hxxps://d1vdn3r1396bak[.]cloudfront[.]net/installer/73565317/067549326

Analysis

max time kernel
1800s
max time network
1692s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
25/02/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://d1vdn3r1396bak.cloudfront.net/installer/73565317/067549326

Score

8^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 24 IoCs

pid	Process
3556	CheatEngine75.exe
2764	CheatEngine75.tmp
2308	saBSI.exe
972	installer.exe
4116	CheatEngine75.tmp
4332	saBSI.exe
424	_setup64.tmp
3328	Kernelmoduleunloader.exe
3160	windowsrepair.exe
4152	CheatEngine75.exe
2364	CheatEngine75.tmp
4464	installer.exe
972	installer.exe
2744	ServiceHost.exe
5620	CheatEngine75.exe
5656	CheatEngine75.tmp
5904	CheatEngine75.exe
5944	CheatEngine75.tmp
3796	_setup64.tmp
1060	Kernelmoduleunloader.exe
2976	windowsrepair.exe
2104	Cheat Engine.exe
5536	cheatengine-x86_64-SSE4-AVX2.exe
1548	Tutorial-x86_64.exe

Loads dropped DLL 19 IoCs

pid	Process
2764	CheatEngine75.tmp
2364	CheatEngine75.tmp
4380	regsvr32.exe
1452	regsvr32.exe
3460	regsvr32.exe
2744	ServiceHost.exe
2744	ServiceHost.exe
2744	ServiceHost.exe
2744	ServiceHost.exe
2744	ServiceHost.exe
2744	ServiceHost.exe
5656	CheatEngine75.tmp
5536	cheatengine-x86_64-SSE4-AVX2.exe
5536	cheatengine-x86_64-SSE4-AVX2.exe
5536	cheatengine-x86_64-SSE4-AVX2.exe
5536	cheatengine-x86_64-SSE4-AVX2.exe
5536	cheatengine-x86_64-SSE4-AVX2.exe
5536	cheatengine-x86_64-SSE4-AVX2.exe
5536	cheatengine-x86_64-SSE4-AVX2.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3096	icacls.exe
3376	icacls.exe
5248	icacls.exe
5320	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks for any installed AV software in registry 1 TTPs 12 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1681664450-2645008397-319333953-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\profapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\windows.storage.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shlwapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ole32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\combase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\cfgmgr32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\user32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\winmm.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\win32u.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\advapi32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\psapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\imm32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\WINMMBASE.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\GDI32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\kernel.appcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\powrprof.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\uxtheme.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\sechost.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shell32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shcore.dll	cheatengine-x86_64-SSE4-AVX2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-hr-HR.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp4169399925\wa-ui-install.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-K7TKM.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-QVNM7.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\tcc\is-4TDQC.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-MV969.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\allochook-i386.dll	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\edge_onboarding\edge-ext-toast.css	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp4169399925\mcafee_pc_install_icon2.png	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\is-1LM7M.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\win64\sqlite3.dll	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ch-store-overlay-ui.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp4169399925\jslang\wa-res-shared-fr-CA.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-64-linux.dll	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp4169399925\jslang\eula-pt-BR.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\switch_off.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-toasts.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\taskmanager.dll	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp4169399925\wa-install.css	installer.exe
File created	C:\Program Files\McAfee\Temp4169399925\jslang\eula-zh-TW.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\browserhost.exe	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-C6CO8.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\analyticstelemetryhandler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\domainnavigatedcounter.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp4169399925\jslang\eula-ja-JP.txt	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc32-32.dll	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\progress_1.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-HOLGT.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-SREHR.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\sys\is-M0S7F.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp4169399925\jslang\wa-res-install-hu-HU.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp4169399925\jslang\eula-fr-FR.txt	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\wsock32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-64-linux.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-TC572.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-pt-PT.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-D5M8S.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\installer_background.png	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp4169399925\wa_install_check.png	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-R82KA.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-IRNII.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\unins000.dat	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-pt-BR.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-RGCRB.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-2LF14.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-K2MBK.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-L3ISL.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\updater.exe	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp4169399925\taskmanager.cab	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-1JEGI.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\powrprof.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-ORLDN.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp4169399925\telemetry.cab	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp4169399925\servicehost.cab	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\OnDemandConnRouteHelper.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\Temp4169399925\jslang\wa-res-shared-pt-BR.js	installer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.0_none_108e4f62dfe5d999\comctl32.dll	cheatengine-x86_64-SSE4-AVX2.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2304	sc.exe
4712	sc.exe
6104	sc.exe
1584	sc.exe
5108	sc.exe
1016	sc.exe
4604	sc.exe
4964	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4344	2764	WerFault.exe	90
2848	2764	WerFault.exe	90
5576	5656	WerFault.exe	140
1208	5656	WerFault.exe	140

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133533279902786476"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

Runs net.exe

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	55	Cheat Engine 7.5 : luascript-ceshare
HTTP User-Agent header	59	Cheat Engine 7.5 : luascript-CEVersionCheck
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	42	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2764	CheatEngine75.tmp
2308	saBSI.exe
2308	saBSI.exe
2308	saBSI.exe
2308	saBSI.exe
2308	saBSI.exe
2308	saBSI.exe
2308	saBSI.exe
2308	saBSI.exe
2308	saBSI.exe
2308	saBSI.exe
2308	saBSI.exe
2308	saBSI.exe
4116	CheatEngine75.tmp
4116	CheatEngine75.tmp
4332	saBSI.exe
4332	saBSI.exe
2744	ServiceHost.exe
2744	ServiceHost.exe
2744	ServiceHost.exe
2744	ServiceHost.exe
2744	ServiceHost.exe
2744	ServiceHost.exe
5508	chrome.exe
5508	chrome.exe
5508	chrome.exe
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp
5656	CheatEngine75.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4252	4764	chrome.exe	72
PID 4764 wrote to memory of 4252	4764	chrome.exe	72
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 3752	4764	chrome.exe	74
PID 4764 wrote to memory of 4600	4764	chrome.exe	75
PID 4764 wrote to memory of 4600	4764	chrome.exe	75
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76
PID 4764 wrote to memory of 4212	4764	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://d1vdn3r1396bak.cloudfront.net/installer/73565317/067549326
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa1de49758,0x7ffa1de49768,0x7ffa1de49778
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:2
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2836 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5196 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5212 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:8
  2⤵
  PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5164 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5508 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:8
  2⤵
  PID:4772
- C:\Users\Admin\Downloads\CheatEngine75.exe
  "C:\Users\Admin\Downloads\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\is-4SH14.tmp\CheatEngine75.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-4SH14.tmp\CheatEngine75.tmp" /SL5="$6026C,29019897,780800,C:\Users\Admin\Downloads\CheatEngine75.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\prod1_extract\saBSI.exe
      "C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=NL
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2308
    - - C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
        
