34cf0f491dc3d008cbe64add58dfc3c4b5791b72dd9d375103ed3295ba3dc01d3831a9cbc51ca8b66f26dbb2787a3b670a3e4f16d50fc0dd03b605529d1f5e67

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
4c5931f6580b0935973545c746539688

SHA1
227205741eac311e799e7cfada4842fd2cb21a6e

SHA256
6c474e8c9abbc7a77cadb03cfbd9c9291a10fb2df8be771f9b6b60e53d6e26bb

SHA512
7b54084b980f982c31180d2af27ba5bcdc03a14cf3f7c4acd5a35de1426c59fc3c230b0189e00ae8f7c02a09c416f89e31878021a5b4c0550ed6b2dd251064f0

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
8ac57c4befcdafbcb112c8771acebdb7

SHA1
97893d2953095d51eddcde81163d1ed72579aaa9

SHA256
72474f4579c5861dc86d1c7b18cdf30590166c282f0e4f9c1c5b5458f0d9b174

SHA512
754a177daceecb5779ebaa50cd4e3150ad20432d4377ca33919d45f9a0bd3b86a99ec7b58931b9d2f246bf0538bd52bf7dd25da736c151983360db213a22998e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
a894a30731508976e357aeaa4f3ea648

SHA1
3583963749d6d965757509b24f616e2454a1257e

SHA256
821a77f2b804f7fe3e5f1a89b00a1fd3bcb865b9250e5302e29c51e2f8a45f5d

SHA512
ccc3213c3d517fb597847bb559365e4f9f8748aaa63235adb7fba9b7a69f640435139c0bcbaa1623004b2ca58af8c44e67d3c37cdfd53957f1f2e1c3eaffee66

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
1779cebb8bc6666394100db0987d6e8c

SHA1
c2faa34f35c055f2b1e323653b337630603b6caf

SHA256
e4babf538bcf53d60db33452bab9da0b5a87911ef7c138ef5824966e9e078612

SHA512
41c5bee3ed19cf0df9ebf7288a6c2ed950887f39a3d8b64f3458e4b65203ba7243ab3bb8a692d3159a3031f5b1ff634d8373a7f561d38be46b362eb259160042

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
f1b76943c7f648cbe6ef0a55550125bb

SHA1
34b3baf2b52ba187767b244d411328684728df9d

SHA256
d96e16e2ed419dfa5d225a7a83122f0bed866622355340ea389b06dc5ccfd4bb

SHA512
b83496226269706de22be7bd70081a704fc7e19e40f19979687154185aaa8493f3ef09abea9276670747fe5404085f431feed46ac019c259184353269d260c15

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
65a5e91e9fd0784b000c81b75f6a1e88

SHA1
b58b1a6f968444fef7dee0b226b24a280ac5908d

SHA256
1b7b29188a9891cb3636cfe36cb2e365003b4e7faaf235106b935da8613c64ce

SHA512
0635e85e1b5edac2d1f3bae7e678c998718be6edf56522ee2aa537cf629f6ad540226894a8788deb364401a0fcc6507f21ce2a03ad5fb306785b6b140942b406

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00200057003F001D0006.txt

Filesize
302B

MD5
f91e877d0cd2f765ac63a6c65f7b0bf4

SHA1
ae6de1243a1b42ccdbff532745cb19b0509048aa

SHA256
a8144ce26ea71a2bcd9e11c7fc5dfe03dd6f5f35013671d8232ec2d47208946c

SHA512
1ee2a1d7ee9ccb10bc232b1d44a2292ef3f45e7f8b3e7da362dffec2cce0aab21be233409ed1f41888cc1a5bc2bde8fd851839505c341b583b958275cfe3e356

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe

Filesize
1.8MB

MD5
b7d4399f019341da41564125840244ca

SHA1
63e50503024bcc53bf06b5c860b4eeace90417c7

SHA256
68e4e894ba334e22c8a3e737a61fb8fa1094fc910e2b01e63f70e89efb915a0d

SHA512
99e2b5742362934ca7ef81235a44e2db2c0ffe7495e697bf3ad85c579bf395b3aea71b0bdbb584003988fa8aced2313e5a0b56bac5f9a864b866fef8cb21ce0b

