zgrat | ae9e4974652dc907c017d94d511f1c4cbab72b8c440c052f38acac86279eb509

Resubmissions

20-04-2024 16:09

240420-tlylsscg9z 8

20-04-2024 16:04

240420-th885acg7z 10

Analysis

max time kernel
78s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20240412-fr
resource tags

arch:x64arch:x86image:win10v2004-20240412-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
20-04-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pivot_v5-2.exe
Size

660KB
MD5

f577fc68521d8ca399edd72ac913255d
SHA1

8ff05351f4d8f3c4c80ed4985590e8ab1b989ea1
SHA256

ae9e4974652dc907c017d94d511f1c4cbab72b8c440c052f38acac86279eb509
SHA512

ce2497db91582a1d21093e1e08fd33bb91d7f93081045e716cc46c2b4b24f65ec4dbe8ce7149109c4a713b55a13706cfda967fdbd466d3c1c00024f4761f0e38
SSDEEP

12288:zymCv84Lnka4eec2ZZEhl3qgi4JpXBLUbBinP7:zIv84Lnk5LEhl3qZs1P7

Score

10^/10

zgrat discovery persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\ReasonLabs\EPP\mc.dll	family_zgrat_v1
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs

Processes:

RAVEndPointProtection-installer.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rsStubActivator.exepivot_v5-2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	rsStubActivator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	pivot_v5-2.exe

Executes dropped EXE 17 IoCs

Processes:

rsStubActivator.exesaBSI.exepivotsetup.exepivotsetup.tmp2zq1k25a.exeRAVEndPointProtection-installer.exersSyncSvc.exersSyncSvc.exeinstaller.exeinstaller.exepivot.exeServiceHost.exeServiceHost.exeUIHost.exeServiceHost.exeServiceHost.exersWSC.exe

pid	process
3652	rsStubActivator.exe
4444	saBSI.exe
3824	pivotsetup.exe
3480	pivotsetup.tmp
3596	2zq1k25a.exe
5064	RAVEndPointProtection-installer.exe
4572	rsSyncSvc.exe
876	rsSyncSvc.exe
1972	installer.exe
5500	installer.exe
5660	pivot.exe
6136	ServiceHost.exe
6952	ServiceHost.exe
5240	UIHost.exe
6580	ServiceHost.exe
5612	ServiceHost.exe
4860	rsWSC.exe

Loads dropped DLL 34 IoCs

Processes:

regsvr32.exe2zq1k25a.exeregsvr32.exeregsvr32.exeServiceHost.exeregsvr32.exeregsvr32.exeServiceHost.exeUIHost.exeServiceHost.exeRAVEndPointProtection-installer.exeServiceHost.exe

pid	process
4380	regsvr32.exe
4380	regsvr32.exe
3596	2zq1k25a.exe
2580	regsvr32.exe
5544	regsvr32.exe
6136	ServiceHost.exe
6136	ServiceHost.exe
6112	regsvr32.exe
6136	ServiceHost.exe
6136	ServiceHost.exe
6136	ServiceHost.exe
5304	regsvr32.exe
6136	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
5240	UIHost.exe
6952	ServiceHost.exe
6580	ServiceHost.exe
6580	ServiceHost.exe
5240	UIHost.exe
6580	ServiceHost.exe
6580	ServiceHost.exe
6580	ServiceHost.exe
5064	RAVEndPointProtection-installer.exe
5612	ServiceHost.exe
5612	ServiceHost.exe
5612	ServiceHost.exe
5612	ServiceHost.exe
5612	ServiceHost.exe
5064	RAVEndPointProtection-installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe
Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery
T1518.001

Processes:

pivot_v5-2.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV pivot_v5-2.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV pivot_v5-2.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	pivot_v5-2.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	pivot_v5-2.exe

Drops file in Program Files directory 64 IoCs

Processes:

RAVEndPointProtection-installer.exeinstaller.exeinstaller.exeServiceHost.exe

description	ioc	process
File created	C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-da-DK.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll.config	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pl-PL.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tracing.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\facebook.png	installer.exe
File created	C:\Program Files\McAfee\Temp2182784543\jslang\wa-res-install-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\securesearchhit.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_logo.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\commonlogicloader.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\subdb.js	ServiceHost.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Reflection.Extensions.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2182784543\jslang\wa-res-install-es-MX.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\wmi.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-nl-NL.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2182784543\jslang\eula-cs-CZ.txt	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2182784543\uimanager.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\nps\info-16.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-nb-NO.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\stringutils.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\mwb\wa-mwb-checklist.html	installer.exe
File created	C:\Program Files\McAfee\Temp2182784543\jslang\eula-zh-CN.txt	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\NAudio.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-es-MX.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\bg.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-tr-TR.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2182784543\browserhost.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\edge_search\edge_search_ext_coachmark.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\osflavour.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\score-toast-ui\wa-score-toast-main.html	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\hi.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\productupselltoast.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ms.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sl.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp2182784543\l10n.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-el-GR.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp2182784543\mcafeecerts.xml	installer.exe
File created	C:\Program Files\McAfee\Temp2182784543\jslang\wa-res-shared-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ui-dwtoast.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\download_scan_ui.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Formatters.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp2182784543\servicehost.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wsspackagetype.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\navigatedtoday.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll	RAVEndPointProtection-installer.exe

Drops file in Windows directory 1 IoCs

Processes:

pivotsetup.tmp

description ioc process

File created C:\Windows\Fonts\is-B9D2U.tmp pivotsetup.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Fonts\is-B9D2U.tmp	pivotsetup.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ServiceHost.exeServiceHost.exeServiceHost.exeServiceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exepivotsetup.tmpregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk\shellex\{8895B1C6-B41F-4C1C-A562-0D564250836F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\pivot.exe\SupportedTypes	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STKPreview.stkfile\ = "STK Pivot Figure Preview Handler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\ProgID\ = "STKPreview.stkfile"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\InprocServer32\VersionIndependentProgID = "STKPreview.stkfile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFile.piv\shell\open\command	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STKPreview.stkfile\Clsid\ = "{64644512-C345-469F-B5FB-EB351E20129D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.piv\OpenWithProgids	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\InprocServer32\ProgID = "STKPreview.stkfile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\pivot.exe\SupportedTypes	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STKPreview.stkfile\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.piv\OpenWithProgids\PivotFile.piv	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\pivot.exe	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFigure.stk\shell\open\command	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFile.piv	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFile.piv\ = "Pivot Animator File"	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\DownloadScan.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.piv\OpenWithProgids	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFile.piv\shell\open\command	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\DefaultIcon\ = "C:\\Program Files (x86)\\Pivot Animator v5\\pivot.exe,2"	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.piv	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFigure.stk	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\shell	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk\shellex\{8895B1C6-B41F-4C1C-A562-0D564250836F}\ = "{64644512-C345-469F-B5FB-EB351E20129D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFile.piv\DefaultIcon\ = "C:\\Program Files (x86)\\Pivot Animator v5\\pivot.exe,1"	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFigure.stk\DefaultIcon	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\shell\open\command	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\shell\open\command\ = "\"C:\\Program Files (x86)\\Pivot Animator v5\\pivot.exe\" \"%1\""	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\InprocServer32\ = "C:\\PROGRA~2\\PIVOTA~1\\STKPRE~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64644512-C345-469F-B5FB-EB351E20129D}\AppID = "{534A1E02-D58F-44f0-B58B-36CBED287C7C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.stk\OpenWithProgids	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk\OpenWithProgids\PivotFigure.stk	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PivotFile.piv\DefaultIcon	pivotsetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.stk\OpenWithProgids	pivotsetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PivotFigure.stk\ = "Pivot Animator Figure"	pivotsetup.tmp