        "C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91082 PaidDistribution=true saBsiVersion=4.1.1.818 CountryCode=NL /no_self_update
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4332
      - C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
        
        "C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4464
        
        C:\Program Files\McAfee\Temp4169399925\installer.exe
        
        "C:\Program Files\McAfee\Temp4169399925\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:972
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"
        8⤵
        Launches sc.exe
        
        PID:4604
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        8⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        9⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"
        8⤵
        Launches sc.exe
        
        PID:4964
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        8⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0
        8⤵
        Launches sc.exe
        
        PID:2304
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        8⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        9⤵
        Loads dropped DLL
        
        PID:3460
        
        C:\Windows\SYSTEM32\sc.exe
        
        sc.exe start "McAfee WebAdvisor"
        8⤵
        Launches sc.exe
        
        PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\CheatEngine75.exe
      "C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
      4⤵
      PID:972
    - - C:\Users\Admin\AppData\Local\Temp\is-QBP3S.tmp\CheatEngine75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QBP3S.tmp\CheatEngine75.tmp" /SL5="$702E0,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4116
      - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        6⤵
        
        PID:4400
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        7⤵
        
        PID:2744
      - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        6⤵
        
        PID:432
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        7⤵
        
        PID:2264
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        6⤵
        Launches sc.exe
        
        PID:5108
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        6⤵
        Launches sc.exe
        
        PID:1016
      - C:\Users\Admin\AppData\Local\Temp\is-MCI4K.tmp\_isetup\_setup64.tmp
        
        helper 105 0x3C8
        6⤵
        Executes dropped EXE
        
        PID:424
      - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:3096
      - C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        6⤵
        Executes dropped EXE
        
        PID:3328
      - C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        6⤵
        Executes dropped EXE
        
        PID:3160
      - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:3376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 868
      4⤵
      Program crash
      PID:4344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 868
      4⤵
      Program crash
      PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4488 --field-trial-handle=1784,i,11247388732826248708,12304001304063464749,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5508

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2316

C:\Users\Admin\Downloads\CheatEngine75.exe
"C:\Users\Admin\Downloads\CheatEngine75.exe"
1⤵
- Executes dropped EXE
PID:4152
- C:\Users\Admin\AppData\Local\Temp\is-QLDS1.tmp\CheatEngine75.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QLDS1.tmp\CheatEngine75.tmp" /SL5="$40342,29019897,780800,C:\Users\Admin\Downloads\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2364

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Users\Admin\Downloads\CheatEngine75.exe
"C:\Users\Admin\Downloads\CheatEngine75.exe"
1⤵
- Executes dropped EXE
PID:5620
- C:\Users\Admin\AppData\Local\Temp\is-GM7HO.tmp\CheatEngine75.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GM7HO.tmp\CheatEngine75.tmp" /SL5="$7026C,29019897,780800,C:\Users\Admin\Downloads\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\is-O351J.tmp\CheatEngine75.exe
    "C:\Users\Admin\AppData\Local\Temp\is-O351J.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
    3⤵
    - Executes dropped EXE
    PID:5904
  - - C:\Users\Admin\AppData\Local\Temp\is-QBKHE.tmp\CheatEngine75.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QBKHE.tmp\CheatEngine75.tmp" /SL5="$2032E,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-O351J.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      PID:5944
    - - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        5⤵
        
        PID:5984
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        6⤵
        
        PID:6028
    - - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        5⤵
        
        PID:6044
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        6⤵
        
        PID:6088
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        5⤵
        Launches sc.exe
        
        PID:6104
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        5⤵
        Launches sc.exe
        
        PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\is-1GBE1.tmp\_isetup\_setup64.tmp
        
        helper 105 0x3C8
        5⤵
        Executes dropped EXE
        
        PID:3796
    - - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        5⤵
        Modifies file permissions
        
        PID:5248
    - - C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        5⤵
        Executes dropped EXE
        
        PID:1060
    - - C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        5⤵
        Executes dropped EXE
        
        PID:2976
    - - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        5⤵
        Modifies file permissions
        
        PID:5320
- - C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
    "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
    3⤵
    - Executes dropped EXE
    PID:2104
  - - C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
      "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      PID:5536
    - - C:\Program Files\Cheat Engine 7.5\Tutorial-x86_64.exe
        
        "C:\Program Files\Cheat Engine 7.5\Tutorial-x86_64.exe"
        5⤵
        Executes dropped EXE
        
        PID:1548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 1780
    3⤵
    - Program crash
    PID:5576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 1780
    3⤵
    - Program crash
    PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\CheatEngine.chm

Filesize
299KB

MD5
bb80fec3b6e843b61859914480706cd9

SHA1
0ced874bee5bda6059b5195911aa117693d9d2de

SHA256
2d52f9d59211f8906ace16525721b1400343bdf720f062cf111d84089f129009

SHA512
78d8a024dabd111b59beea4dc21150c7fbb3a6924201d2f3ff9e720e4bbc967bbff285ba2064bc35c260ffde433c639fdc0252c47ae29b43398117eda21cf648

Download Submit
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

Filesize
236KB

MD5
9af96706762298cf72df2a74213494c9

SHA1
4b5fd2f168380919524ecce77aa1be330fdef57a

SHA256
65fa2ccb3ac5400dd92dda5f640445a6e195da7c827107260f67624d3eb95e7d

SHA512
29a0619093c4c0ecf602c861ec819ef16550c0607df93067eaef4259a84fd7d40eb88cd5548c0b3b265f3ce5237b585f508fdd543fa281737be17c0551163bd4

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-i386.dll

Filesize
328KB

MD5
19d52868c3e0b609dbeb68ef81f381a9

SHA1
ce365bd4cf627a3849d7277bafbf2f5f56f496dc

SHA256
b96469b310ba59d1db320a337b3a8104db232a4344a47a8e5ae72f16cc7b1ff4

SHA512
5fbd53d761695de1dd6f0afd0964b33863764c89692345cab013c0b1b6332c24dcf766028f305cc87d864d17229d7a52bf19a299ca136a799053c368f21c8926