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe

Filesize
128KB

MD5
e4a9e6a97769f5c0e2dd142270002798

SHA1
59b5bedf5ac6677de31368897bc2dac1e067c6f1

SHA256
70c5d6aecd72d37968aedb4a2d67368cc205e8e9a6a2935308547212c00b8601

SHA512
602e8b93c39fc0e0a913853f1438a42b52ea29bd4ac6826f15fa49c21dcd0fab92ca8a7ea572b75007def7361ccf6d4ea5d58039cc75a30848d27a7b59022c3a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
771b9ee84d963db7e83c8dd464214522

SHA1
c4628c21b98afe929fd13964991f6c51bb8d4158

SHA256
b0474a2fbf459c08f8c059a488c62b0cc5a9033a1619ade45f491fc3b3891d20

SHA512
31da0a04df4dfb03db63597bf89c45a4f23276b5a88e359094456f04bc7db39952c756be362e79941524056b84e59184589ef3e41619fe55514ddfeee4406c9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
263ebe60f35ebdd89180c5da75d02642

SHA1
56f3df338ffbb232192d043bb7b7f1838a9edd34

SHA256
896bd2a3db27a247995a09492f4079935968b25f0ee42eb86ae520c6b03c9d01

SHA512
efea298097f263ca77233cf888781596be771eafc1b266f759a2d4a8ae187f0d35d9fca8bc2895edb31bfa9c08bbc6b3025e481df44b9f4c5a47a85cd95016e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
41d57eb0daee570abb7bbc8583f7baec

SHA1
e2f1d3c13990f8deafa1eb726e710d5a16be8120

SHA256
83992363583978ee43c2b1c637cd0c87cb89a8f3041368017b13ed0339b63d98

SHA512
0ff2de0fc614db5631ecf31bfe25afaca0bf5b3f1715db0a709c8d606ba85349806c9798841751cf8ff3a25cb2d716451546c30938d63f7b08695e9c58687056

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
c8faf9cacd98b908f64248155a87779a

SHA1
3881ccd93cba0c555868f64e6bdf0a2f6c567719

SHA256
8574aa81fd5e308384c45c8da0eefb5ebd9f92c9852977a2a60f6f8e0ad253a8

SHA512
1a97af90f627bc2901e425035fc567904ca178aee9f6949122edfc9d47ccb1e262747c5fcf1f13ae346eee03924a54bac5ceeae8846d5e059c9a0a58d3a7cf93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ee1c6757da82ca0a9ae699227f619bc

SHA1
72dcf8262c6400dcbb5228afcb36795ae1b8001f

SHA256
62320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31

SHA512
dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d62cefeb0c8fbab806b3b96c7b215c16

SHA1
dc36684019f7ac8a632f5401cc3bedd482526ed7

SHA256
752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01

SHA512
9fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4d83b1f4-f980-4d82-ac50-9151393c2a81.tmp

Filesize
3KB

MD5
fb3adf7fd995937c14492d577e709f3e

SHA1
8b585779b4e6a2691e4c0a0dd51a3cfbb34c81d8

SHA256
639a357d09a4f28dcd1e9b17f1134fa55906ca4bd1b09e54caecdbd4d9e8c356

SHA512
2476c30634b7615af6b9dbcdf6b7031dece2b18b1023b6dc91add8be3ead126ea44cee6425abbe76a5b771d9f893845642cc00d0adbb1d51ed42f4b545343e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
e450b6fe9d66bdb7ee0c04b801d89e7a

SHA1
f14189360cb60732631677129794825742baa7e2

SHA256
1b40cfe4a38eef28a9a6b372fbe819b5dad9b603a57503590b635fca48b498b6

SHA512
11316933a141dbb80fc76ce34e6c7ce452caac84fbf5f9f1ad3804f5115602390d0018cf92c05760c31a445d695acd8592675241355d899a846796fa741f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
f5e05b76185ad4bbcdb336df9918f78c

SHA1
9455f0a0b811cc36ccc52a3fe1622e105ae9d423

SHA256
0e2afb39e74456d03c0abbe2c67b0e5d78b727e9b5e5d3e3bfb5084e4d1e91bc

SHA512
b91bb369183e164ec46c335213ecc5a71c9b90b6b5be9936fa5e5abbe54d88c861e098e330bc504d2f6e66470992fba94373f7c3b7e7e7f2fdd23f2d274e89eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
67acbcfa5a8b389f12070f40bd788f57

