Malware Analysis Report

2025-08-10 19:32

Sample ID 240224-zszekaed79
Target Lost in the World of Succubi_e8-w8e1.exe
SHA256 0bb4adf992267f14d272bb10743030952057ba5429013b1f6559788498c901d0
Tags
evasion cobaltstrike zgrat backdoor discovery persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0bb4adf992267f14d272bb10743030952057ba5429013b1f6559788498c901d0

Threat Level: Known bad

The file Lost in the World of Succubi_e8-w8e1.exe was found to be: Known bad.

Malicious Activity Summary

evasion cobaltstrike zgrat backdoor discovery persistence rat spyware stealer trojan

Detect ZGRat V1

Cobalt Strike reflective loader

Cobaltstrike

ZGRat

Creates new service(s)

Reads user/profile data of web browsers

Checks for any installed AV software in registry

Modifies Windows Firewall

Enumerates connected drives

Downloads MZ/PE file

Checks computer location settings

AutoIT Executable

Loads dropped DLL

Launches sc.exe

Drops file in Program Files directory

Checks installed software on the system

Registers COM server for autorun

Executes dropped EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Script User-Agent

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-24 20:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 20:59

Reported

2024-02-24 21:03

Platform

win7-20240221-en

Max time kernel

183s

Max time network

217s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe"

Signatures

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\SOFTWARE\Avira\Browser\Installed | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\SOFTWARE\AVG\AV\Dir | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\ | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\shell\open | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\shell\ = "open" | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\DefaultIcon\ | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\shell\open\command\ | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\shell | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-R30BU.tmp\\qbittorrent.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\.torrent\ | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\Content Type = "application/x-magnet" | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\URL Protocol | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-R30BU.tmp\\qbittorrent.exe\",1" | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\shell\ | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\.torrent\ = "qBittorrent" | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\magnet\ = "URL:Magnet link" | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2948 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp
PID 2948 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp
PID 2948 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp
PID 2948 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp
PID 2948 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp
PID 2948 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp
PID 2948 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp
PID 2896 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | C:\Windows\SysWOW64\netsh.exe
PID 2896 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | C:\Windows\SysWOW64\netsh.exe
PID 2896 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | C:\Windows\SysWOW64\netsh.exe
PID 2896 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | C:\Windows\SysWOW64\netsh.exe
PID 2896 wrote to memory of 608 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe
PID 2896 wrote to memory of 608 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe
PID 2896 wrote to memory of 608 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe
PID 2896 wrote to memory of 608 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp | C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe

"C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe"

C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp" /SL5="$50158,13603942,780800,C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe"

C:\Windows\SysWOW64\netsh.exe

"netsh" firewall add allowedprogramC:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe "qBittorrent" ENABLE

C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe

"C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe" magnet:?xt=urn:btih:BFF18AF5608F9196CF05BF0C1F0B54A18C3F0A77

Network

Country Destination Domain Proto
US 8.8.8.8:53 d3st27td9yruau.cloudfront.net udp
CZ 65.9.94.85:443 d3st27td9yruau.cloudfront.net tcp
CZ 65.9.94.85:443 d3st27td9yruau.cloudfront.net tcp
US 8.8.8.8:53 d3st27td9yruau.cloudfront.net udp
CZ 65.9.94.85:443 d3st27td9yruau.cloudfront.net tcp
US 8.8.8.8:53 dht.libtorrent.org udp
N/A 10.127.0.1:5351 udp
US 8.8.8.8:53 router.bittorrent.com udp
US 8.8.8.8:53 download.db-ip.com udp
US 8.8.8.8:53 router.utorrent.com udp
US 172.67.75.166:443 download.db-ip.com tcp
US 8.8.8.8:53 dht.transmissionbt.com udp
US 8.8.8.8:53 dht.aelitis.com udp
US 34.229.89.117:6881 dht.aelitis.com udp
US 67.215.246.10:6881 router.bittorrent.com udp
IS 82.221.103.244:6881 router.utorrent.com udp
FR 87.98.162.88:6881 dht.transmissionbt.com udp
SE 185.157.221.247:25401 dht.libtorrent.org udp
BR 200.97.46.55:55690 udp
BR 177.173.230.173:54871 udp
MA 197.145.127.105:47879 udp
VE 201.242.56.27:6881 udp
MX 187.199.102.8:37334 udp
MX 177.245.153.219:13436 udp
US 8.8.8.8:53 www.fosshub.com udp
US 104.20.137.9:443 www.fosshub.com tcp
ES 79.144.8.63:49301 udp
SG 219.74.115.54:24867 udp
IN 106.220.123.121:14928 udp
HU 84.2.155.227:53721 udp
CN 218.23.138.71:44673 udp
EE 46.131.25.177:29243 udp
N/A 127.0.0.1:49399 tcp
KR 121.167.2.241:40949 udp
N/A 239.192.152.143:6771 udp
RU 146.120.78.161:22084 udp
RU 93.100.226.129:32551 udp
KZ 92.55.178.139:41969 udp
RU 46.188.120.70:5987 udp
RU 91.228.97.173:32982 udp
MA 196.112.204.126:43693 udp
BR 170.246.225.51:15394 udp
IQ 37.237.92.16:38316 udp
BR 189.83.253.44:56226 udp
KR 119.196.178.63:7996 udp
RU 79.174.35.45:37895 udp
RU 188.17.52.119:25145 udp
RU 95.32.198.9:1128 udp
RU 95.161.248.34:40315 udp
RU 93.123.223.174:39867 udp
RU 146.66.185.48:29646 udp
RU 178.238.121.242:31267 udp
KR 49.163.190.88:50287 udp
RU 185.16.139.168:4097 udp
PL 89.64.87.23:54904 udp
RU 45.94.119.0:9595 udp
PY 45.170.128.131:1645 udp
RU 185.14.71.124:49503 udp
BR 179.154.143.33:3352 udp
RU 185.5.248.17:12343 udp
CZ 89.102.49.222:19526 udp
UA 188.163.4.19:22332 udp
UA 46.119.121.29:8599 udp
ZA 196.25.127.110:4807 udp
LY 165.16.38.230:38439 udp
KR 221.154.92.45:38391 udp
RU 109.94.95.195:6606 udp
US 173.175.64.57:50321 udp
RU 95.79.19.53:6881 udp
PT 2.80.46.109:28718 udp
SA 2.89.152.228:65160 udp
RU 2.95.206.1:20976 udp
GB 2.217.12.79:2615 udp
DE 5.189.140.45:5588 udp
TR 24.133.120.184:5239 udp
HU 37.76.41.41:27926 udp
PK 37.111.189.230:37340 udp
PK 37.111.189.230:45351 udp
DZ 41.97.147.63:8488 udp
IN 42.104.155.133:15725 udp
BR 45.6.33.159:53734 udp
EG 45.243.205.128:1026 udp
US 47.225.149.180:12478 udp
SA 51.36.174.18:11637 udp
SA 51.36.174.18:42503 udp
PK 59.103.58.172:43106 udp
PH 61.245.29.42:9533 udp
PH 61.245.29.42:20022 udp
ME 62.4.34.57:47729 udp
US 67.255.11.170:48033 udp
HU 77.111.171.225:7000 udp
FR 77.206.116.120:46560 udp
PL 78.30.97.126:4575 udp
DE 78.42.170.237:9906 udp
HU 79.121.41.113:35974 udp
PL 83.9.155.106:48393 udp
LV 83.99.176.35:34763 udp
SE 83.253.65.36:58607 udp
CZ 85.163.76.18:50705 udp
PL 85.221.150.234:63520 udp
PT 85.241.12.130:26347 udp
PT 85.243.255.105:25288 udp
IL 85.250.105.221:35396 udp
SI 86.61.85.115:33336 udp
RO 86.123.174.25:27697 udp
GB 86.131.63.223:23425 udp
FR 88.178.153.65:14820 udp
HU 89.132.118.127:13426 udp
HU 89.147.65.7:28544 udp
PL 93.175.83.237:49194 udp
DE 93.245.156.60:61217 udp
GR 94.67.15.76:14979 udp
GR 94.67.15.76:20001 udp
RU 95.24.179.50:13738 udp
PT 95.93.82.163:35065 udp
DE 95.111.230.250:22197 udp
BG 95.158.157.45:54570 udp
N/A 100.110.157.89:51435 udp
NG 102.88.33.109:3448 udp
NG 102.89.41.104:21307 udp
EG 102.191.143.69:31053 udp
PH 103.105.214.110:7480 udp
PK 103.174.206.63:35563 udp
ID 103.212.211.67:9086 udp
DZ 105.101.112.19:49726 udp
NG 105.115.0.67:12265 udp
PT 109.48.158.244:34403 udp
PL 109.243.0.220:15737 udp
NZ 115.189.130.87:6165 udp
ID 125.162.215.98:55795 udp
RU 128.68.4.93:8650 udp
RO 128.127.115.76:4461 udp
US 136.32.246.66:29588 udp
BE 141.135.167.28:1054 udp
HR 141.138.27.245:8337 udp
RU 145.255.0.254:43791 udp
BG 149.62.205.13:64843 udp
BG 149.62.205.49:54969 udp
BG 149.62.205.49:61891 udp
EG 156.203.93.157:39225 udp
EC 157.100.76.105:29737 udp
ZA 160.226.243.82:22603 udp
DE 164.68.127.100:35560 udp
DE 164.68.127.100:53445 udp
US 172.111.38.128:49348 udp
US 174.22.219.86:22480 udp
US 174.62.225.42:13990 udp
TR 176.88.31.124:29928 udp
IL 176.229.238.4:33131 udp
BR 177.121.63.79:48461 udp
RU 178.66.95.77:31192 udp
RU 178.76.218.149:35691 udp
RS 178.222.219.72:37346 udp
AR 181.164.177.92:7814 udp
AZ 185.81.85.161:30967 udp
PL 185.235.206.165:11651 udp
RO 188.27.130.62:11898 udp
TR 188.120.41.56:34875 udp
RS 188.255.145.183:34110 udp
RS 188.255.145.183:34111 udp
MX 189.248.125.175:55255 udp
SV 190.62.14.199:39293 udp
ET 196.188.224.106:57026 udp
CA 198.91.172.196:43963 udp
ID 202.80.215.244:52345 udp
RU 212.7.252.179:61161 udp
DE 213.136.74.178:22831 udp
JM 216.10.214.158:12259 udp
GB 217.39.16.118:45095 udp
RU 89.16.102.230:56409 udp
FI 185.148.3.162:11161 udp
PL 185.16.39.228:54197 udp
US 66.59.198.112:6882 udp
RU 185.134.120.172:6881 udp
RU 194.39.101.248:43403 udp
RU 5.141.194.40:12937 udp
PL 78.30.97.126:4511 udp
CZ 77.236.218.235:31302 udp
US 4.1.134.179:32700 udp
BA 31.223.145.64:27038 udp
ZA 41.246.31.140:15401 udp
ZA 41.246.31.231:38225 udp
MV 43.231.29.189:21278 udp
IN 49.128.163.215:63328 udp
TH 49.228.176.177:23378 udp
SA 51.235.212.207:50007 udp
PL 78.30.97.126:4549 udp
RO 82.77.245.196:14794 udp
PL 83.29.62.80:34916 udp
RU 85.91.96.90:39785 udp
NO 85.166.80.163:31655 udp
RU 88.201.222.10:2294 udp
PL 89.151.33.186:43631 udp
UA 91.225.162.111:4332 udp
AL 91.240.165.6:60973 udp
UA 95.133.52.110:9307 udp
US 98.10.78.69:55011 udp
US 98.221.134.33:11959 udp
RW 102.22.142.243:35247 udp
NG 102.89.41.104:26776 udp
NG 105.115.0.67:7975 udp
IT 109.52.206.207:1553 udp
FR 128.78.45.183:56655 udp
BE 141.135.167.28:1052 udp
SA 146.251.141.205:40226 udp
BG 149.62.205.13:55315 udp
BG 149.62.205.13:58871 udp
EC 157.100.112.58:11747 udp
RU 176.214.236.19:1565 udp
EC 177.234.237.123:19678 udp
RU 178.72.68.187:9797 udp
RU 178.216.70.230:24897 udp
UA 193.194.113.21:55768 udp
RU 194.39.101.248:46392 udp
NG 197.210.53.79:41585 udp
VE 200.109.3.24:13093 udp
BR 201.68.247.222:1024 udp
KR 211.118.217.193:45628 udp
JP 220.108.142.74:44829 udp
ZA 41.246.31.140:15413 udp
NG 102.88.36.50:3448 udp
FR 94.23.249.222:61555 udp
AT 89.58.61.32:59264 udp
DE 23.158.56.120:44136 udp
SI 46.123.250.158:15767 udp
IN 49.128.163.215:10181 udp
CZ 85.163.76.18:6881 udp
RS 87.116.133.156:11743 udp
RO 95.76.1.91:13226 udp
US 104.230.137.249:52531 udp
BG 149.62.205.13:59222 udp
DE 167.86.68.85:24424 udp
RU 176.99.159.81:30891 udp
RU 176.214.236.19:1063 udp
HU 188.143.116.110:42248 udp
NG 197.210.76.84:41585 udp
TW 218.32.97.27:5512 udp
US 138.2.227.120:6881 udp
PL 146.59.3.81:10240 udp
NL 88.151.32.222:6881 udp
UA 185.41.21.226:40533 udp
RU 95.24.174.255:33031 udp
RU 145.255.0.254:23256 udp
N/A 239.192.152.143:6771 udp
RU 95.141.187.137:13719 udp
MV 43.231.29.189:54420 udp
MV 43.231.29.189:54424 udp
CA 45.136.154.250:6524 udp
SI 46.123.250.158:15669 udp
PK 59.103.58.172:42834 udp
DE 84.129.199.141:41717 udp
US 145.14.135.154:63420 udp
BG 149.62.205.13:57577 udp
IN 152.58.34.28:54450 udp
DE 164.68.127.100:48033 udp
US 172.111.38.128:18954 udp
ZA 196.25.127.110:56245 udp
HU 212.102.99.216:21701 udp
GB 89.149.23.59:33031 udp
US 142.171.125.191:6881 udp
UA 188.163.101.234:33031 udp
TT 161.0.158.2:55606 udp
PE 179.7.106.208:51866 udp
MX 201.97.206.165:39439 udp
PH 112.207.176.230:41567 udp
CN 120.42.129.23:25807 udp
CN 171.42.254.76:21164 udp
CN 112.3.224.98:11765 udp
RU 147.45.213.70:37478 udp
CN 219.159.112.162:15750 udp
CN 116.132.217.224:6884 udp
KR 183.102.171.68:40960 udp
RU 37.131.222.17:56749 udp
KR 116.33.51.22:41004 udp
JM 72.252.190.95:37687 udp
MY 147.158.192.234:56112 udp
IN 45.248.66.131:47099 udp
RU 46.173.4.214:12345 udp
MD 89.28.98.66:57097 udp
KR 112.147.144.14:33158 udp
CA 135.19.196.49:39929 udp
GB 149.102.58.94:15122 udp
IN 152.57.234.241:53838 udp
RU 78.140.44.6:58319 udp
MX 189.239.137.25:55217 udp
HN 190.124.160.138:19536 udp
EC 186.42.11.10:17413 udp
RU 95.165.31.39:29354 udp
PT 161.230.105.234:56814 udp
LT 78.60.11.16:51413 udp
TW 104.28.159.155:14414 udp
CN 183.60.144.155:6882 udp
DZ 41.97.34.14:50774 udp
KR 175.192.38.154:41175 udp
CN 116.8.55.167:16260 udp
DZ 41.104.23.94:46464 udp
DE 176.9.144.183:51413 udp
BR 170.0.74.66:40931 udp
HU 178.164.253.29:15141 udp
MX 187.142.118.89:45046 udp
NL 80.66.69.11:3343 udp
TH 182.232.115.29:61522 udp
DE 5.9.41.13:53504 udp
KR 220.65.193.84:32845 udp
HU 79.121.73.19:55000 udp
SA 51.211.23.13:57021 udp
RU 91.228.97.176:49665 udp
BR 45.169.27.169:6538 udp
AT 185.33.10.42:6881 udp
HU 188.157.26.197:15005 udp
GB 194.156.225.175:54586 udp
RU 84.51.212.125:49001 udp
VE 190.97.249.42:53551 udp
DE 62.171.169.210:51410 udp
CN 218.91.170.149:6891 udp
AR 181.45.207.103:46794 udp
CA 37.19.211.93:27637 udp
RU 31.133.253.126:31781 udp
SA 31.167.238.42:48227 udp
MX 201.153.222.203:47419 udp
BR 201.17.83.80:28624 udp
MX 189.128.49.163:47371 udp
BG 93.123.124.254:55713 udp
PS 139.190.138.26:37944 udp
BR 177.70.177.73:37953 udp
DZ 105.98.218.69:43261 udp
RS 188.2.28.251:41850 udp
US 68.227.215.142:50955 udp
GB 151.225.115.196:42821 udp
FR 212.129.33.59:6881 dht.transmissionbt.com udp
PT 89.181.129.35:25997 udp
US 136.33.6.226:2810 udp
NL 5.79.80.219:33031 udp
RU 178.72.68.187:55787 udp
DZ 105.101.112.19:49726 tcp
EC 177.234.237.123:19678 tcp
DZ 41.97.147.63:8488 tcp
RS 188.255.145.183:34110 tcp
IN 152.58.34.28:54450 tcp
LV 83.99.176.35:34763 tcp
MX 189.248.125.175:55255 tcp
PK 103.174.206.63:35563 tcp
ZA 196.25.127.110:4807 tcp
BE 141.135.167.28:1052 tcp
FR 88.178.153.65:14820 tcp
US 98.221.134.33:11959 tcp
SI 46.123.250.158:15767 tcp
PK 59.103.58.172:43106 tcp
NG 105.115.0.67:7975 tcp
RO 95.76.1.91:52076 udp
RU 212.7.252.179:16971 udp
RU 212.7.252.179:53324 udp
RU 212.7.252.179:11227 udp
RU 212.7.252.179:54238 udp
RU 212.7.252.179:37075 udp
RU 212.7.252.179:47327 udp
RU 212.7.252.179:63327 udp
RU 212.7.252.179:10890 udp
RU 212.7.252.179:57499 udp
RU 212.7.252.179:3225 udp
RU 212.7.252.179:6155 udp
RU 212.7.252.179:43289 udp
RU 212.7.252.179:37309 udp
RU 212.7.252.179:6748 udp
RU 212.7.252.179:27627 udp
RU 212.7.252.179:56167 udp
RU 212.7.252.179:36117 udp
RU 212.7.252.179:28691 udp
RU 212.7.252.179:46407 udp
RU 212.7.252.179:39298 udp
RU 212.7.252.179:10814 udp
RU 212.7.252.179:62096 udp
RU 212.7.252.179:63792 udp
RU 212.7.252.179:15879 udp
RU 212.7.252.179:58877 udp
RU 212.7.252.179:16114 udp
RU 212.7.252.179:63573 udp
RU 212.7.252.179:8873 udp
RU 212.7.252.179:63936 udp
RU 212.7.252.179:52960 udp
RU 212.7.252.179:49600 udp
RU 212.7.252.179:6345 udp
RU 212.7.252.179:65287 udp
RU 212.7.252.179:32033 udp
RU 212.7.252.179:46449 udp
RU 212.7.252.179:39542 udp
RU 212.7.252.179:2221 udp
RU 212.7.252.179:58710 udp
PT 109.48.158.244:34403 tcp
NG 102.88.33.109:3448 tcp
EC 157.100.76.105:29737 tcp
US 174.22.219.86:22480 tcp
VE 200.109.3.24:13093 tcp
US 172.111.38.128:18954 tcp
DE 167.86.68.85:24424 tcp
HU 212.102.99.216:21701 tcp
RU 212.7.252.179:56388 udp
RU 212.7.252.179:54243 udp
HU 79.121.41.113:40936 udp
RU 212.7.252.179:27485 udp
RU 212.7.252.179:20424 udp
RU 212.7.252.179:60496 udp
RU 212.7.252.179:46877 udp
RU 212.7.252.179:51937 udp
RU 212.7.252.179:35145 udp
RU 212.7.252.179:19847 udp
RU 212.7.252.179:56079 udp
RU 212.7.252.179:9163 udp
RU 212.7.252.179:63554 udp
RU 212.7.252.179:9523 udp
ID 125.162.215.98:45614 udp
RU 212.7.252.179:42522 udp
RU 212.7.252.179:22816 udp
RU 212.7.252.179:2470 udp
RU 212.7.252.179:6060 udp
RU 212.7.252.179:26782 udp
RU 212.7.252.179:57476 udp
RU 212.7.252.179:52896 udp
RU 212.7.252.179:16989 udp
RU 212.7.252.179:54866 udp
RU 212.7.252.179:6328 udp
RS 87.116.133.156:3763 udp
RU 212.7.252.179:29820 udp
RU 212.7.252.179:30119 udp
RU 212.7.252.179:21356 udp
RU 212.7.252.179:57607 udp
RU 212.7.252.179:43122 udp
RU 212.7.252.179:63427 udp
RU 212.7.252.179:18818 udp
RU 212.7.252.179:54046 udp
RU 212.7.252.179:4003 udp
RU 212.7.252.179:46018 udp
RU 212.7.252.179:48852 udp
GB 89.149.23.59:33031 tcp
NG 102.88.36.50:3448 tcp
US 67.255.11.170:48033 tcp
RU 176.99.159.81:30891 tcp
RU 85.91.96.90:39785 tcp
DE 23.158.56.120:44136 tcp
US 4.1.134.179:32700 tcp
UA 46.119.121.29:8599 tcp
SA 2.89.152.228:65160 tcp
PL 83.9.155.106:48393 tcp
ME 62.4.34.57:47729 tcp
DE 93.245.156.60:61217 tcp
BA 31.223.145.64:27038 tcp
RU 178.76.218.149:35691 tcp
HU 188.143.116.110:42248 tcp
SA 146.251.141.205:40226 tcp
RU 5.141.194.40:12937 tcp
BG 149.62.205.49:61891 tcp
DE 95.111.230.250:22197 tcp
NG 197.210.53.79:41585 tcp
AZ 185.81.85.161:30967 tcp
NL 5.79.80.219:33031 tcp
RO 86.123.174.25:27697 tcp
PK 37.111.189.230:37340 tcp
N/A 100.110.157.89:51435 tcp
NG 197.210.76.84:41585 tcp
ID 202.80.215.244:52345 tcp
FR 128.78.45.183:56655 tcp
GB 217.39.16.118:45095 tcp
SV 190.62.14.199:39293 tcp
ZA 41.246.31.231:38225 tcp
RO 128.127.115.76:4461 tcp
EG 156.203.93.157:39225 tcp
IN 42.104.155.133:15725 tcp
PL 85.221.150.234:63520 tcp
HU 37.76.41.41:27926 tcp
ZA 41.246.31.140:15413 tcp
TR 176.88.31.124:29928 tcp
BG 95.158.157.45:54570 tcp
UA 95.133.52.110:9307 tcp
DE 213.136.74.178:22831 tcp
HU 89.132.118.127:13426 tcp
PH 61.245.29.42:9533 tcp
US 136.33.6.226:2810 tcp
RU 178.216.70.230:24897 tcp
ZA 160.226.243.82:22603 tcp
PL 89.151.33.186:43631 tcp
IT 109.52.206.207:1553 tcp
DE 5.189.140.45:5588 tcp
BG 149.62.205.13:58871 tcp
RW 102.22.142.243:35247 tcp
IL 85.250.105.221:35396 tcp
JM 216.10.214.158:12259 tcp
GB 2.217.12.79:2615 tcp
UA 188.163.4.19:22332 tcp
NG 102.89.41.104:26776 tcp
US 145.14.135.154:63420 tcp
MV 43.231.29.189:21278 tcp
SA 51.36.174.18:42503 tcp
RU 176.214.236.19:51435 udp
UA 91.225.162.111:13204 udp
UA 91.225.162.111:48154 udp
UA 91.225.162.111:11421 udp
UA 91.225.162.111:43286 udp
UA 91.225.162.111:54842 udp
UA 91.225.162.111:34584 udp
UA 91.225.162.111:40185 udp
UA 91.225.162.111:52708 udp
UA 91.225.162.111:61067 udp
UA 91.225.162.111:59899 udp
UA 91.225.162.111:48713 udp
UA 91.225.162.111:45612 udp
UA 91.225.162.111:28473 udp
UA 91.225.162.111:7828 udp
UA 91.225.162.111:53286 udp
UA 91.225.162.111:37605 udp
UA 91.225.162.111:46340 udp
UA 91.225.162.111:59096 udp
UA 91.225.162.111:2965 udp
UA 91.225.162.111:59303 udp
UA 91.225.162.111:15657 udp
PL 78.30.97.126:4511 tcp
EG 102.191.143.69:31053 tcp
BR 45.6.33.159:53734 tcp
UA 91.225.162.111:51139 udp
UA 91.225.162.111:62369 udp
UA 91.225.162.111:33651 udp
UA 91.225.162.111:57131 udp
UA 91.225.162.111:21566 udp
UA 91.225.162.111:50193 udp
UA 91.225.162.111:29127 udp
UA 91.225.162.111:19694 udp
UA 91.225.162.111:34083 udp
UA 91.225.162.111:8444 udp
UA 91.225.162.111:40797 udp
UA 91.225.162.111:37962 udp
UA 91.225.162.111:49778 udp
UA 91.225.162.111:30290 udp
UA 91.225.162.111:43424 udp
UA 91.225.162.111:35827 udp
UA 91.225.162.111:54251 udp
UA 91.225.162.111:49887 udp
UA 91.225.162.111:20361 udp
UA 91.225.162.111:20765 udp
UA 91.225.162.111:37938 udp
UA 91.225.162.111:832 udp
PL 185.235.206.165:43546 udp
UA 91.225.162.111:65315 udp
UA 91.225.162.111:19783 udp
UA 91.225.162.111:38805 udp
UA 91.225.162.111:13872 udp
UA 91.225.162.111:60497 udp
UA 91.225.162.111:15473 udp
UA 91.225.162.111:35587 udp
UA 91.225.162.111:9242 udp
UA 91.225.162.111:15819 udp
UA 91.225.162.111:24504 udp
UA 91.225.162.111:5812 udp
UA 91.225.162.111:1538 udp
UA 91.225.162.111:20177 udp
UA 91.225.162.111:10203 udp
UA 91.225.162.111:4662 udp
UA 91.225.162.111:58076 udp
UA 91.225.162.111:48897 udp
UA 91.225.162.111:10203 udp
UA 91.225.162.111:13762 udp
UA 91.225.162.111:27692 udp
UA 91.225.162.111:50925 udp
UA 91.225.162.111:4818 udp
UA 91.225.162.111:18420 udp
UA 91.225.162.111:54559 udp
UA 91.225.162.111:9220 udp
UA 91.225.162.111:3301 udp
UA 91.225.162.111:2807 udp
UA 91.225.162.111:8148 udp
UA 91.225.162.111:63075 udp
UA 91.225.162.111:45548 udp
UA 91.225.162.111:61119 udp
UA 91.225.162.111:50102 udp
UA 91.225.162.111:59277 udp
UA 91.225.162.111:350 udp
UA 91.225.162.111:46997 udp
UA 91.225.162.111:7977 udp
UA 91.225.162.111:12663 udp
UA 91.225.162.111:58126 udp
UA 91.225.162.111:21619 udp
UA 91.225.162.111:13789 udp
UA 91.225.162.111:16345 udp
UA 91.225.162.111:48393 udp
UA 91.225.162.111:20904 udp
UA 91.225.162.111:24692 udp
UA 91.225.162.111:10939 udp
UA 91.225.162.111:18690 udp
UA 91.225.162.111:10473 udp
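
The flow listing above is a flat "country ip:port proto" dump with no process attribution, so the first thing worth doing with it is to aggregate per destination host and see which peers account for the volume. The following Python is an added example, not part of the report: it parses a subset of the lines copied from the listing (a few of the 91.225.162.111 and 212.7.252.179 UDP flows, the two TCP flows to port 33031, and the 100.110.157.89 flow) and reports per-host port fan-out, ports shared by several hosts, and destinations that are not globally routable. The fan-out threshold of five distinct ports is an assumption chosen to fit the embedded subset; in the full listing 91.225.162.111 is contacted on dozens of ephemeral UDP ports, which is consistent with peer or DHT traffic from the qbittorrent.exe the same run drops, but the listing alone cannot confirm which process generated any given flow.

```python
"""Triage of a sandbox network-flow listing ('<country> <ip>:<port> <proto>' per line).

Added example for this report; the embedded flow lines are a subset copied from the
listing above, not a complete capture.
"""
from collections import defaultdict
import ipaddress
import re

FLOW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}|N/A)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+(?P<proto>tcp|udp)$"
)
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT range

# Subset of the flow lines from the listing above (copied, not constructed).
SAMPLE_FLOWS = """\
RU 212.7.252.179:29820 udp
RU 212.7.252.179:30119 udp
GB 89.149.23.59:33031 tcp
NL 5.79.80.219:33031 tcp
N/A 100.110.157.89:51435 tcp
UA 91.225.162.111:13204 udp
UA 91.225.162.111:48154 udp
UA 91.225.162.111:11421 udp
UA 91.225.162.111:43286 udp
UA 91.225.162.111:10203 udp
UA 91.225.162.111:10203 udp
PL 185.235.206.165:43546 udp
"""


def parse_flows(text):
    """Return a list of (cc, ip, port, proto) tuples; lines that do not fit the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((m["cc"], m["ip"], int(m["port"]), m["proto"]))
    return flows


def summarize_hosts(flows):
    """Per destination IP: country tag, protocols seen, distinct ports, and total flow count."""
    hosts = {}
    for cc, ip, port, proto in flows:
        h = hosts.setdefault(ip, {"cc": cc, "protos": set(), "ports": set(), "flows": 0})
        h["protos"].add(proto)
        h["ports"].add(port)
        h["flows"] += 1
    return hosts


def high_fanout(hosts, min_ports=5):
    """IPs contacted on at least min_ports distinct ports, most ports first (threshold is an assumption)."""
    hits = [(ip, len(h["ports"])) for ip, h in hosts.items() if len(h["ports"]) >= min_ports]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def shared_ports(flows):
    """Ports on which more than one distinct destination IP was contacted."""
    by_port = defaultdict(set)
    for _, ip, port, _ in flows:
        by_port[port].add(ip)
    return {p: sorted(ips) for p, ips in by_port.items() if len(ips) > 1}


def non_global_destinations(flows):
    """Destinations that are private, loopback, link-local, or in the CGNAT shared range."""
    out = set()
    for _, ip, _, _ in flows:
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local or addr in SHARED_SPACE:
            out.add(ip)
    return sorted(out)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hosts = summarize_hosts(flows)
    for ip, n in high_fanout(hosts):
        h = hosts[ip]
        print(f"{ip} ({h['cc']}): {n} distinct ports, {h['flows']} flows, {sorted(h['protos'])}")
    print("ports shared across hosts:", shared_ports(flows))
    print("non-global destinations:", non_global_destinations(flows))
```

Run against the full listing, the same functions separate the one high-fan-out UDP peer from the long tail of single-port TCP connections, and they surface the 100.110.157.89 destination, which carries no country tag because it sits in the 100.64.0.0/10 shared address space and is therefore not reachable from the public internet.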

Files

memory/2948-1-0x0000000000400000-0x00000000004CC000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-OCICI.tmp\Lost in the World of Succubi_e8-w8e1.tmp

MD5 392188858aab78d544835de0fe665a04
SHA1 e2c06e4d926bbecee75887c83b5a9e732b0103b8
SHA256 eaa483432e2cae37fcf1350c160b848948f8e512ed085fab67d901bfcd8d5d07
SHA512 0d0d1d1196d705af2a755d054372b45e8540edeb201d2b9ac2d48a08240399314130f3e78e7e962ce708d3da90ed933fa848023f7db9ecaf7fc6ec7979cb05a5

memory/2896-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2948-10-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2896-15-0x0000000000400000-0x00000000006EE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\zbShieldUtils.dll

MD5 c79e3df659cdee033a447a8f372760ce
SHA1 f402273e29a6fa39572163e4595e72bde3d9330a
SHA256 7d09715c4e0735a0832bf81d92d84600df1815a2ba451586bd25eb16f7c450a5
SHA512 490cc30ccfac209f1f5332ce4168b0dc849d7e4d86f3c198ddd23b39ddc950001928a1e071c2ace74c4710508265c0872adb02e3f068e521d28ed8b19ea36492

C:\Users\Admin\AppData\Local\Temp\Cab7ABD.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar7AFF.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb07809dcab0eaa99d801991d9437de3
SHA1 2296af3ba28318e319bd058065546c02826a1b51
SHA256 e489d9f296a603ab98ad17f6ba4323dd773aec1f45c07a66a4c4aeba4bb51eee
SHA512 a48563430d5fee0bac51370863af395d7f5e6a9fa02a4e95dfd79049314297f2fec3fa19f3f253fdc273ec05ff526d1383959a65dfafcd64da35d39eed0667cc

memory/2896-134-0x0000000000400000-0x00000000006EE000-memory.dmp

memory/2896-137-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2896-141-0x0000000000400000-0x00000000006EE000-memory.dmp

memory/2896-145-0x0000000000400000-0x00000000006EE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\botva2.dll

MD5 67965a5957a61867d661f05ae1f4773e
SHA1 f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512 c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

memory/2896-158-0x0000000002120000-0x000000000212F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\AVG_AV.png

MD5 5ef5291810c454a35f76d976105f37cc
SHA1 8ce0cc65ae1786cef1c545d40d081eda13239fa6
SHA256 03e69e8c87732c625df2f628ac63bd145268f9dea9c5f3dd3670b1cf349a995c
SHA512 3bec461bb3cbbbdb3c05171fcc5ab7e648b2b60d7b811261662f14d35c3836148b14cda1a3f2be127c89cc732de8cf1644d2e55e049eeeb2da8e397c58cc919e

memory/2896-165-0x0000000000400000-0x00000000006EE000-memory.dmp

memory/2896-166-0x0000000002120000-0x000000000212F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\finish.png

MD5 7afaf9e0e99fd80fa1023a77524f5587
SHA1 e20c9c27691810b388c73d2ca3e67e109c2b69b6
SHA256 760b70612bb9bd967c2d15a5133a50ccce8c0bd46a6464d76875298dcc45dea0
SHA512 a090626e7b7f67fb5aa207aae0cf65c3a27e1b85e22c9728eee7475bd9bb7375ca93baaecc662473f9a427b4f505d55f2c61ba36bda460e4e6947fe22eedb044

\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe

MD5 0dbb91794caab7f8a4149746f30b8226
SHA1 0d6627779baa5e247ec6fba4450b5aa3108d99c3
SHA256 d7bccbb4223e469ed94776a336ec777b0ec366fac5c5248a5ed311dbd4d26c64
SHA512 28ae3e1553b04b5815eb0325a02b30ed5ea032b6909b3b37b84180ae8b19f6d46943e0ce045e44a25b5b1ea9c19c1338f2a688fd6ca719d7cca2bfd2f80e0cde

C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe

MD5 0359bb9304cd1255be588dfebfc2ef11
SHA1 d0b205a3d876d8e74e27051e89ff8b7075e202a3
SHA256 927d000a3a54fcb100345690d3f68f40d021c6d12d02c9b7c2cab5adb815cf3e
SHA512 21478da87531ae4934ff6995d91416eb5a23d96f99e2e11a40120a7f004713e7d052f9198d60d4180c7636c88515aca84362aa2b16d177f148bdb78a813de77b

memory/608-183-0x00000000001A0000-0x00000000001B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe

MD5 fb6a50e02daf6c781d601cd4f11a3bbb
SHA1 c1c06d64f476c04510d2cd0afd3a12a2d8ad3871
SHA256 69229ea1bbb20ea7181e6e1febd54790bf21467a27df360b30547a655b6d494a
SHA512 d9b6775c6dee41ee58fb447a9b1e0ee0a328b87b842ff9956a8474f642fc2bcffc8d1ef33af966fdde679f492fc0d27bf5a392bfef03ecc280f1aa591635578b

memory/608-185-0x00000000001B0000-0x00000000001BA000-memory.dmp

memory/608-186-0x00000000001B0000-0x00000000001BA000-memory.dmp

memory/2896-189-0x0000000000400000-0x00000000006EE000-memory.dmp

memory/2948-191-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\qBittorrent\watched_folders.json

MD5 5b76b0eef9af8a2300673e0553f609f9
SHA1 0b56d40c0630a74abec5398e01c6cd83263feddc
SHA256 d914176fd50bd7f565700006a31aa97b79d3ad17cee20c8e5ff2061d5cb74817
SHA512 cf06a50de1bf63b7052c19ad53766fa0d99a4d88db76a7cbc672e33276e3d423e4c5f5cb4a8ae188c5c0e17d93bb740eaab6f25753f0d26501c5f84aeded075d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db4350ca8802703b4b68bff706f9f5bc
SHA1 2119300fd09b412aefc5ca473d9e8a7734c92ba2
SHA256 715212748babd4f9dc1fca7dde8f910dd70094ae328b802978450480ef9efda7
SHA512 c8ce2e0d826b9455d741e6d67414fe9271fbba5817aea4daec81d4f8f758757d38b5e9005bb9a3cb1ae2a8b9aacb0a8ca1aaf1ebd787c5b708daccc35922975f

memory/608-236-0x00000000001B0000-0x00000000001BA000-memory.dmp

memory/608-237-0x00000000001B0000-0x00000000001BA000-memory.dmp

C:\Users\Admin\Downloads\Purble place\purble_place.zip

MD5 2dee83cdac14d0ddd959bc2b649b1266
SHA1 8f1b70a77343ab96abeb442d5bd249dfb1fb06b7
SHA256 fa80f8a2dd7c94e3d79f7b898964aafd55603bd9676214f65af6d994ea4ff951
SHA512 2e571c06134f528eca9e57b0618de45eaf88c7c7cf722f5e5e7885ab7acb68a267006d1e416ef7e0537ed5f700517412152232bb6be4495f85bdaef596a77450

C:\Users\Admin\Downloads\Purble place\purble_place.zip

MD5 25f423e6f34094be52aa38db3903c5db
SHA1 2126d7af016be0b3f9e8b1a1cf010075641f1229
SHA256 103fde1b502e8e8978780a2a535434ebcce253ebc183b7111c7502ba85e7fecb
SHA512 330c00a643e4e833199ba1d1e42a24a85db7c6d28f431d2022f24e0bde148ab86ee5c88258d38691471ce0d0472f0e0856948a113bc42a7eff23bfa22a636b31

C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent_new.ini

MD5 eff130c6bcf4608c2ca94f436ebcc748
SHA1 044fe240414d071e45eeae6227f5379f44f7bf84
SHA256 ba0e6af739d8c55a57d35bae89250e68686198762817498839e1be47b31bb9bf
SHA512 181f86127e253b9b3b53dd68fa6bee1e731b0e95f8d37f0024f8dee9006cf048b532c93bd84da67dbd92c16a78e1c956ca67987d4e95ee20f893d083d7fec3c1

C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent.ini

MD5 df23cc2f6ce018627abf87f3e022970b
SHA1 38327c60b3e7ad2e10f80b00ebd5f8294346f606
SHA256 a5a25b95446f5427e21adaf5d42206bc120c10507f65530bcc5187308e9a32dd
SHA512 d36340b91106d5fddb7eba13348fc9febb4849b9790c91363998b7e7d224a30e303a6b7a6dbce492cc799181d75ad32fb713c138e84c00376adb988cac0915a0
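
Two things in the file listing above are easy to miss when reading it by eye: the same path can appear several times with different hashes (qbittorrent.exe is recorded three times under is-R30BU.tmp, once with a bare "\Users" prefix and twice with "C:\Users", each with a different SHA256, which means the file was written or rewritten more than once during the run), and the memory/ entries encode the PID and address range of each dump, from which the size of the dumped image follows directly. The following Python is an added example, not part of the report: it parses a subset of the entries copied from the listing (the qbittorrent.exe records, the qBittorrent.ini record, and three memory dumps; SHA1 and SHA512 lines were left out of the subset but the parser accepts them), normalises the path so the two prefix forms compare equal, and reports rewritten paths and per-PID dump ranges.

```python
"""Parser for the sandbox file listing above: path lines followed by 'ALGO hexdigest' lines,
interleaved with 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' entries.

Added example for this report; the embedded records are a subset copied from the listing.
"""
import re
from collections import defaultdict

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Subset of the listing above (copied, not constructed); SHA1/SHA512 lines omitted for brevity.
SAMPLE_FILES = r"""
memory/2948-1-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2896-15-0x0000000000400000-0x00000000006EE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe

MD5 0dbb91794caab7f8a4149746f30b8226
SHA256 d7bccbb4223e469ed94776a336ec777b0ec366fac5c5248a5ed311dbd4d26c64

C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe

MD5 0359bb9304cd1255be588dfebfc2ef11
SHA256 927d000a3a54fcb100345690d3f68f40d021c6d12d02c9b7c2cab5adb815cf3e

C:\Users\Admin\AppData\Local\Temp\is-R30BU.tmp\qbittorrent.exe

MD5 fb6a50e02daf6c781d601cd4f11a3bbb
SHA256 69229ea1bbb20ea7181e6e1febd54790bf21467a27df360b30547a655b6d494a

memory/2948-191-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Roaming\qBittorrent\qBittorrent.ini

MD5 df23cc2f6ce018627abf87f3e022970b
SHA256 a5a25b95446f5427e21adaf5d42206bc120c10507f65530bcc5187308e9a32dd
"""


def normalize_path(path):
    """Drop an optional drive letter and fold case so 'C:\\Users\\x' and '\\Users\\x' compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_listing(text):
    """Return (files, dumps). files: dicts with path, norm, hashes; dumps: dicts with pid, seq, start, end, size."""
    files, dumps = [], []
    current = None  # the file record that following hash lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current["hashes"][h.group(1)] = h.group(2).lower()
            continue
        current = {"path": line, "norm": normalize_path(line), "hashes": {}}
        files.append(current)
    return files, dumps


def rewritten_paths(files, algo="SHA256"):
    """Paths recorded more than once with different content, i.e. written repeatedly during the run."""
    seen = defaultdict(set)
    for f in files:
        if algo in f["hashes"]:
            seen[f["norm"]].add(f["hashes"][algo])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def dump_ranges_by_pid(dumps):
    """Distinct (start, end, size) regions dumped for each PID; repeated dumps of one region collapse."""
    out = defaultdict(set)
    for d in dumps:
        out[d["pid"]].add((d["start"], d["end"], d["size"]))
    return {pid: sorted(r) for pid, r in out.items()}


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_FILES)
    for path, hashes in rewritten_paths(files).items():
        print(f"{path}: {len(hashes)} distinct SHA256 values")
    for pid, ranges in dump_ranges_by_pid(dumps).items():
        for start, end, size in ranges:
            print(f"pid {pid}: 0x{start:X}-0x{end:X} ({size} bytes)")
```

The path normalisation matters because the listing mixes "\Users\..." and "C:\Users\..." forms for what is evidently the same file; without it the three qbittorrent.exe records look like two paths rather than one path written three times. The dump ranges for PIDs 2948 and 2896 both start at 0x400000, the default image base of a 32-bit executable, so the dumped sizes (0xCC000 and 0x2EE000 bytes) are the sizes of the two mapped images, which is what to compare against the on-disk files when checking for in-memory unpacking.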

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 20:59

Reported

2024-02-24 21:02

Platform

win10v2004-20240221-en

Max time kernel

83s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Creates new service(s)

persistence

Reads user/profile data of web browsers

spyware stealer

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\McAfee\Temp3109378843\resource.dll C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\kn.pak C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\McAfee\Temp3109378843\jslang\wa-res-install-da-DK.js C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-ss-toast-variants-bg.png C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-it-IT.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\securesearchhandler.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-nb-NO.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\wa-uninstall.css C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\blockpage.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\registry.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\McAfee\Temp3109378843\jslang\wa-res-install-fi-FI.js C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-ui-checklist.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-pt-BR.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File opened for modification C:\Program Files\McAfee\Webadvisor\Analytics\operations.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-en-US.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File opened for modification C:\Program Files\McAfee\Temp3109378843\jslang\wa-res-install-cs-CZ.js C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\dailyping.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\searchsuggestcounter.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fa.pak C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\McAfee\Temp3109378843\icon_laptop.png C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\providers_selector.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-sk-SK.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-es-ES.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-amazon-upsell.html C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-pt-PT.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File opened for modification C:\Program Files\McAfee\Temp3109378843\taskmanager.cab C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\event_handler.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pl.pak C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-da-DK.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\tests\score\wa-score-toast-h.html C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-sk-SK.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wpssetting.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-es-MX.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logicmodule.dll C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\hashedmachineid.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File opened for modification C:\Program Files\McAfee\Temp3109378843\jslang\wa-res-install-es-MX.js C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\Temp3109378843\jslang\eula-it-IT.txt C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\jquery-1.9.0.min.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_logo.png C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-sr-Latn-CS.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\common.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\mcutil.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-pt-BR.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-ru-RU.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-zh-TW.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\newtabcounter.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-ko-KR.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\Temp3109378843\jslang\wa-res-install-cs-CZ.js C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\core\uihandler.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-pt-BR.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\settings-icon-selected.png C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-sv-SE.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-sstoast-toggle.html C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\samrecoverable.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File opened for modification C:\Program Files\McAfee\Temp3109378843\jslang\eula-hu-HU.txt C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\Temp3109378843\wa_logo2.png C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\auxiliary\reset_handler.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\webadvisor.mcafee.chrome.extension.json C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_score_toast_increase_bg_left.png C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File created C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\csp_client.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File opened for modification C:\Program Files\McAfee\Webadvisor\Analytics\logging.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-ko-KR.js C:\Program Files\McAfee\Temp3109378843\installer.exe N/A
File opened for modification C:\Program Files\McAfee\Webadvisor\Analytics\dataset_da.js C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\samrecoverable.luc C:\Program Files\McAfee\Temp3109378843\installer.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nfljdmkq.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\System32\grpconv.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SYSTEM32\regsvr32.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A

Registers COM server for autorun

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 C:\Windows\System32\grpconv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll" C:\Windows\System32\grpconv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\grpconv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
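
The "Registers COM server for autorun" signature fires on any InprocServer32 write under HKLM\SOFTWARE\Classes\CLSID, so the table above needs a second look before it is read as implant persistence: both CLSIDs point at DLLs under C:\Program Files\McAfee\WebAdvisor\x64, and the writing processes are regsvr32.exe and grpconv.exe, Windows binaries that the "Loads dropped DLL" table also shows loading dropped DLLs. Process identity alone therefore does not tell the bundled WebAdvisor components apart from anything the RAT might register; the server DLL path does. The following Python is an added example, not part of the report: it parses the six event lines copied from the table, builds one record per CLSID (server path, ThreadingModel, writing processes), and flags registrations whose server lives outside an assumed allow-list of install directories. The allow-list is an assumption for illustration, not a rule the sandbox applies.

```python
"""Triage of 'Registers COM server for autorun' events from the sandbox report.

Added example for this report; the embedded event lines are copied from the table above.
The trusted-directory list is an assumption for illustration.
"""
import re

SET_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+) = "(?P<value>[^"]*)" (?P<proc>.+?) N/A$')
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\\S+) (?P<proc>.+?) N/A$')
CLSID_RE = re.compile(
    r'\\Classes\\CLSID\\\{(?P<clsid>[0-9A-Fa-f-]{36})\}\\InprocServer32\\?(?P<name>[^\\]*)$',
    re.IGNORECASE,
)

# Event lines copied from the table above. The report writes registry string values with
# doubled backslashes, which parse_com_registrations() collapses.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 C:\Windows\System32\grpconv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll" C:\Windows\System32\grpconv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\grpconv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
"""

# Assumed allow-list of directories an installed COM server is expected to live in.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_com_registrations(text):
    """Collect InprocServer32 writes per CLSID: server DLL, ThreadingModel, and writing processes."""
    regs = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line) or KEY_RE.match(line)
        if not m:
            continue
        c = CLSID_RE.search(m["key"])
        if not c:
            continue
        clsid = c["clsid"].lower()
        entry = regs.setdefault(clsid, {"server": None, "threading": None, "processes": set()})
        entry["processes"].add(m["proc"])
        value = m.groupdict().get("value")
        if value is None:  # 'Key created' events carry no value
            continue
        value = value.replace("\\\\", "\\")  # undo the report's backslash doubling
        name = c["name"].lower()
        if name == "":  # the (Default) value of InprocServer32 is the server DLL path
            entry["server"] = value
        elif name == "threadingmodel":
            entry["threading"] = value
    return regs


def servers_outside_trusted_dirs(regs, trusted=TRUSTED_PREFIXES):
    """(clsid, server) pairs whose in-process server is outside the assumed install directories."""
    out = []
    for clsid, e in regs.items():
        server = (e["server"] or "").lower()
        if server and not server.startswith(trusted):
            out.append((clsid, e["server"]))
    return sorted(out)


if __name__ == "__main__":
    regs = parse_com_registrations(SAMPLE_EVENTS)
    for clsid, e in regs.items():
        print(f"{{{clsid}}} -> {e['server']} [{e['threading']}] written by {sorted(e['processes'])}")
    print("servers outside trusted directories:", servers_outside_trusted_dirs(regs))
```

On the report's own events the check returns nothing, which is the point: these two registrations are the WebAdvisor bundle's DownloadScan.dll and WSSDep.dll under Program Files. A registration whose InprocServer32 points into a user-writable location such as AppData is what the check is meant to surface, and that is the case to pivot on when the same signature appears in another run.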

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll" C:\Windows\System32\grpconv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\DownloadScan.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 C:\Windows\System32\grpconv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\System32\grpconv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA} C:\Windows\System32\grpconv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration" C:\Windows\System32\grpconv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories C:\Windows\SYSTEM32\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\qbittorrent.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe N/A
N/A N/A C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\UIHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\qbittorrent.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp
PID 1616 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp
PID 1616 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp
PID 772 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod0.exe
PID 772 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod0.exe
PID 772 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe
PID 772 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe
PID 772 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe
PID 5024 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod0.exe C:\Users\Admin\AppData\Local\Temp\nfljdmkq.exe
PID 5024 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod0.exe C:\Users\Admin\AppData\Local\Temp\nfljdmkq.exe
PID 5024 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod0.exe C:\Users\Admin\AppData\Local\Temp\nfljdmkq.exe
PID 4156 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\nfljdmkq.exe C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe
PID 4156 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\nfljdmkq.exe C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe
PID 2768 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
PID 2768 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
PID 2768 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
PID 772 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp C:\Windows\SysWOW64\netsh.exe
PID 772 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp C:\Windows\SysWOW64\netsh.exe
PID 772 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp C:\Windows\SysWOW64\netsh.exe
PID 1808 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe C:\Windows\System32\Conhost.exe
PID 1808 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe C:\Windows\System32\Conhost.exe
PID 2556 wrote to memory of 232 N/A C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
PID 2556 wrote to memory of 232 N/A C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
PID 232 wrote to memory of 4648 N/A C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe C:\Program Files\McAfee\Temp3109378843\installer.exe
PID 232 wrote to memory of 4648 N/A C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe C:\Program Files\McAfee\Temp3109378843\installer.exe
PID 4648 wrote to memory of 1640 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\sc.exe
PID 4648 wrote to memory of 1640 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\sc.exe
PID 4648 wrote to memory of 3076 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4648 wrote to memory of 3076 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4648 wrote to memory of 1684 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\sc.exe
PID 4648 wrote to memory of 1684 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\sc.exe
PID 4648 wrote to memory of 5080 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\sc.exe
PID 4648 wrote to memory of 5080 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\sc.exe
PID 3076 wrote to memory of 3740 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3076 wrote to memory of 3740 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3076 wrote to memory of 3740 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4648 wrote to memory of 4088 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\System32\grpconv.exe
PID 4648 wrote to memory of 4088 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\System32\grpconv.exe
PID 4648 wrote to memory of 3092 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4648 wrote to memory of 3092 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4648 wrote to memory of 3732 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\system32\WerFault.exe
PID 4648 wrote to memory of 3732 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\system32\WerFault.exe
PID 3092 wrote to memory of 4548 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3092 wrote to memory of 4548 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3092 wrote to memory of 4548 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4648 wrote to memory of 4652 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4648 wrote to memory of 4652 N/A C:\Program Files\McAfee\Temp3109378843\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 3080 wrote to memory of 3108 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Program Files\McAfee\WebAdvisor\UIHost.exe
PID 3080 wrote to memory of 3108 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Program Files\McAfee\WebAdvisor\UIHost.exe
PID 772 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\qbittorrent.exe
PID 772 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\qbittorrent.exe
PID 772 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\qbittorrent.exe
PID 2524 wrote to memory of 3648 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Program Files\McAfee\WebAdvisor\UIHost.exe
PID 2524 wrote to memory of 3648 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Program Files\McAfee\WebAdvisor\UIHost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe

"C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe"

C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AV4JR.tmp\Lost in the World of Succubi_e8-w8e1.tmp" /SL5="$E0060,13603942,780800,C:\Users\Admin\AppData\Local\Temp\Lost in the World of Succubi_e8-w8e1.exe"

C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod0.exe

"C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod0.exe" -ip:"dui=721196e6-b31c-4e5d-b8d6-136c757b28ae&dit=20240224210008&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=d267&a=100&b=op&se=true" -vp:"dui=721196e6-b31c-4e5d-b8d6-136c757b28ae&dit=20240224210008&oc=ZB_RAV_Cross_Tri_NCB&p=d267&a=100&oip=26&ptl=7&dta=true" -dp:"dui=721196e6-b31c-4e5d-b8d6-136c757b28ae&dit=20240224210008&oc=ZB_RAV_Cross_Tri_NCB&p=d267&a=100" -i -v -d -se=true

C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe

"C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB

C:\Users\Admin\AppData\Local\Temp\nfljdmkq.exe

"C:\Users\Admin\AppData\Local\Temp\nfljdmkq.exe" /silent

C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe

"C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\nfljdmkq.exe" /silent

C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe

"C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91082 PaidDistribution=true saBsiVersion=4.1.1.818 CountryCode=GB /no_self_update

C:\Windows\SysWOW64\netsh.exe

"netsh" firewall add allowedprogramC:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\qbittorrent.exe "qBittorrent" ENABLE

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10

C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe

"C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Program Files\McAfee\Temp3109378843\installer.exe

"C:\Program Files\McAfee\Temp3109378843\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Windows\SYSTEM32\sc.exe

sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\sc.exe

sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"

C:\Windows\SYSTEM32\sc.exe

sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"

C:\Windows\SYSTEM32\sc.exe

sc.exe start "McAfee WebAdvisor"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 524 -p 3208 -ip 3208

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\qbittorrent.exe

"C:\Users\Admin\AppData\Local\Temp\is-M0H9T.tmp\qbittorrent.exe" magnet:?xt=urn:btih:BFF18AF5608F9196CF05BF0C1F0B54A18C3F0A77

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml

C:\Windows\SYSTEM32\fltmc.exe

"fltmc.exe" load rsKernelEngine

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"

C:\Users\Admin\AppData\Local\Temp\q0psexkw.exe

"C:\Users\Admin\AppData\Local\Temp\q0psexkw.exe" /silent

C:\Users\Admin\AppData\Local\Temp\nsz72D7.tmp\RAVVPN-installer.exe

"C:\Users\Admin\AppData\Local\Temp\nsz72D7.tmp\RAVVPN-installer.exe" "C:\Users\Admin\AppData\Local\Temp\q0psexkw.exe" /silent

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe

"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe

"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe

"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe

"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"

\??\c:\program files\reasonlabs\epp\rsHelper.exe

"c:\program files\reasonlabs\epp\rsHelper.exe"

Network


Files


C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 d05ad1ceb68bcaf37ea38c0ceb5f4809
SHA1 ca4222de70944d420da82100c09511df987b066b
SHA256 c242f8bde09411ee9036a13b0365d1371ab924d448199e72bef2d4b1a8528926
SHA512 b4d32db01cdc083950afdbe0ef95282b058b91ac539259e14363a4605ba70d2a3ef7bcb0561cd696e5416b62b64c97a9cf09a206049e1d8cbc5a1dae32edb915

C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

MD5 f2f3930d3f8b76171f815c5b871d2769
SHA1 9df00d003302671aa880e6798ab75cf49405b106
SHA256 0324ce74ddfc6ae295040db11e8f58d9f5d0d9e18ffb62e3a01fbe225dd8cc62
SHA512 988e630993f14b39409180edf25afa46e0577dcbb9b476418337e8a6f8ce0ab3f539da8da866eac8a69386c6174ab21977bcb3b1029e0631355f883c89059a49

C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

MD5 eb105c0885ee2e4b9e2734f6f7284019
SHA1 327479f7820d19e6c236dc11f8707efd0d6bf6e2
SHA256 350bf925609830e683e5007dbe8feb4000a0c32a2b991798dc6b84608a2a8e89
SHA512 7e6805c2aabb1b1b8768eaf2c816dadbe78878249ea66eb89dd595fd9119ed0f8926213aa51028337fd1674aee532de301877458b5c7d9c0a2271c32a48ac611

memory/1808-2121-0x00007FFD0A720000-0x00007FFD0B1E1000-memory.dmp

memory/2240-2201-0x00000000060C0000-0x00000000060D0000-memory.dmp

memory/1808-2295-0x00000163326E0000-0x00000163326F0000-memory.dmp

memory/1616-2309-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 09dad97d4145ac5469c3df3d1f60471c
SHA1 a91b6bc1d498f2269f08a4d63b8d03113cbcc3e0
SHA256 29371abcf95f7cc8b90dd988aa20f744ea4f40e80180cbd110b1c6e6e8cdb5ab
SHA512 177f279dcbcbd92c588cce82a15d9b7662d3a60eb612bb5220a524bf8d268e968a139ca04bff1e87766aa60c35692aed3145ef941d7a997679389bfba8ffbf90

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 7ecc0ae448d12474e7a54a43c9a4e435
SHA1 f306b97cedf20ca17e4d120d247e03901c1e11a4
SHA256 9fa69ce76dcf803abbb46cc8991ef856b16a8daade0d4d16f0a52db4083d5b14
SHA512 e8030f7c6a05e6a82bb2a145972c3fa91ee3a0286e343365179e2db9fd34821552baef09fdca6b53ae71e1680f4ef3dd291e33c4389f554ada048df2db749c03

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 aae65c65481132710bbabdf95463134a
SHA1 57a871669a270f0e5e4adca8633e0aaa2b07f249
SHA256 893344f042e14b8b06f0cca33810213e06e61bf89cc4a02b460e3a7631c553b7
SHA512 87bce9cce88b81578fe2a15d8f1899816127f1b10e68130060eb1a22c7e8bc7677c3a7a3875887fe2f62cca63ebf05da28881df7405a5be483175c47a2277b38

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 25abcfce1cf75d55d09874d603ba4d70
SHA1 8bb94db58dd2ba8addf738b8afe40ab6e1f05a8c
SHA256 3ca28f5bc60e25e6e61afc66fa6d20c6ac3cd3f84ddd4c021a9f8b2909f52813
SHA512 0269545bf15d2a0c3c89ffae57ed177c69366db67119cf8d0d16de7eb70c098fb8b4cc54662db5bdef065f4a7f090b1f7b335b27bb57a2e807babc666f0640e7

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 8a087a33a65306989ca394a9685f0ff5
SHA1 a281dcca1957b4ced05834f9cb1872d112b0c411
SHA256 b03ff7005464abd35490b96e3d93b53f909bd8888f089701d85f861ad498420a
SHA512 2cfd3e58733e960b6e9200ad31a79b6fe2f6e194dcffd8fa18c75102309fa2c7127f10f5dcaf8ce536b871133dd4bcbc891c17212bf577efba574185599b30a7

C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

MD5 3b84cc4a0460c1bd403c4067350fc69c
SHA1 656770d1c37e143b76c150706c98e43f41e6c86c
SHA256 efd8a43905eebd1ec1cef5cb912a436701ad8e4d43e1f76970c5f1c83982987a
SHA512 1907d9f13ecb137fb021391ecfe65a231e68308332df544a3f6c13a6be953ab9711b983704aa3ee07826c7720a76bd07ba82070e681548298d166a19754e4bb8

C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

MD5 d402ca161f9047ba9e4047496edc491c
SHA1 37f69c2de4c442488f4084ccce26b26ae8f23a6c
SHA256 0c17047bf5f7ad5686214c8044c459673edd5f3e2a3e418782ba5cdd8f97cecf
SHA512 5bff1a4fbfaf2504836e803b2a9a460625c26383e36d63590aafc3a937e669725dae5dcff007f269ae405ad81abd1f306c96115e58dba934b2770c6d40f21e40

C:\Program Files\ReasonLabs\EPP\mc.dll

MD5 f1d5c1053f1efc2201300c1b7f730f6f
SHA1 330361ddd40c41349e5478684871601cb9ebc886
SHA256 06970532b156584c403766c4c6d6769f13d4b0e3f35633873c3aa8c3aa6d1fce
SHA512 dedf3843a565d60c20d1611ec71b1cace2125cedc2a366feafffed4a12889575863ae21f6a7c11e5e979d300fbccc0172d703a47b8d8149f4eaefb7bedcaa558

C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

MD5 d0098b446cfd5e7320dab7acf2b28804
SHA1 f108ebb75b1e107f0a44219a0ff11e9c51b9f0d3
SHA256 01cecbe3c9df25343f01e096db35d6727f784fda9ee1b598d3b9caa8159ec074
SHA512 a6389168892e255c16d8fcc14872f805ff5e49b550840c119c025a9a22f406649a2f70e067fbe4a9e3ddb65ada5f707827c0f2ee6bb956320384849a528a3434

memory/1808-2842-0x0000016332AB0000-0x0000016332B00000-memory.dmp

memory/1808-3449-0x00000163326C0000-0x00000163326C1000-memory.dmp

memory/1808-3466-0x0000016332B00000-0x0000016332B3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\7e88a549\b908e69c_6467da01\rsJSON.DLL

MD5 1f2c8961bcf9a47e491e3163e69fd8d7
SHA1 d1afdf1c05c41c6a4373e6b078519150d6681193
SHA256 3e3b1c6ccdb7fe88fb194c93a3780fc8791d824456b03fda798df7c7dfdd19e8
SHA512 f1b0083734d632429ce2142b2cc5176766fdee17b44a3aeca921a403ef11fda13257f33bfae8c595672508a702c724d638b0e54dee9db4d5283f8e5d4e562cc9

memory/1808-3484-0x0000016332A40000-0x0000016332A41000-memory.dmp

memory/1808-3498-0x0000016332B80000-0x0000016332BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\fddbbf99\2257e69c_6467da01\rsLogger.DLL

MD5 40c1ebdaaad9cafbb5d0a6b44d9d5ed3
SHA1 eed474d761bad1c5b4f034583e977891fbf1d2d0
SHA256 97b1d1cba72fe3f8ea3213818e60be29f9b821faed6de08b0364e4c4faaba673
SHA512 15255d7458c19b940bb47db3e18003310b4ccd784d65a5beb41efa15dc9372e3711d33763c2e71ad85a1260e87fc8a2af27acdfa20b30662c237eb2c4d80a03b

memory/1808-3519-0x00000163326D0000-0x00000163326D1000-memory.dmp

memory/1808-3550-0x0000016332BE0000-0x0000016332C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\9951e96b\cb63d79c_6467da01\rsAtom.DLL

MD5 6a2b63ae38acdb4f61deb62f46f4369e
SHA1 d4747d8a07da4b3ff816cf1cfe9145a4a346e461
SHA256 357168503a29efb026299edf75244e7d351fc242c395ee287c8bbb921e3985bb
SHA512 3de45dbe81adbfc7924c01f7d6edd2f1cd55f3f61cb7966f7161d9f9c0158e194fd54b8ac34f03c5238ef50425ebe458e2635d28d63417fbc539c37fa74d7c92

memory/1808-3578-0x0000016332A30000-0x0000016332A31000-memory.dmp

memory/1808-3579-0x00000163326E0000-0x00000163326F0000-memory.dmp

memory/1808-3630-0x0000016332CC0000-0x0000016332CEE000-memory.dmp

C:\ProgramData\EPPBackup\rsEngine.config.backup

MD5 f64fac48dc7930a27d6c6cd47600edae
SHA1 9fe7d5aaecc51e29599adfc8e50c05642084c924
SHA256 028d66176c993fd94178b82a5bbc954837f333a64db626cebc72e7ea8fa817e8
SHA512 19ff3c2b0348fe232bf6d4dbc6caa0a94f0fb223c2686fff85c0a0b914497c577bf9f274c37eafcd5437bcf9f88d1ea5ed0488bae60ee6fe6bdc643bbb4b8554

C:\Users\Admin\AppData\Local\Temp\nsn583F.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\e91c3c79\d7cbe69c_6467da01\rsServiceController.DLL

MD5 76ce8938c606231d04dee716cd8821bb
SHA1 aa1875e39cb644e399afb00cbda3579b53b41e1d
SHA256 c551260bb657c15f87cfc5b001b5570a45a1c7279928032de6e5902705410c7b
SHA512 92b8e397beb759674a96589e1fc385f9671a7ce3a538ab565da2198eab4d2e05dcc3c5eedf98b9a2214a296e502b2fe16ea196f5aafa77b816e209b431e9199f

memory/1808-3650-0x0000016332A50000-0x0000016332A51000-memory.dmp

C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

MD5 8129c96d6ebdaebbe771ee034555bf8f
SHA1 9b41fb541a273086d3eef0ba4149f88022efbaff
SHA256 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51
SHA512 ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

memory/224-3785-0x000001EED1600000-0x000001EED162E000-memory.dmp

memory/224-3791-0x00007FFD0A720000-0x00007FFD0B1E1000-memory.dmp

memory/224-3797-0x000001EEEBA50000-0x000001EEEBA60000-memory.dmp

memory/224-3803-0x000001EED3180000-0x000001EED3181000-memory.dmp

memory/224-3804-0x000001EED1600000-0x000001EED162E000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 1264314190d1e81276dde796c5a3537c
SHA1 ab1c69efd9358b161ec31d7701d26c39ee708d57
SHA256 8341a3cae0acb500b9f494bdec870cb8eb8e915174370d41c57dcdae622342c5
SHA512 a3f36574dce70997943d93a8d5bebe1b44be7b4aae05ed5a791aee8c3aab908c2eca3275f7ce636a230a585d40896dc637be1fb597b10380d0c258afe4e720e9

memory/224-3832-0x000001EEEB9C0000-0x000001EEEB9D2000-memory.dmp

memory/224-3837-0x000001EEEBA60000-0x000001EEEBA9C000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 43fbbd79c6a85b1dfb782c199ff1f0e7
SHA1 cad46a3de56cd064e32b79c07ced5abec6bc1543
SHA256 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0
SHA512 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

memory/224-3913-0x00007FFD0A720000-0x00007FFD0B1E1000-memory.dmp

memory/4904-3929-0x00007FFD0A720000-0x00007FFD0B1E1000-memory.dmp

memory/4904-3975-0x000001BFB9490000-0x000001BFB97F6000-memory.dmp

memory/4904-3982-0x000001BFA03C0000-0x000001BFA03C1000-memory.dmp

memory/4904-3981-0x000001BFB9280000-0x000001BFB9290000-memory.dmp

memory/4904-3993-0x000001BFB9800000-0x000001BFB997C000-memory.dmp

memory/4904-3995-0x000001BFA08F0000-0x000001BFA0912000-memory.dmp

memory/4904-3994-0x000001BFA08A0000-0x000001BFA08BA000-memory.dmp

memory/4604-4022-0x000001DDD8D20000-0x000001DDD8D72000-memory.dmp

memory/4604-4028-0x00007FFD0A720000-0x00007FFD0B1E1000-memory.dmp

memory/4604-4034-0x000001DDF34D0000-0x000001DDF34E0000-memory.dmp

memory/4604-4035-0x000001DDD9110000-0x000001DDD9111000-memory.dmp

memory/4604-4041-0x000001DDD9180000-0x000001DDD91A6000-memory.dmp

memory/4604-4047-0x000001DDD9150000-0x000001DDD9151000-memory.dmp

memory/4604-4053-0x000001DDF3380000-0x000001DDF33D4000-memory.dmp

memory/4604-4069-0x000001DDD9170000-0x000001DDD9171000-memory.dmp

memory/4604-4085-0x000001DDD8D20000-0x000001DDD8D72000-memory.dmp

memory/4604-4095-0x000001DDDAAC0000-0x000001DDDAAF2000-memory.dmp

memory/4604-4111-0x000001DDF3B00000-0x000001DDF4118000-memory.dmp

memory/4604-4179-0x000001DDF4120000-0x000001DDF4340000-memory.dmp

memory/1808-4200-0x00000163326E0000-0x00000163326F0000-memory.dmp

memory/4604-4203-0x000001DDDAC30000-0x000001DDDAC31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\q0psexkw.exe

MD5 0602d0da3df01b8221dbef0e56d391f4
SHA1 aba6f2a78532c4b8eb51bc30f4ead8b98839e585
SHA256 eba277373e7dd5c41c44e80419f398467cc1a92a49fb5536489b09c8a216ba68
SHA512 bd4e87fef00896e03543e42c3027afe186d665a4242cf8bbe9a1de756eb3982624290f8ad63ef31832009069775536122dfa4b4f11e82d6acf21ef704073f597

C:\Program Files\ReasonLabs\VPN\InstallerLib.dll

MD5 babb847fc7125748264243a0a5dd9158
SHA1 78430deab4dfd87b398d549baf8e94e8e0dd734e
SHA256 bd331dd781d8aed921b0be562ddec309400f0f4731d0fd0b0e8c33b0584650cd
SHA512 2a452da179298555c6f661cb0446a3ec2357a99281acae6f1dbe0cc883da0c2f4b1157affb31c12ec4f6f476075f3cac975ec6e3a29af46d2e9f4afbd09c8755

C:\Program Files\ReasonLabs\VPN\rsEngine.Core.dll

MD5 96cbdd0c761ad32e9d5822743665fe27
SHA1 c0a914d4aa6729fb8206220f84695d2f8f3a82ce
SHA256 cc3f60b37fec578938ee12f11a6357c45e5a97bd3bccdeb8e5efb90b1649a50b
SHA512 4dde7e5fb64ee253e07a40aaf8cbc4ddaaeeeafc6aeb33e96bc76c8110f26e2c3809a47266cb7503cbc981c6cb895f3eaae8743d07d6434997684e8d6a3d8eb0

C:\Program Files\ReasonLabs\VPN\ui\VPN.exe

MD5 4d7d8dc78eed50395016b872bb421fc4
SHA1 e546044133dfdc426fd4901e80cf0dea1d1d7ab7
SHA256 b20d4193fdf0fe9df463c9573791b9b8a79056812bb1bba2db1cf00dd2df4719
SHA512 6c0991c3902645a513bdee7288ad30c34e33fca69e2f2f45c07711f7b2fdc341336d6f07652e0d9e40fbac39c35940eda0715e19ef9dfa552a46e09e23f56fdf

C:\Users\Admin\AppData\Local\Temp\nsz72D7.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\325aeb5d\c638a3b4_6467da01\rsJSON.DLL

MD5 8528610b4650860d253ad1d5854597cb
SHA1 def3dc107616a2fe332cbd2bf5c8ce713e0e76a1
SHA256 727557ec407cadd21aa26353d04e6831a98d1fa52b8d37d48e422d3206f9a9c4
SHA512 dd4ff4b6d8bc37771416ceb8bd2f30d8d3d3f16ef85562e8485a847a356f3644d995942e9b1d3f9854c5b56993d9488e38f5175f3f430e032e4091d97d4d1f7d

C:\Users\Admin\AppData\Local\Temp\nsz72D7.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\1edd76dd\c638a3b4_6467da01\rsLogger.DLL

MD5 148dc2ce0edbf59f10ca54ef105354c3
SHA1 153457a9247c98a50d08ca89fad177090249d358
SHA256 efe944c3ae3ad02011e6341aa9c2aab25fb8a17755ea2596058d70f8018122a4
SHA512 10630bd996e9526147b0e01b16279e96a6f1080a95317629ecb61b83f9ebee192c08201873ff5df2de82d977558b2eeb0e4808667083cd0f3bf9f195db4890d5

C:\Users\Admin\AppData\Local\Temp\nsz72D7.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\6a3895ac\1d129cb4_6467da01\rsAtom.DLL

MD5 3ae6f007b30db9507cc775122f9fc1d7
SHA1 ada34eebb84a83964e2d484e8b447dca8214e8b7
SHA256 892a7ee985715c474a878f0f27f6832b9782d343533e68ae405cd3f20d303507
SHA512 5dd37e9f2ac9b2e03e0d3fd6861c5a7dcb71af232672083ac869fc7fae34ac1e1344bdfabe21c98b252edd8df641f041c95ea669dc4ebb495bf269d161b63e5f

C:\Program Files\ReasonLabs\VPN\rsEngine.config

MD5 04be4fc4d204aaad225849c5ab422a95
SHA1 37ad9bf6c1fb129e6a5e44ddbf12c277d5021c91
SHA256 6f8a17b8c96e6c748ebea988c26f6bcaad138d1fe99b9f828cd9ff13ae6a1446
SHA512 4e3455a4693646cdab43aef34e67dd785fa90048390003fa798a5bfcde118abda09d8688214cb973d7bbdd7c6aefc87201dceda989010b28c5fffc5da00dfc26

C:\Users\Admin\AppData\Local\Temp\nsz72D7.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\c02e12a2\c638a3b4_6467da01\rsServiceController.DLL

MD5 8e10c436653b3354707e3e1d8f1d3ca0
SHA1 25027e364ff242cf39de1d93fad86967b9fe55d8
SHA256 2e55bb3a9cdef38134455aaa1ef71e69e1355197e2003432e4a86c0331b34e53
SHA512 9bd2a1ae49b2b3c0f47cfefd65499133072d50628fec7da4e86358c34cf45d1fdb436388b2dd2af0094a9b6f7a071fb8453cf291cf64733953412fdf2457d98e

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

MD5 5f2d345efb0c3d39c0fde00cf8c78b55
SHA1 12acf8cc19178ce63ac8628d07c4ff4046b2264c
SHA256 bf5f767443e238cf7c314eae04b4466fb7e19601780791dd649b960765432e97
SHA512 d44b5f9859f4f34123f376254c7ad3ba8e0716973d340d0826520b6f5d391e0b4d2773cc165ef82c385c3922d8e56d2599a75e5dc2b92c10dad9d970dce2a18b

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallState

MD5 362ce475f5d1e84641bad999c16727a0
SHA1 6b613c73acb58d259c6379bd820cca6f785cc812
SHA256 1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA512 7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

MD5 d13bddae18c3ee69e044ccf845e92116
SHA1 31129f1e8074a4259f38641d4f74f02ca980ec60
SHA256 1fac07374505f68520aa60852e3a3a656449fceacb7476df7414c73f394ad9e0
SHA512 70b2b752c2a61dcf52f0aadcd0ab0fdf4d06dc140aee6520a8c9d428379deb9fdcc101140c37029d2bac65a6cfcf5ed4216db45e4a162acbc7c8c8b666cd15dd

C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

MD5 10a8f2f82452e5aaf2484d7230ec5758
SHA1 1bf814ddace7c3915547c2085f14e361bbd91959
SHA256 97bffb5fc024494f5b4ad1e50fdb8fad37559c05e5d177107895de0a1741b50b
SHA512 6df8953699e8f5ccff900074fd302d5eb7cad9a55d257ac1ef2cb3b60ba1c54afe74aee62dc4b06b3f6edf14617c2d236749357c5e80c5a13d4f9afcb4efa097

C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

MD5 afb68bc4ae0b7040878a0b0c2a5177de
SHA1 ed4cac2f19b504a8fe27ad05805dd03aa552654e
SHA256 76e6f11076cc48eb453abbdbd616c1c46f280d2b4c521c906adf12bb3129067b
SHA512 ebc4c1f2da977d359791859495f9e37b05491e47d39e88a001cb6f2b7b1836b1470b6904c026142c2b1b4fe835560017641d6810a7e8a5c89766e55dd26e8c43
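The listing above is raw sandbox output in a fixed layout: a dropped-file path, a blank line, then its MD5/SHA1/SHA256/SHA512 lines, interleaved with `memory/<pid>-<seq>-<start>-<end>-memory.dmp` region dumps. The same path can appear several times with different digests when the sample rewrites a file during detonation (rsWSC.InstallLog, AnalyticsManager000.log and the log_*.txt entries), and the same memory range is often dumped repeatedly. The Python below is an added example, not part of this report or of any sandbox tool: it parses that layout into records, flags digests of the wrong length (a truncated hash pasted into a blocklist silently never matches), groups dumps by PID and distinct address range, and lists paths that were written more than once. The sample input is a few entries copied from this section plus one made-up path (`C:\constructed\truncated.bin`) with a deliberately shortened SHA256.

```python
"""Parser for a sandbox 'Files' listing: dropped-file paths with MD5/SHA1/SHA256/SHA512
lines, interleaved with memory/<pid>-<seq>-<start>-<end>-memory.dmp entries. Added example."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Expected hex length per algorithm. A digest of the wrong length is a copy/paste or
# extraction error that will never match a blocklist, so it is flagged rather than kept.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)    # algorithm -> lowercase hex digest
    problems: list = field(default_factory=list)  # malformed hash lines for this entry


@dataclass(frozen=True)
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def parse_listing(text):
    """Any non-empty line that is neither a hash line nor a dump name starts a new file
    entry; hash lines attach to the most recent entry. Returns (files, dumps)."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
        elif m := HASH_RE.match(line):
            if current is None:
                raise ValueError(f"hash line before any path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                current.problems.append(f"{algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            current.hashes[algo] = digest
        else:
            current = FileRecord(path=line)
            files.append(current)
    return files, dumps


def versions_by_path(files):
    """path -> distinct SHA256s, for paths written more than once with different content."""
    seen = defaultdict(list)
    for f in files:
        h = f.hashes.get("SHA256")
        if h and h not in seen[f.path]:
            seen[f.path].append(h)
    return {p: hs for p, hs in seen.items() if len(hs) > 1}


def distinct_regions(dumps):
    """(pid, start, end) with repeated dumps of the same address range collapsed."""
    return sorted({(d.pid, d.start, d.end) for d in dumps})


# Constructed sample: entries copied from the listing above, plus one made-up path with a
# deliberately truncated SHA256 to exercise the length check.
SAMPLE = r"""
C:\Program Files\McAfee\WebAdvisor\win32\wssdep.dll

MD5 652ae29251e9a1017cf1ae8957bfc1ad
SHA1 860e2b6c10eb8f2f2476cfcca4c8efccbce6186f
SHA256 0532d4bb245eca0e6436849a90f672dd639e9547de721036d0a93ab1f7476f3d

memory/4648-750-0x00007FF71DFC0000-0x00007FF71DFD0000-memory.dmp

memory/4648-598-0x00007FF71DFC0000-0x00007FF71DFD0000-memory.dmp

memory/5024-1272-0x00007FFD0A720000-0x00007FFD0B1E1000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 1264314190d1e81276dde796c5a3537c
SHA256 8341a3cae0acb500b9f494bdec870cb8eb8e915174370d41c57dcdae622342c5

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 43fbbd79c6a85b1dfb782c199ff1f0e7
SHA256 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

C:\constructed\truncated.bin

SHA256 19537ccffeb8552c0d4a8e
"""
```

Running `parse_listing` over the whole Files section instead of `SAMPLE` gives one `FileRecord` per entry and one `MemoryDump` per dump line; `distinct_regions` is what to feed a memory-scanning rule (the 0x10000-byte regions in PID 4648 recur under several sequence numbers), and `versions_by_path` separates files the installer wrote once from logs it kept appending to, which matters when choosing which SHA256s to push to a blocklist.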