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll

Filesize
468KB

MD5
daa81711ad1f1b1f8d96dc926d502484

SHA1
7130b241e23bede2b1f812d95fdb4ed5eecadbfd

SHA256
8422be70e0ec59c962b35acf8ad80671bcc8330c9256e6e1ec5c07691388cd66

SHA512
9eaa8e04ad7359a30d5e2f9256f94c1643d4c3f3c0dff24d6cd9e31a6f88cb3b470dd98f01f8b0f57bb947adc3d45c35749ed4877c7cbbbcc181145f0c361065

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\addtonewgroup.lua

Filesize
1KB

MD5
3e20f1013fb48a67fe59bede7b8e341b

SHA1
8c8a4cb49c3b29db2c47f84aafd0416101722bfe

SHA256
96e4429192f9ab26f8bf9f9429f36b388aa69c3624781c61ea6df7e1bca9b49b

SHA512
99cf3f88c8b06da0dbe8085dee796bec7a9533990a55fbce7524a4f941b5ecf0e8ec975a4b032eb2aaabd116c0804995a75036c98a5e4058f25d78d08a11f3f2

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\alternateSpeedhack.LUA

Filesize
7KB

MD5
459b793e0dc43a993f03d8b612f67cec

SHA1
f14ae9afbe97af534a11bf98ac1cc096269f1474

SHA256
e2cbb4c2f46305bb07d84222231012fd4c800fe8e1b43e0aa1af9b6c5d111f7f

SHA512
1740068e3419d153ecbd9d1a6aada20aabe71915e7422dce1a83e616e8d2a1084922a81741591a682531e1f8146e437d8688521c7707a4909e5721768a3f956e

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\autosave.lua

Filesize
9KB

MD5
40d6bfe593194cf938e19622a3c13a5e

SHA1
761257e8ef492431cf0e04dbca396fabb25fe1ae

SHA256
c4cef60489b067c8e7abcdd5594643a27d0720b21523753dd462d53024287116

SHA512
1d1aaa9de74b0bb08cc4ceced5dbfa4c589347eac098d7ae013d5a1beaae0eeaca4d314e2591560c6df14a93dd4e9316ca317d21efadcca57d11eee72f4c6e16

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\bigendian.lua

Filesize
7KB

MD5
e76fcd2ecd5b956d4579a676aa3eea01

SHA1
49ecba5ccc531a40ad7805a126d38b44b4a36576

SHA256
0339ba0043af5c058cf3a19de9f90312d18f6bb2728f454ef403b531bd57ae42

SHA512
8443c213d4a626a358631f76a0cc4c106543ce58c94d34a96b88574b3e32ae742f28878b259a17823ca07ec521b06e32e572e7bc77e10951bc0984b07c0571c6

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_account.lua

Filesize
6KB

MD5
0b5180bd64689788ebeaa8e705a264ac

SHA1
43a5cc401ee6c4ff4a94697112b1bc1d4345fc19

SHA256
8fd38a5e6c0408ca77e0e7a0ee179b4391758ec6da94ea289e3a2cbc1ab1ec59

SHA512
cc26e2e36b93bf89aa16c744b2db60d855de616db7a67f4fb24135545104459338c3edeab42bb316b1ecb0db9e31970b1415a1bf638ea3e53ae31471330aeadb

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_comments.lua

Filesize
3KB

MD5
0d4d1b597712015ef1b0ec8adc26495f

SHA1
3584779c06619f545b47a27703aa2f47455d50de

SHA256
89c8fccc16d2aa0a3004dc1b477a5c1dcbba539769b2a4558f7c7d9b9809b133

SHA512
ae26bbb2c3f74c143a01ec3b296a26699c679d51bc68c8c7b8c460616d1a0aa065500ebca83e972a720bd7a3c5a7b63a673eaecef1391a2e717208ef8da0796f

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_fulltablelist.lua

Filesize
12KB

MD5
665bb2e55e2a13157d1dbfef05d1b905

SHA1
408fea33f574bd0fa9e4cb71958363398e0699bc

SHA256
da6ecce3db7d305813ffe80ca994663d43f1068f0fb67399a4c66d1f28684bfa

SHA512
8fe95e22680e1e802d0ceeecbbd6b098526468b8cf4d838301d2833247d94e4f3b3a4b76a68f9faaa2177b42ff2ffea2df46ef56a4a0ce501d126135ce8ee985

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_permissions.lua

Filesize
3KB

MD5
65c8d4eddfe05267a72eae3ddb2cf02a

SHA1
eef2928d355c8b669f8854da37162ba1fe32740a

SHA256
15b0c7682e5e8d2e2c2b8cb00c0c03b7dfa9439ac80c37f8e96a4f86652246f9

SHA512
1c151d5a44482362430fbc6ed4550671ad96e768942e4ec2a4c487182bed9d0326a0d40a1ac43f2c8a3de1e18e33b055ce7126d80fee9b5b7091ed83a22a41ad

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_processlistextention.lua

Filesize
9KB

MD5
607a7c1ab93026d94916f21779d0d645

SHA1
3d5a64b256fc44086e6e190ea0bc45b5999e1979

SHA256
ea61eea6289c2feba7b7d0cc24db5277e383102f24784e6bf7254af41829599c

SHA512
d6749e2dbe46466a1cb1c464ce3f237836ef6b572ef897c7f5c9d12f80a6c0c7a5dfea54c3499a91e14b29c8bbf0809cce433c379f9e5dc0072e436f641c59ad

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_publish.lua

Filesize
20KB

MD5
87cd08b16891e0dbe3d47bb71ca91691

SHA1
55d98338b4aa0df3566cd2e721b3d3f86a3836aa

SHA256
6bfd35aa64ab566ddb68d0675ad3b4a093649010a9c30df3a30a7f9dc2ed7702

SHA512
847becf1d3066a3e185001035b68496b91876bdeb323734782c41fc9b2bdf665bf33c728cebbe78e820654d87b1969c09b5d1faed7498538cb5f761984108614

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-UPKUQ.tmp

Filesize
1KB

MD5
33f3a8e602ac6644af839acb3ca10709

SHA1
0f76681306ebbe5063da4c93919104d3e0134046

SHA256
0ce7bd4b75fcf8800faffd3b0a315cbfe7b89271b8705e9216404af4d737d0bb

SHA512
81898fcf08c2ea7817479852771e11a67d766fba25b4fc7a77d23c993c4274d1c7c66953951051d2952d1b52630a1ba5c5268d7e67c1b9c696ca5ef427e5ec0d