SHA1
0b9ee2fc1308ee24e0bf14989e4d9b57e3668e6f

SHA256
1747344e594d6845e143a9abc3fce05ab0665ca1e36449155d98e7dc8c38304d

SHA512
1e5945e6cc6ef73508bfd51a5b2edb6d67f4283e0a2f46e6bbbcfd44dbf8d0d8d8b02a7a6809f5cdfd99472ae5a79800a92a0f3a119cc24245fbad3c14a2477e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
6039e9328b49a53cf6d6f4a5f7d8fb64

SHA1
a607814a1f6a0bd1b8f23bb978277ca4894444d4

SHA256
85c04f5dc22643e8f8decd00b6d4d2301c5da1bc59de7758f5da5a5f49de2039

SHA512
ecdcd90ee828951bc00c0246a0f6a3845ee2b3e998c481f38a9900eaa92e4e4151306959bd8e93877c7001df5bc42280d2ffb257db88131627464d17d56f6984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
337f5f0c3cc9e8854e20857499beb5ce

SHA1
c8e76a3af625e4168e57a1f378bb001f24452f5d

SHA256
6db430798bce61129d3ecb69c5182f5ebf4f2a47c8526e8bfca8ea4c7203ede3

SHA512
44dcc329e289bb0e030ad07f9986db0d946f4268267ef9adea3600ad6ed8c3f201c4515908b1ed5175c9beee34c585f141e737086e72d15ccd14ba7a166f9d34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
b5ec7e97778689b5da61bc0e6db2dd1b

SHA1
f7a177b167f7043fab5d0a08560ff1e56e859636

SHA256
5a580be67a3e457d043ca35798c36bd370f37732da189004997f295c87b33337

SHA512
b7ea9fce226bd745e1939a028d5ba2e78a3f591b5df1a645675ee49176d1c54e974750aa8260e8f3d699277cf27a8c96a7e13054e12424cbf5994f9313dca2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
d9df313e8cbeacfc5b2209ab370e5763

SHA1
6ace2963adea83b261c0722cf282cbbcb51ee99f

SHA256
1b5cea6447adaf360412662eaa786cb47ec25cefa6c23938c16feccd026d30ff

SHA512
493a9cceac5a34cb11e9f057e013ea85a344c15f909a3a375946cf40b0ac8e65e78ca19f3cd256b0ccab5b1cfafb807788f792497612c074760cef54a59d8596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
53fbfd55219563e5cb2c8dbdc7c0e398

SHA1
33dbec756bc4fc507f31322965239ef53a1afe28

SHA256
0d847fa82e643e15dc5bc5d75ce9aaf6a73dcb696ad490c3c2c9e3f371e58556

SHA512
9692823c068ea552cd93bde4ce5de4f0e0846d2104095fe0a6f8afa3b3465a8389f75d123efde5350099b68f22c50f1f593438b1d44057507d790ed3d0aeafe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e1e9f87155a0d7984036e7012af3c1dc

SHA1
fc884ca04159374eadbb863c3c86b15b8fe41445

SHA256
f8e739796f3a38ff75962f4fc23efb0ec1418ce50edc7e98d230b85bce6bac7d

SHA512
f1d2d784ee1e62a54283e73fd457cb47788ef9075cb002560f2a61bbcf383e137fad24014964b8a8e1009b54267f8d50880f1acf7cac14fa62924866c301e3f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
3096b969086bcec7828d58307de26e8e

SHA1
0520d3c4f925e36523998f563d7188489cabac71

SHA256
cbf7f582f099a7741742021aa8435abe97743bebef118d9a4224d4aca6b7c541

SHA512
152418e139622f326254202703d4da2974b5e92209f2543f577b95c9b2d7ee149eca60972622cf18bbff67bfff3fa1b3b6abb8ef796dc8e899392dd45c40e46a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8b8adca7bcadf48db57a8fcaad8b701f