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

pivot_v5-2.exesaBSI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	pivot_v5-2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	pivot_v5-2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pivot_v5-2.exesaBSI.exepivotsetup.tmpServiceHost.exeServiceHost.exe

pid	process
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4444	saBSI.exe
4444	saBSI.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4444	saBSI.exe
4444	saBSI.exe
4444	saBSI.exe
4444	saBSI.exe
4444	saBSI.exe
4444	saBSI.exe
4444	saBSI.exe
4444	saBSI.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
4860	pivot_v5-2.exe
3480	pivotsetup.tmp
3480	pivotsetup.tmp
6136	ServiceHost.exe
6136	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe
6952	ServiceHost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

fltmc.exe

pid process

116 fltmc.exe

pid	process
116	fltmc.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

pivot_v5-2.exersStubActivator.exeRAVEndPointProtection-installer.exewevtutil.exefltmc.exewevtutil.exersWSC.exe

description	pid	process
Token: SeDebugPrivilege	4860	pivot_v5-2.exe
Token: SeShutdownPrivilege	4860	pivot_v5-2.exe
Token: SeCreatePagefilePrivilege	4860	pivot_v5-2.exe
Token: SeDebugPrivilege	3652	rsStubActivator.exe
Token: SeDebugPrivilege	5064	RAVEndPointProtection-installer.exe
Token: SeShutdownPrivilege	5064	RAVEndPointProtection-installer.exe
Token: SeCreatePagefilePrivilege	5064	RAVEndPointProtection-installer.exe
Token: SeDebugPrivilege	5064	RAVEndPointProtection-installer.exe
Token: SeSecurityPrivilege	5472	wevtutil.exe
Token: SeBackupPrivilege	5472	wevtutil.exe
Token: SeLoadDriverPrivilege	116	fltmc.exe
Token: SeSecurityPrivilege	6732	wevtutil.exe
Token: SeBackupPrivilege	6732	wevtutil.exe
Token: SeDebugPrivilege	4860	rsWSC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

pivotsetup.tmppivot.exe

pid	process
3480	pivotsetup.tmp
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe
5660	pivot.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pivot.exe

pid process

5660 pivot.exe
5660 pivot.exe

pid	process
5660	pivot.exe
5660	pivot.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

pivotsetup.exepivotsetup.tmprsStubActivator.exe2zq1k25a.exeRAVEndPointProtection-installer.exesaBSI.exeinstaller.exepivot_v5-2.exeinstaller.exeregsvr32.exeregsvr32.exeServiceHost.exerundll32.exerunonce.exe