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png

Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook.dll

Filesize
128KB

MD5
43dac1f3ca6b48263029b348111e3255

SHA1
9e399fddc2a256292a07b5c3a16b1c8bdd8da5c1

SHA256
148f12445f11a50efbd23509139bf06a47d453e8514733b5a15868d10cc6e066

SHA512
6e77a429923b503fc08895995eb8817e36145169c2937dacc2da92b846f45101846e98191aeb4f0f2f13fff05d0836aa658f505a04208188278718166c5e3032

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook64.dll

Filesize
140KB

MD5
0daf9f07847cceb0f0760bf5d770b8c1

SHA1
992cc461f67acea58a866a78b6eefb0cbcc3aaa1

SHA256
a2ac2ba27b0ed9acc3f0ea1bef9909a59169bc2eb16c979ef8e736a784bf2fa4

SHA512
b4dda28721de88a372af39d4dfba6e612ce06cc443d6a6d636334865a9f8ca555591fb36d9829b54bc0fb27f486d4f216d50f68e1c2df067439fe8ebbf203b6a

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook.dll

Filesize
137KB

MD5
42e2bf4210f8126e3d655218bd2af2e4

SHA1
78efcb9138eb0c800451cf2bcc10e92a3adf5b72

SHA256
1e30126badfffb231a605c6764dd98895208779ef440ea20015ab560263dd288

SHA512
c985988d0832ce26337f774b160ac369f2957c306a1d82fbbffe87d9062ae5f3af3c1209768cd574182669cd4495dba26b6f1388814c0724a7812218b0b8dc74

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook64.dll

Filesize
146KB

MD5
0eaac872aadc457c87ee995bbf45a9c1

SHA1
5e9e9b98f40424ad5397fc73c13b882d75499d27

SHA256
6f505cc5973687bbda1c2d9ac8a635d333f57c12067c54da7453d9448ab40b8f

SHA512
164d1e6ef537d44ac4c0fd90d3c708843a74ac2e08fa2b3f0fdd4a180401210847e0f7bb8ec3056f5dc1d5a54d3239c59fb37914ce7742a4c0eb81578657d24b

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll

Filesize
124KB

MD5
5f1a333671bf167730ed5f70c2c18008

SHA1
c8233bbc6178ba646252c6566789b82a3296cab5

SHA256
fd2a2b4fe4504c56347c35f24d566cc0510e81706175395d0a2ba26a013c4daf

SHA512
6986d93e680b3776eb5700143fc35d60ca9dbbdf83498f8731c673f9fd77c8699a24a4849db2a273aa991b8289e4d6c3142bbde77e11f2faf603df43e8fea105

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll

Filesize
136KB

MD5
61ba5199c4e601fa6340e46bef0dff2d

SHA1
7c1a51d6d75b001ba1acde2acb0919b939b392c3

SHA256
8783f06f7b123e16042bb0af91ff196b698d3cd2aa930e3ea97cfc553d9fc0f4

SHA512
8ce180a622a5788bb66c5f3a4abfde62c858e86962f29091e9c157753088ddc826c67c51ff26567bfe2b75737897f14e6bb17ec89f52b525f6577097f1647d31

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook.dll

Filesize
119KB

MD5
2a2ebe526ace7eea5d58e416783d9087

SHA1
5dabe0f7586f351addc8afc5585ee9f70c99e6c4

SHA256
e2a7df4c380667431f4443d5e5fc43964b76c8fcb9cf4c7db921c4140b225b42

SHA512
94ed0038068abddd108f880df23422e21f9808ce04a0d14299aacc5d573521f52626c0c2752b314cda976f64de52c4d5bcac0158b37d43afb9bc345f31fdbbc0

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook64.dll

Filesize
131KB

MD5
2af7afe35ab4825e58f43434f5ae9a0f

SHA1
b67c51cad09b236ae859a77d0807669283d6342f

SHA256
7d82694094c1bbc586e554fa87a4b1ed6ebc9eb14902fd429824dcd501339722

SHA512
23b7c6db0cb9c918ad9f28fa0e4e683c7e2495e89a136b75b7e1be6380591da61b6fb4f7248191f28fd3d80c4a391744a96434b4ab96b9531b5ebb0ec970b9d0

Download Submit
C:\Program Files\Cheat Engine 7.5\is-5GR9C.tmp

Filesize
3.5MB

MD5
eba2afdb2585021a66c184eb62669b9b

SHA1
b4853ef2ddd5f9835284d2297f0dfaf718bfd25b

SHA256
e25bffb47817db28a7448ffaff0f3f91066485010e7590c7727e04dfbbfae182

SHA512
24ec29a96eee0ed5725fddfaa4b968cdb0d035da6c017042096c5d26bf0c831cac91f6c927d48e6d1a20411748b853f542a8661ed1a31220197a505c021e92e7

Download Submit
C:\Program Files\Cheat Engine 7.5\is-8ML22.tmp

Filesize
1.8MB

MD5
eb5e581f993996c4169aae61cefe6e92

SHA1
7eac57bb36f4d5b1303b9e598d3dc56ed2569599

SHA256
6b8ad6bbc64d92bc4c96bd5e54b6af1d5d43f3a2073091a3d7b0979be49d2697

SHA512
bc923ce89227013dcac9695b32128c2b2507bfb2281b9eb091d82bc94d714ff8ba4a379bb72e9f8e2674bd27702762e969870831f5a5ed84c9bdf7c237fe6eca

Download Submit
C:\Program Files\Cheat Engine 7.5\is-97T3K.tmp

Filesize
15.4MB

MD5
be1de71887663a7a2065a6de1f7f13be

SHA1
4365371e1519f245f1b97f0eecc4abb0185324dd

SHA256
118dd9fb2ae5d88cdd2bdfaaceecd3faac4a53563c1780d20af5af88aec30e4c

SHA512
30e158bb3946ee8aa614df276e77561eef4673adb74a982d37da73fd1ed99a748809bf3d1e27479abd5928a28120bf53bec759186392baec1db0e59e79261d75

Download Submit
C:\Program Files\Cheat Engine 7.5\is-GCFIR.tmp

Filesize
3.2MB

MD5
1c1630b241d5a6be07bfba2b3ea97a25

SHA1
7203255d1a6021874d41a48fcd5719fd7034f34c

SHA256
526cddd0d843f5984ac6cb98d28f22b090682c3a8704122b644ec8ae2c9a10e5

SHA512
bddedb575febf8c8103cfbb1981fd1d5f20d2e0f1d6f4252a98930d587420a69750ddc1be46932cdf979b8633054321f462557d88349459e111be43139beff4a