SHA1
d1b76040405f47819d7c14fea663f088e3b34aec

SHA256
a23fb2e62b27185393df13d128da8c010400ece7aade81c733143dcd328e615f

SHA512
0ba503db095a9cbaed87eb4335b85923014b196d73e99655254196bbe1642786e04222d044460bcbeb6129bdef1292124dd924c20c919a5a54aeaabc1882ea26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5d06afdb798a7902364c7cc89514be93

SHA1
f6be817ddcbe2461cd28c5a304ec572b70cd2df3

SHA256
15edc63deb632721a280b315e0eb0ea8873550de3b6eb79e75587f2475436842

SHA512
b15ce6d8ddc68c7d76a5841190a2b263c73bc4efac40ebf4c04a197b9d78883d668f57c014407aa55992f3b91135c8d49d596d3e0f4a58894151fc7987cf6f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57eafc.TMP

Filesize
1KB

MD5
35a583e29b87e7d82ccb4e17d871c706

SHA1
4a801714b424b86c1245753358dd3f0d7804405e

SHA256
d38d18ce105457b1dd8bd361bcff35b97f7a1650f2ff7725e7b089402141ed88

SHA512
8f77ab3b30c01c2fddba63915097cbaebcb7923310b5c12785dccee45dbc9e8bff57012cc5f67f85806d2b86072c27379743401cb0ade494d546c42dbdd413d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b14b35d0757c47f2379a7a74b97af04

SHA1
01d9d336b5f9b3e6546a5541c058356ab46f177e

SHA256
ea2f43e707fe9a169568acdad5787cb7664070ef542b3cc3f7266c65b94a6e67

SHA512
a89f3b65e8c05b428414f7d1291137a17b64aedce3a0d1200438d2129e0aaaf25a5474fba144eb38ca20008c6b3d8b24a0338903ef599ed6b42b554dac7794c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
542999d21fe30b43bd896e140a6aa627

SHA1
05f936ae8eafa96ade205c87be615262374551dc

SHA256
a37a94829a33ed992abee6f0f4734ba2becf294c27d676e4660ba435d7ab7b89

SHA512
27cf03234cc7e83a451c74b8ee632d9e7ce7ecd0b758204ef22ed8d3d6fcd71d39d7eede8e5ccf56fd59e6d874b7bb05b6aa7df312de6bb75f0d6afdf79f0dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8090ebe9a0b5480c310a6c83b2745b5f

SHA1
328ae2c9cd42125b837f20c4102003e62088f9a9

SHA256
d2f81726ee0937f9c3f2d39721d117d6fc9df420e3a34ee5801012c8ed73c320

SHA512
0c4c1c54d50873630fa5c74e93b0ff2722a701e42ac776f726e27d5edd0e98b9edf97c0aac3d74a0be909161d70d70a91b17be058f6db7eb68f83d323819560e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402211845581\additional_file0.tmp

Filesize
2.5MB

MD5
c6beccc9e56ec0691635d94aa596861a

SHA1
15be27128c31b99e64e0897d5b39069ab482128f

SHA256
db4fa8e1e500ac2a83dda54216b39e4a93b8cad393ba60868615243ab70ef8f4

SHA512
b266697c648a5816c36bf49fe799473d0ce5445fc4bf4511ef62334cf29e97194ac708283273268d49d19b5135bc28af9fb966bc58e6d504ea2ddef3d921898a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402211845581\opera_package

Filesize
11.9MB

MD5
2dcfe8973b44ec26102366b7bd835a56

SHA1
5d317da214884aae13c7aa012aa0fe15528b9941

SHA256
ec49afab155bf5c04c3cd006d4ddab6881dc1df0fdf8d2c8198540aac5ba954e

SHA512
01ee5b68d3ade8c0b1e3d8c57b194c03204418d796db34e4afc10f01f91bdc27da078ea8d4fcbcebec989c6188ed8b14aa6c66c36c84dc8faacfbcf80345bfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402211845579253316.dll

Filesize
3.9MB

MD5
09ef156b91e15ff1ea5bd04ddaf36c15

SHA1
41af3678bb3cfdcb45bbb1bfa9bc01f57331f886

SHA256
6510270425e8ba2f8c6a173730e319ecca7aa5037ef1df59c9e24d3214146e69

SHA512
e587641dfa2b4483460a68b491ad94bb1ba7e2c4f5084d9cd16e8ebb20791e2296bca4e8d4138fe45c643090dea8ba993bc609a6e3520bec67d95abac0c80de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402211845580814844.dll

Filesize
4.4MB

MD5
43a273845a4101133ae610099c152ea3

SHA1
32d1123c170320b230d4fdafde0c7bc8c88a4a1e

SHA256
0ad97ae9e060805113be5acf996454c87a243c0bc2a59a2412e0073835588c6b

SHA512
cb38c289023f8d266f16974ac5062df846d41ffa14d40f84fb9d74bfdfe19471badea2424987a2e8b59bdc7de4b242d790a4993cd726c5520280e0d8d96098fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402211845582065104.dll

Filesize
2.5MB

MD5
8aff75aaef5c09e0dfb5923bebd7cb0d

SHA1
358339718d2557b0f8871b48295ae9f41cbd41d0

SHA256
ef3a73ae862967014889dfaccce1926897e965a0d0855e0a863dbefe1440c787

SHA512
c7581d2540124646e5bf010f76ccd7af45233b2cc4ae24520850669254b0febb34c8f219aa8715c364c826675628b91e459de6650e4e1feef08cc47cd91a268c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402211845582065104.dll

Filesize
2.9MB

MD5
c8d3b65dc3248b9f218f2ca7ba595222

SHA1
1765b2e8e11bcbeada56177896724a2b36faa908

SHA256
ec43a28a8928be3379ccf1bbb1c4ccb2850d75ac0ab254453bcf3211102c2b43

SHA512
8413f45d5404684b6809a014c0e8b7530cf43e85ee1284e77db22b9d0a4170f607d02f74bdcefd3c4ba82428fb24a7e02a859d84b88c336b5b1c77172db511a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402211845584093568.dll

Filesize
3.0MB

MD5
805ee293f7d436c6baf40b77c62da4c3

SHA1
e61f0a8744930f7038de0555317387afff3457e1

SHA256
b6bd0ef031f8545568e4b8601e10637093399690f0c0741fba7814112f6f3d6c

SHA512
3f0145d73320e47772ca6d397e11ff2dd5e02cac9d6d340c960e28c23dcf6e517fa500e55874917b7233fb151d977b63422bb2c7b589ffba8258c63ac8be21d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_240221184558628988.dll

Filesize
3.3MB

MD5
260d85b633e4c31c22fcce1b9e973372

SHA1
edaaef81283d22855472fd8a6e5b4a4369151937

SHA256
63501483f1048c098b2fead14bb74c1b900f5a86fea35622a0dd7c8c824693a6

SHA512
c9366eb2bdb913090bb6a960904aecfc2ffa5d5379420e2ac45b9a7d70457b61c9692c53d961417d00564e5e7fd122026e4098e4af30a1e563b3878c2892f9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RFSTM.tmp\fortinet-7.0.0.0029-installer_jLa-0t1.tmp

Filesize
3.1MB

MD5
c8c4d20b0a603fd1e0a2ea304fa05721

SHA1
608cd0a7e122682c6f0a0622accc2a6cc23b6c4d

SHA256
c1e0bf25484a1dacced5e782f6fa50c4994fbfd026f3a901ae93601eeaca921c

SHA512
e0f6226d280c221da8b5902629b9e29ec09dd1c311eba28ad739b3eee44f57608a3d276ca5740a7687106ea905ee12d40fd0983be8bc20daa8ff45d0834d766d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\Opera_new.png

Filesize
38KB

MD5
d9ee988b72b14e305f2b8891b1952cde

SHA1
fe73c83b75b11b6eec464cd68df6748ad446ff47

SHA256
2fe0e0d53b94b1dfecb7a9a1990479d55371c49d8387e9037a48460c4b2d76fe

SHA512
9f31c3470a598350296879d6a7d8ccff96d64b59dafb00e53b8ae90f78b341bf7cbde1a4d0fe836e6013048910ee9aa54baece3b6d754c5c0c1e0cd52ccf6eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\WebAdvisor.png