Download Submit
C:\Program Files\Cheat Engine 7.5\is-K645K.tmp

Filesize
302KB

MD5
59089c96334966edffc70bf4ae829910

SHA1
8dc37d6f2364749d52db1bcb9ad9fe30fb93930d

SHA256
49a55638c5a0f8112b89c45a24a2bcd102ff5de2d22386649d7f6ffd283af1fd

SHA512
3edd411905298fde78df57b063b4b2000fa2d16f0e1a14e8940d4fbc2226c1cba6925c47d3becc10e76bba9c5864cf671f5ef3b29cfa430823d0fa9bf9bbc3a9

Download Submit
C:\Program Files\Cheat Engine 7.5\is-OCF98.tmp

Filesize
640KB

MD5
fad3c9764354b926964af862ea903e3d

SHA1
ee08805d33d91efdcc87e37e25008c4400953b3f

SHA256
3fc4aac795655f4e7d3880ce71a4cb53f76f74853d08421bddd57f95a3e28ef1

SHA512
f983030e1c1aa25c14381084b9b1337e279a759f4602f5c28b2e44d327239f661d98e237767e3dc6cbf575b5399ef7882a66f82f50aa6034e679dee8572c4d28

Download Submit
C:\Program Files\Cheat Engine 7.5\languages\language.ini

Filesize
283B

MD5
af5ed8f4fe5370516403ae39200f5a4f

SHA1
9299e9998a0605182683a58a5a6ab01a9b9bc037

SHA256
4aa4f0b75548d45c81d8e876e2db1c74bddfd64091f102706d729b50a7af53a5

SHA512
f070049a2fae3223861424e7fe79cbae6601c9bee6a56fadde4485ad3c597dc1f3687e720177ab28564a1faab52b6679e9315f74327d02aa1fb31e7b8233a80f

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-32.dll

Filesize
157KB

MD5
df443813546abcef7f33dd9fc0c6070a

SHA1
635d2d453d48382824e44dd1e59d5c54d735ee2c

SHA256
d14911c838620251f7f64c190b04bb8f4e762318cc763d993c9179376228d8ca

SHA512
9f9bea9112d9db9bcecfc8e4800b7e8032efb240cbbddaf26c133b4ce12d27b47dc4e90bc339c561714bc972f6e809b2ec9c9e1facc6c223fbac66b089a14c25

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-64.dll

Filesize
182KB

MD5
4a3b7c52ef32d936e3167efc1e920ae6

SHA1
d5d8daa7a272547419132ddb6e666f7559dbac04

SHA256
26ede848dba071eb76c0c0ef8e9d8ad1c53dfab47ca9137abc9d683032f06ebb

SHA512
36d7f8a0a749de049a830cc8c8f0d3962d8dce57b445f5f3c771a86dd11aaa10da5f36f95e55d3dc90900e4dbddd0dcc21052c53aa11f939db691362c42e5312

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-i386.dll

Filesize
197KB

MD5
9f50134c8be9af59f371f607a6daa0b6

SHA1
6584b98172cbc4916a7e5ca8d5788493f85f24a7

SHA256
dd07117ed80546f23d37f8023e992de560a1f55a76d1eb6dfd9d55baa5e3dad6

SHA512
5ccafa2b0e2d20034168ee9a79e8efff64f12f5247f6772815ef4cb9ee56f245a06b088247222c5a3789ae2dcefadbc2c15df4ff5196028857f92b9992b094e0

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll

Filesize
260KB

MD5
dd71848b5bbd150e22e84238cf985af0

SHA1
35c7aa128d47710cfdb15bb6809a20dbd0f916d8

SHA256
253d18d0d835f482e6abbaf716855580eb8fe789292c937301e4d60ead29531d

SHA512
0cbf35c9d7b09fb57d8a9079eab726a3891393f12aee8b43e01d1d979509e755b74c0fb677f8f2dfab6b2e34a141f65d0cfbfe57bda0bf7482841ad31ace7790

Download Submit
C:\Program Files\Cheat Engine 7.5\overlay.fx

Filesize
2KB

MD5
650c02fc9f949d14d62e32dd7a894f5e

SHA1
fa5399b01aadd9f1a4a5632f8632711c186ec0de

SHA256
c4d23db8effb359b4aa4d1e1e480486fe3a4586ce8243397a94250627ba4f8cc

SHA512
f2caaf604c271283fc7af3aa9674b9d647c4ac53dffca031dbf1220d3ed2e867943f5409a95f41c61d716879bed7c888735f43a068f1cc1452b4196d611cb76d

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll

Filesize
200KB

MD5
6e00495955d4efaac2e1602eb47033ee

SHA1
95c2998d35adcf2814ec7c056bfbe0a0eb6a100c

SHA256
5e24a5fe17ec001cab7118328a4bff0f2577bd057206c6c886c3b7fb98e0d6d9

SHA512
2004d1def322b6dd7b129fe4fa7bbe5d42ab280b2e9e81de806f54313a7ed7231f71b62b6138ac767288fee796092f3397e5390e858e06e55a69b0d00f18b866

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-x86_64.dll

Filesize
256KB

MD5
19b2050b660a4f9fcb71c93853f2e79c

SHA1
5ffa886fa019fcd20008e8820a0939c09a62407a

SHA256
5421b570fbc1165d7794c08279e311672dc4f42cb7ae1cbddcd7eea0b1136fff

SHA512
a93e47387ab0d327b71c3045b3964c7586d0e03dddb2e692f6671fb99659e829591d5f23ce7a95683d82d239ba7d11fb5a123834629a53de5ce5dba6aa714a9a

Download Submit
C:\Program Files\Cheat Engine 7.5\unins000.exe

Filesize
640KB

MD5
6798abfde531440e1f95ac1b59b93cb6

SHA1
68cf15887ec2e7db8dbb06ebccc5ae8f384fbc59

SHA256
96e2c9bd34703c783ec23bf671546bae29876ad46e9b7f2df531959e8028385d

SHA512
e18ecf5baa7d4657b17833dea20275c03d69b313347cbe034054b3b39912aef491bbccb5539e80c647d08ee23188d9869c40bfcaa948205d0604f01c87347ea9

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-i386.dll

Filesize
324KB

MD5
e9b5905d495a88adbc12c811785e72ec

SHA1
ca0546646986aab770c7cf2e723c736777802880

SHA256
3eb9cd27035d4193e32e271778643f3acb2ba73341d87fd8bb18d99af3dffdea

SHA512
4124180b118149c25f8ea8dbbb2912b4bd56b43f695bf0ff9c6ccc95ade388f1be7d440a791d49e4d5c9c350ea113cf65f839a3c47d705533716acc53dd038f8