Filesize
46KB

MD5
5fd73821f3f097d177009d88dfd33605

SHA1
1bacbbfe59727fa26ffa261fb8002f4b70a7e653

SHA256
a6ecce54116936ca27d4be9797e32bf2f3cfc7e41519a23032992970fbd9d3ba

SHA512
1769a6dfaa30aac5997f8d37f1df3ed4aab5bbee2abbcb30bde4230afed02e1ea9e81720b60f093a4c7fb15e22ee15a3a71ff7b84f052f6759640734af976e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component0.zip

Filesize
499KB

MD5
cd9c77bc5840af008799985f397fe1c3

SHA1
9b526687a23b737cc9468570fa17378109e94071

SHA256
26d7704b540df18e2bccd224df677061ffb9f03cab5b3c191055a84bf43a9085

SHA512
de82bd3cbfb66a2ea0cc79e19407b569355ac43bf37eecf15c9ec0693df31ee480ee0be8e7e11cc3136c2df9e7ef775bf9918fe478967eee14304343042a7872

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component0_extract\saBSI.exe

Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1.zip

Filesize
2.5MB

MD5
50a047c9410a6795b16efac1282e06f5

SHA1
6ca6cab3791347cc73ee0bcc95800041abb8bb9b

SHA256
d652c51ef76666282e8e9d165ef7d053414899aee4fb20f537aabf3e82e05a61

SHA512
33f01275c6cbdbf26f8750402e2c9d5a857d3f6d267249c38ca26ccda90c76a22dbc5b25f6c9eff41b17401e7283d93b119607d195cabf7d5e4353bc4d6ff9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1_extract\OperaSetup.exe

Filesize
2.5MB

MD5
d61f4679fb50f53af4fbe698aa10161b

SHA1
ded2dd1910b65baba97f453e745b0a056504a191

SHA256
21bd5a4e362b7505acebc4d807e8bfbc31c50fc7a966ed7466a855b29bc29409

SHA512
678625554f10847f00f8fe7a6b7ef9c4a9d2cb3072edd4136b5a04b386b095c5e9d7cc5a5d548bdf3ba62a546201f4a043d54d9687733ae4a2460d4f2990d739

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\component1_extract\OperaSetup.exe

Filesize
2.6MB

MD5
9e72834b5d485917ae5e2721bb6614ea

SHA1
9602bff165414bd13aba117cdf02bd52de1eca44

SHA256
abeef8addf7fd49490022a98a445959d8413085fa2648dd5299d7c1d4b320646

SHA512
477d939d43971bb6465b80a14e4a8722ba10af8c7966a9336aebae42dacaea4b605a4895278034eabee1a2e5ae44e93ba3e6b45bfcd78687331637b2b7747d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VH5FK.tmp\mainlogo.png

Filesize
4KB

MD5
876aef14e8c4c55edf801c5d29c39409

SHA1
f8729c763d309c1aad26f9dd9e23b2c197633f66

SHA256
aee796737569322493175e6b4d6c75eeb0dea180be23a12c318941ba265555b0

SHA512
81bbe9c680999fd110f0df915b0a4a126f06a13cf4e76510c469f208c1aedb46478244aaa12cae417dc0e86bbd10232035aea37c8b42c3941125819602026683

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
3ca64fea0c5f55166265e27914b01419

SHA1
c6e0545451a4a5d45452f7a7f99cd5c6f571aa11

SHA256
84339d4f90979a11e7be136d8b8cdd3944bb44b472f23601a12593b40af7f871

SHA512
ec65209c82f10fd3bcafdb8f138df09deb38b1b4a4337527374ca91433997f1e45998d011f9eeaef3c654c4ff8c4c5d49847ea26803569ea33bdbb19359a62e8

Download Submit
C:\Users\Admin\Downloads\fortinet-7.0.0.0029-installer.exe

Filesize
333KB

MD5
040c019b82eeae2fd971f0d573d8591d

SHA1
a8c39a38403eabba0681563a354dfb6e9bc8f342

SHA256
c8c1ef1fff8afda8600543db3b4edf81d3f0c7134c0bd90cec554b0c599a8157

SHA512
adf68f14eeb91da2c65b6affc481169c492595509af4623685765a2da74c2e548c5466f154fb0f0efa21051e30593d085c29ff655c886ec0e6715634ef3f66f8

Download Submit
memory/988-134-0x00000000005F0000-0x0000000000AFE000-memory.dmp

Filesize
5.1MB

Download
memory/3316-99-0x00000000005F0000-0x0000000000AFE000-memory.dmp

Filesize
5.1MB

Download
memory/3316-467-0x00000000005F0000-0x0000000000AFE000-memory.dmp

Filesize
5.1MB

Download
memory/3360-172-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3360-32-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3360-24-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3360-25-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3360-29-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3360-30-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3360-280-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3360-147-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3360-19-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3360-105-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3360-238-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3360-237-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3360-171-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3360-20-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3360-6-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3360-131-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3568-125-0x00000000005F0000-0x0000000000AFE000-memory.dmp

Filesize
5.1MB

Download
memory/3568-473-0x00000000005F0000-0x0000000000AFE000-memory.dmp

Filesize
5.1MB

Download
memory/4360-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4360-31-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4360-282-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4360-2-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4844-115-0x00000000005F0000-0x0000000000AFE000-memory.dmp

Filesize
5.1MB

Download
memory/5104-122-0x0000000000D10000-0x000000000121E000-memory.dmp

Filesize
5.1MB

Download
memory/5104-120-0x0000000000D10000-0x000000000121E000-memory.dmp

Filesize
5.1MB

Download
memory/5308-859-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-905-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-768-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-763-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-692-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-711-0x00007FF703930000-0x00007FF703940000-memory.dmp

Filesize
64KB

Download
memory/5308-972-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-979-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-1003-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-978-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-1381-0x00007FF750400000-0x00007FF750410000-memory.dmp

Filesize
64KB

Download
memory/5308-1382-0x00007FF766AC0000-0x00007FF766AD0000-memory.dmp

Filesize
64KB

Download
memory/5308-1383-0x00007FF766AC0000-0x00007FF766AD0000-memory.dmp

Filesize
64KB

Download
memory/5308-1384-0x00007FF766AC0000-0x00007FF766AD0000-memory.dmp

Filesize
64KB

Download
memory/5308-1386-0x00007FF750400000-0x00007FF750410000-memory.dmp

Filesize
64KB

Download
memory/5308-528-0x00007FF766AC0000-0x00007FF766AD0000-memory.dmp

Filesize
64KB

Download
memory/5308-526-0x00007FF766AC0000-0x00007FF766AD0000-memory.dmp

Filesize
64KB

Download
memory/5308-527-0x00007FF766AC0000-0x00007FF766AD0000-memory.dmp

Filesize
64KB

Download
memory/5308-810-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-470-0x00007FF766AC0000-0x00007FF766AD0000-memory.dmp

Filesize
64KB

Download
memory/5308-827-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-839-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-854-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-783-0x00007FF703930000-0x00007FF703940000-memory.dmp

Filesize
64KB

Download
memory/5308-969-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-939-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-937-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-910-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-878-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-564-0x00007FF75DCD0000-0x00007FF75DCE0000-memory.dmp

Filesize
64KB

Download
memory/5308-843-0x00007FF703930000-0x00007FF703940000-memory.dmp

Filesize
64KB

Download
memory/5308-824-0x00007FF703930000-0x00007FF703940000-memory.dmp

Filesize
64KB

Download
memory/5308-821-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-739-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-714-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-703-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-529-0x00007FF766AC0000-0x00007FF766AD0000-memory.dmp

Filesize
64KB

Download
memory/5308-536-0x00007FF750400000-0x00007FF750410000-memory.dmp

Filesize
64KB

Download
memory/5308-562-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-563-0x00007FF703930000-0x00007FF703940000-memory.dmp

Filesize
64KB

Download
memory/5308-636-0x00007FF750400000-0x00007FF750410000-memory.dmp

Filesize
64KB

Download
memory/5308-591-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-629-0x00007FF703930000-0x00007FF703940000-memory.dmp

Filesize
64KB

Download
memory/5308-675-0x00007FF703930000-0x00007FF703940000-memory.dmp

Filesize
64KB

Download
memory/5308-654-0x00007FF767F00000-0x00007FF767F10000-memory.dmp

Filesize
64KB

Download
memory/5308-672-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download
memory/5308-599-0x00007FF71C140000-0x00007FF71C150000-memory.dmp

Filesize
64KB

Download