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll

Filesize
413KB

MD5
8d487547f1664995e8c47ec2ca6d71fe

SHA1
d29255653ae831f298a54c6fa142fb64e984e802

SHA256
f50baf9dc3cd6b925758077ec85708db2712999b9027cc632f57d1e6c588df21

SHA512
79c230cfe8907df9da92607a2c1ace0523a36c3a13296cb0265329208edc453e293d7fbedbd5410decf81d20a7fe361fdebddadbc1dc63c96130b0bedf5b1d8a

Download Submit
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

Filesize
262KB

MD5
9a4d1b5154194ea0c42efebeb73f318f

SHA1
220f8af8b91d3c7b64140cbb5d9337d7ed277edb

SHA256
2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363

SHA512
6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-i386.dll

Filesize
201KB

MD5
de625af5cf4822db08035cc897f0b9f2

SHA1
4440b060c1fa070eb5d61ea9aadda11e4120d325

SHA256
3cdb85ee83ef12802efdfc9314e863d4696be70530b31e7958c185fc4d6a9b38

SHA512
19b22f43441e8bc72507be850a8154321c20b7351669d15af726145c0d34805c7df58f9dc64a29272a4811268308e503e9840f06e51ccdcb33afd61258339099

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll

Filesize
264KB

MD5
f9c562b838a3c0620fb6ee46b20b554c

SHA1
5095f54be57622730698b5c92c61b124dfb3b944

SHA256
e08b035d0a894d8bea64e67b1ed0bce27567d417eaaa133e8b231f8a939e581d

SHA512
a20bc9a442c698c264fef82aa743d9f3873227d7d55cb908e282fa1f5dcff6b40c5b9ca7802576ef2f5a753fd1c534e9be69464b29af8efec8b019814b875296

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00200057003F001D0006.txt

Filesize
302B

MD5
239d1e4d456d050117f13be0f0724b9c

SHA1
28ce25c0e44165fc5a5085af290128e23eb2197f

SHA256
61436bfb79872c0e7c5ddb0b2d601bbf5ede4c21224ff9bf4e6f74913117468a

SHA512
ae826506697a5293609c5b1447d90108ceec4cc7c92253ce28006d7d474ec0585abd67206292fc3c9768abccdfa05f113c9ce81e4b3084f5ef2028b8158c1c4f

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe

Filesize
8.3MB

MD5
6b3f28c36a7f61905d5d89879b600298

SHA1
5843403b6df7e31486643fe6405ab21c62b056ed

SHA256
2ed51081984d4ab80a9aaa6aa0392f00889d2feb5ce77ac3e63bc6389d61c37c

SHA512
1ef6a4daa42944d2ecf31e553556f1291950f3ee21487a74fe33d8d4c44cf0b1fd889e4dfaf86a489e8d2579a688b63effb8ec915ac85c4aeeaeafc155d953aa

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe

Filesize
1.1MB

MD5
55e095ff9cecfe2cae9619880f6a447f

SHA1
7c8ab9c63852a437a100c870e814655dd5690978

SHA256
84a96a9a0ba2f17011c2242b3c0b929028f39211e8b0ede25d93323c0ff592a1

SHA512
b004e7eca837352d9854ce5d8cf9eae51f47386d33518d4ee49fdef0ad79935d8bbaf398ec06b7be6728298c48fe2e4e0d6e58f305d5d62abca9a202145a9d0b

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
5a0eb1428034a53ee1ae05ef2c0a1072

SHA1
069f290e7c5ca9e7d195351fd43fbee9aebe191b

SHA256
031393bac4d3d6ca1086f1a0e0f11a96504cf653631798bc62d11e128ffc0a3f

SHA512
1c811a5fd05b6fafeaf2fa35150c643683d4cbeedfcac58f86a4acecf352ad054ed3a04bda883c6471699e1dff31178c94d4479485c21b9f59683c0dce7d0db8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7de6d89778c863bab6f9703088c1944a

SHA1
6188c0b6959e704974a6b2fd07bc44e2bb353cfe

SHA256
3dab830ee9f683b1e43f604309a2982b954b9cf2fe1a83083ba7af7c0d8c7135

SHA512
e7cf0f82bcea62324c887847352e1daccb0e8930d9fd36ae9c5cb5e00e52645e6a4bb8ada2f855d1ae5db9aadd93b93514354925da34b8179270ff2916ca9930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1032057192826ca4302cbdaef948f119

SHA1
4ea803e9c22b1794d6169a5a9bb04efc21f4a323

SHA256
1e53fb224ab0bca612ff85aedb31e168058b955107bf269bdf2ffa17169ae2a4

SHA512
8152a3db342f4527cae7e2ce9e3803e6aa372eb913e94c6f7c075989aa20d951bf2df5796c8f2497976d64d6ac7a4dca9213caa7032b2339244903d98b0ed00f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b5f6634c7940acecf2ad07886de87ff5

SHA1
e13e07832a117dff184ae73cbf6c045c265bd552

SHA256
fe9195f1f7932f690c5fc79a082c0ae92150d2fc8f817ecdce9a475e1a49902e

SHA512
7fc195a12505f109ec30051a165fd552735ded928415e47bf0df587820c5576d192429daf3d5f7142b364dbe487f9e2d5d683432f08e703d24437f28049a3445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3c44fb7ee0b6a07ec7bf2b1cc2bb68ce

SHA1
d9582be9c12bf9e370225c704ce384017326e472

SHA256
cbc5fd5cfd626ca23c804f3b773925142a455da233205e7cb9bd00da9ca4c589

SHA512
fb9892c787febe8b6022ff36f5ff5cca598d68b01aa013360c8ddd3d09c280865265be7530682145f2bf89f59b86c5153fb20103ab4059ba9e713703c2593a2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
5b71613968ef86dfcf6acf664925c6aa

SHA1
68726bf355bef04ee289849df14242b3a194bd09

SHA256
e6b1c3d7102a3ae7a336d1e735910531fcd7ab78cc78ddf08bb2bc7a2a34da0c

SHA512
62545747c6559328e3c6ba7499f8714b428227023a15bc9f281091444e795bab3956f82d3b53613ac17db23211bdb0a22706ecb92f5bfec404cd7f4f051e7280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
893a240de17a8770e81df3b833c909fb

SHA1
8a22b1d1854da3f3a4469a2f6d18562a69552ac9

SHA256
30f43272bfe24f4f70296b39cc7f701de00392b0ae6903b716fbb160179cac8c

SHA512
36733742946c64ff929473687b1b1e6952f51379ea7114bd8cabfec02d217038f62eba05bfb86244ffad069afd6efb13931572b5b8fb8bc4c7348a8c699bbff6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5814fa.TMP

Filesize
104KB

MD5
8190e0f0596d7611370dc84892b078ba

SHA1
3564a0a2ac7f0633e04e0fbdfcea9f778368ce1b

SHA256
7307e8efbaa5006d4c737f9decf91c8ae8511a092f4a72fb91ee835756998aa5

SHA512
c6ac0dc6f89d9dccbf4271cd4b2e1980f9a0be41126677d7c9326ab77008860617f22698d2087ba9a6f4ba9cb44f0e488d07adecefdc9251862098095fbe91ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4SH14.tmp\CheatEngine75.tmp

Filesize
439KB

MD5
47e247b43723966f045b74ee960ea87f

SHA1
28a142b654a1f21a45b64efe627f94728756a3d0

SHA256
8100de263391256b69e7152e0f0e82c9591b94037bc405f9a21c6bef80263d30

SHA512
bb6adc462258ff04c4ceddaec1425357c6155e01a8d531d4d68779c2a46358cbc8d8a5ecf267905964f599e27cfe4df74352da52269229d19f5600d8205505c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GM7HO.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
d9bfd411b133d66741d4bb40609b6ed0

SHA1
c5b89ffeabf964658efa335826735f48148561e3

SHA256
13ba38cabdcaa761b7449d86443d3cd60f755a00c4cd13d945c88b6c2914100c

SHA512
3f4bf6c41585a95c206d8318f5014a9335e1f8fffb021399c303586c787d1c08439578eebc10b6014a8c186cb7fee89594a04a19a3ca650f164012b8928a779e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MCI4K.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O351J.tmp\CheatEngine75.exe

Filesize
25.4MB

MD5
7e3a7fd9eafd1fd2bf62d61154d33896

SHA1
d98ffa06901356661d5da7289e458d872d71c146

SHA256
86594b149e01139b3aaf184cf41c020cf1d207ea0d83e30115547af90c7f9fd7

SHA512
6af0459315d1fbb47ca81467b15c0867910894dbfdeb374bdb86f02a597ba33553c6c509b01370568f6a315b5579644e60adc0ebc23500acdda9aceacaba2f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QBP3S.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QBP3S.tmp\CheatEngine75.tmp

Filesize
2.1MB

MD5
0aeea555cdf20184efcfb5c805350a32

SHA1
a87dc4d3d68f6353daf8d10db6b24463eab40a7d

SHA256
85220213ab60884660b59fe3c1aaa3db4c11f744ea58daf222f34a91599dd433

SHA512
0b65551c8bc0af6d0b67fa005d8d3fc85e385fbfbd9dc19723a43ac1caaa504b67fcbbc600f114e25eb514740f66c0805c1bbff9eed1190183611881e1927f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\CCleaner.png

Filesize
193KB

MD5
7c87614f099c75a0bed6ab01555143dd

SHA1
07ab72dc4a1e53e2c62ecccc1221472854d78635

SHA256
02335420cb5c2fa33eec48f32706d2353f8b609daaf337458f04a8f98d999a7c

SHA512
29b7ce896332ed2a05235645adb963b77920a0a252561684ea9f1f925f69dbcee4685e1b30584c1034a15b7efc18b911902d1ecb41c523cf2552ff23e165bf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\CheatEngine75.exe

Filesize
2.9MB

MD5
5e1d4e79adc565049c44de9ec95676b7

SHA1
a71c938bb14020f0477b05fa7ca5e14657cc5f72

SHA256
ae36a37d751ce49fe159a2d8cdca5eafa1dc515376080a4d09e1ba8f973b94e8

SHA512
269c6d3bf3acb494f74fef345452ec233560cff10fba89ed9266b48971fe61892b322ab40767eaa4047c5dfe5752cf6bbb17a96c9bbcdf0ff8b9d9a2370db7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\CheatEngine75.exe

Filesize
768KB

MD5
b90925d39ad9ae10b833dea838eb6bf9

SHA1
d301a54fa6ffc287f94f8f72083ef82b0bb41699

SHA256
9c01dbc23f3fd3fba2c843f0b0c3c94571af5c254a4f0d4c80ec93ec2064f463

SHA512
b50804320cf89a48436bafa51ca2d1a29318c90ba4076bd2c11b84fe0fc9d954438666d825f2788a115d13ed4a2a159667ad14881c030c08d1a2e2224484f1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\logo.png

Filesize
246KB

MD5
1df360d73bf8108041d31d9875888436

SHA1
c866e8855d62f56a411641ece0552e54cbd0f2fb

SHA256
c1b1d7b4806955fe39a8bc6ce5574ab6ac5b93ad640cecfebe0961360c496d43

SHA512
3991b89927d89effca30cc584d5907998c217cf00ca441f2525ef8627ffff2032d104536f8b6ab79b83f4e32a7aab993f45d3930d5943cbfb5e449c5832abe14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\prod1.zip

Filesize
499KB

MD5
cd9c77bc5840af008799985f397fe1c3

SHA1
9b526687a23b737cc9468570fa17378109e94071

SHA256
26d7704b540df18e2bccd224df677061ffb9f03cab5b3c191055a84bf43a9085

SHA512
de82bd3cbfb66a2ea0cc79e19407b569355ac43bf37eecf15c9ec0693df31ee480ee0be8e7e11cc3136c2df9e7ef775bf9918fe478967eee14304343042a7872

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\prod1_extract\saBSI.exe

Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\Users\Admin\Downloads\CheatEngine75.exe

Filesize
13.8MB

MD5
f9430058ec1279e60e170455fb660cbd

SHA1
dcdbbad8b070e80560b5f4553927d8f9a38fa10b

SHA256
1cc20b07daaebe54191e158a2952cab946131d88fb6e0e58f83b3e4daf0fd43e

SHA512
4a2da378d99cc324820f0442e9f59f8ea85000d2bdd7429b9f258858b47f448bcf64da7d9b885b968cfa9d611020d04ed30c0befbe7b5299d13387752d7f5d24

Download Submit
C:\Users\Admin\Downloads\CheatEngine75.exe

Filesize
1.8MB

MD5
b0049442c91166b106421dd7066f6f60

SHA1
1bf048c572800b66520129592d053ef7dd6f137b

SHA256
385fbc2a9157247a71c25d8469618c376b0f399a5f3006437fd6a4e53ad7093a

SHA512
0836ec95e304c6cbd8306368c0558bdcf61ac9c7416332cb55f18053826fe908c6f86798be36c59154a753b5223f5d755f2245d054653b9a274cc08b7095d65a

Download Submit
C:\Users\Admin\Downloads\CheatEngine75.exe

Filesize
860KB

MD5
f3bb4dc58dece5b59d0f3c237afa80b8

SHA1
70460d7d0c68e948ff839c944960c7a8dd147f22

SHA256
104d2509121eebfc78478601f40631d8a87c6b8f629600cd3d2f44a1e9c5a8fa

SHA512
bf06ee793903336abbef8f031ffa2210bc4c6e6e1fbd15b8c99b86fd1bff3488515911e0d3b90830fcfd092d85113590dbaeb0d85dd080db6eef0e499a503b2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-SDDMM.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
memory/972-717-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/972-1069-0x00007FF7FD340000-0x00007FF7FD350000-memory.dmp

Filesize
64KB

Download
memory/972-1286-0x00007FF814E40000-0x00007FF814E50000-memory.dmp

Filesize
64KB

Download
memory/972-1327-0x00007FF7FD340000-0x00007FF7FD350000-memory.dmp

Filesize
64KB

Download
memory/972-1357-0x00007FF7FD340000-0x00007FF7FD350000-memory.dmp

Filesize
64KB

Download
memory/972-1365-0x00007FF80AC10000-0x00007FF80AC20000-memory.dmp

Filesize
64KB

Download
memory/972-200-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/972-1381-0x00007FF7FD340000-0x00007FF7FD350000-memory.dmp

Filesize
64KB

Download
memory/972-1377-0x00007FF80AC10000-0x00007FF80AC20000-memory.dmp

Filesize
64KB

Download
memory/972-1335-0x00007FF80AC10000-0x00007FF80AC20000-memory.dmp

Filesize
64KB

Download
memory/972-1316-0x00007FF7FD340000-0x00007FF7FD350000-memory.dmp

Filesize
64KB

Download
memory/972-1323-0x00007FF80AC10000-0x00007FF80AC20000-memory.dmp

Filesize
64KB

Download
memory/972-1270-0x00007FF814E40000-0x00007FF814E50000-memory.dmp

Filesize
64KB

Download
memory/972-1276-0x00007FF80AC10000-0x00007FF80AC20000-memory.dmp

Filesize
64KB

Download
memory/972-1240-0x00007FF80AC10000-0x00007FF80AC20000-memory.dmp

Filesize
64KB

Download
memory/972-893-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/972-1244-0x00007FF7FD340000-0x00007FF7FD350000-memory.dmp

Filesize
64KB

Download
memory/972-1107-0x00007FF80AC10000-0x00007FF80AC20000-memory.dmp

Filesize
64KB

Download
memory/972-1246-0x00007FF814E40000-0x00007FF814E50000-memory.dmp

Filesize
64KB

Download
memory/972-1104-0x00007FF7B0870000-0x00007FF7B0880000-memory.dmp

Filesize
64KB

Download
memory/972-1100-0x00007FF814E40000-0x00007FF814E50000-memory.dmp

Filesize
64KB

Download
memory/972-1192-0x00007FF814E40000-0x00007FF814E50000-memory.dmp

Filesize
64KB

Download
memory/972-1059-0x00007FF813A00000-0x00007FF813A10000-memory.dmp

Filesize
64KB

Download
memory/972-1060-0x00007FF813A00000-0x00007FF813A10000-memory.dmp

Filesize
64KB

Download
memory/972-1061-0x00007FF813A00000-0x00007FF813A10000-memory.dmp

Filesize
64KB

Download
memory/972-1063-0x00007FF813A00000-0x00007FF813A10000-memory.dmp

Filesize
64KB

Download
memory/972-1062-0x00007FF813A00000-0x00007FF813A10000-memory.dmp

Filesize
64KB

Download
memory/972-1108-0x00007FF7C9080000-0x00007FF7C9090000-memory.dmp

Filesize
64KB

Download
memory/972-1172-0x00007FF814E40000-0x00007FF814E50000-memory.dmp

Filesize
64KB

Download
memory/972-1170-0x00007FF80AC10000-0x00007FF80AC20000-memory.dmp

Filesize
64KB

Download
memory/972-1161-0x00007FF7C9080000-0x00007FF7C9090000-memory.dmp

Filesize
64KB

Download
memory/972-1129-0x00007FF7FD340000-0x00007FF7FD350000-memory.dmp

Filesize
64KB

Download
memory/972-1215-0x00007FF7FD340000-0x00007FF7FD350000-memory.dmp

Filesize
64KB

Download
memory/972-1202-0x00007FF7FD340000-0x00007FF7FD350000-memory.dmp

Filesize
64KB

Download
memory/972-1219-0x00007FF7FD340000-0x00007FF7FD350000-memory.dmp

Filesize
64KB

Download
memory/2364-1057-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2364-905-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2764-133-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-129-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-71-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2764-906-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2764-93-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2764-112-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-134-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2764-135-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-139-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-141-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2764-142-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-150-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2764-160-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-201-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-213-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2764-215-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-114-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2764-115-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-2375-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/2764-128-0x00000000049E0000-0x0000000004B20000-memory.dmp

Filesize
1.2MB

Download
memory/3556-64-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3556-83-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3556-2378-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4116-747-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4116-216-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4116-892-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4152-1016-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4152-900-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4152-2371-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5620-3084-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5620-2411-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5620-2382-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5656-2412-0x0000000004A00000-0x0000000004B40000-memory.dmp

Filesize
1.2MB

Download
memory/5656-2445-0x0000000004A00000-0x0000000004B40000-memory.dmp

Filesize
1.2MB

Download
memory/5656-2420-0x0000000004A00000-0x0000000004B40000-memory.dmp

Filesize
1.2MB

Download
memory/5656-2415-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/5656-2406-0x0000000004A00000-0x0000000004B40000-memory.dmp

Filesize
1.2MB

Download
memory/5656-3060-0x0000000004A00000-0x0000000004B40000-memory.dmp

Filesize
1.2MB

Download
memory/5656-3076-0x0000000004A00000-0x0000000004B40000-memory.dmp

Filesize
1.2MB

Download
memory/5656-2385-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/5904-2429-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5904-3053-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5944-2433-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download