description	pid	process	target process
PID 3824 wrote to memory of 3480	3824	pivotsetup.exe	pivotsetup.tmp
PID 3824 wrote to memory of 3480	3824	pivotsetup.exe	pivotsetup.tmp
PID 3824 wrote to memory of 3480	3824	pivotsetup.exe	pivotsetup.tmp
PID 3480 wrote to memory of 4380	3480	pivotsetup.tmp	regsvr32.exe
PID 3480 wrote to memory of 4380	3480	pivotsetup.tmp	regsvr32.exe
PID 3480 wrote to memory of 4380	3480	pivotsetup.tmp	regsvr32.exe
PID 3652 wrote to memory of 3596	3652	rsStubActivator.exe	2zq1k25a.exe
PID 3652 wrote to memory of 3596	3652	rsStubActivator.exe	2zq1k25a.exe
PID 3652 wrote to memory of 3596	3652	rsStubActivator.exe	2zq1k25a.exe
PID 3596 wrote to memory of 5064	3596	2zq1k25a.exe	RAVEndPointProtection-installer.exe
PID 3596 wrote to memory of 5064	3596	2zq1k25a.exe	RAVEndPointProtection-installer.exe
PID 5064 wrote to memory of 4572	5064	RAVEndPointProtection-installer.exe	rsSyncSvc.exe
PID 5064 wrote to memory of 4572	5064	RAVEndPointProtection-installer.exe	rsSyncSvc.exe
PID 4444 wrote to memory of 1972	4444	saBSI.exe	installer.exe
PID 4444 wrote to memory of 1972	4444	saBSI.exe	installer.exe
PID 1972 wrote to memory of 5500	1972	installer.exe	installer.exe
PID 1972 wrote to memory of 5500	1972	installer.exe	installer.exe
PID 4860 wrote to memory of 5660	4860	pivot_v5-2.exe	pivot.exe
PID 4860 wrote to memory of 5660	4860	pivot_v5-2.exe	pivot.exe
PID 4860 wrote to memory of 5660	4860	pivot_v5-2.exe	pivot.exe
PID 5500 wrote to memory of 5876	5500	installer.exe	regsvr32.exe
PID 5500 wrote to memory of 5876	5500	installer.exe	regsvr32.exe
PID 5876 wrote to memory of 2580	5876	regsvr32.exe	regsvr32.exe
PID 5876 wrote to memory of 2580	5876	regsvr32.exe	regsvr32.exe
PID 5876 wrote to memory of 2580	5876	regsvr32.exe	regsvr32.exe
PID 5500 wrote to memory of 5544	5500	installer.exe	regsvr32.exe
PID 5500 wrote to memory of 5544	5500	installer.exe	regsvr32.exe
PID 5500 wrote to memory of 2560	5500	installer.exe	regsvr32.exe
PID 5500 wrote to memory of 2560	5500	installer.exe	regsvr32.exe
PID 2560 wrote to memory of 6112	2560	regsvr32.exe	regsvr32.exe
PID 2560 wrote to memory of 6112	2560	regsvr32.exe	regsvr32.exe
PID 2560 wrote to memory of 6112	2560	regsvr32.exe	regsvr32.exe
PID 5500 wrote to memory of 5304	5500	installer.exe	regsvr32.exe
PID 5500 wrote to memory of 5304	5500	installer.exe	regsvr32.exe
PID 6952 wrote to memory of 5240	6952	ServiceHost.exe	UIHost.exe
PID 6952 wrote to memory of 5240	6952	ServiceHost.exe	UIHost.exe
PID 5064 wrote to memory of 6528	5064	RAVEndPointProtection-installer.exe	rundll32.exe
PID 5064 wrote to memory of 6528	5064	RAVEndPointProtection-installer.exe	rundll32.exe
PID 6528 wrote to memory of 5760	6528	rundll32.exe	runonce.exe
PID 6528 wrote to memory of 5760	6528	rundll32.exe	runonce.exe
PID 5760 wrote to memory of 5968	5760	runonce.exe	grpconv.exe
PID 5760 wrote to memory of 5968	5760	runonce.exe	grpconv.exe
PID 5064 wrote to memory of 5472	5064	RAVEndPointProtection-installer.exe	wevtutil.exe
PID 5064 wrote to memory of 5472	5064	RAVEndPointProtection-installer.exe	wevtutil.exe
PID 5064 wrote to memory of 116	5064	RAVEndPointProtection-installer.exe	fltmc.exe
PID 5064 wrote to memory of 116	5064	RAVEndPointProtection-installer.exe	fltmc.exe
PID 5064 wrote to memory of 6732	5064	RAVEndPointProtection-installer.exe	wevtutil.exe
PID 5064 wrote to memory of 6732	5064	RAVEndPointProtection-installer.exe	wevtutil.exe
PID 5064 wrote to memory of 4860	5064	RAVEndPointProtection-installer.exe	rsWSC.exe
PID 5064 wrote to memory of 4860	5064	RAVEndPointProtection-installer.exe	rsWSC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\pivot_v5-2.exe
"C:\Users\Admin\AppData\Local\Temp\pivot_v5-2.exe"
1⤵
- Checks computer location settings
- Checks for any installed AV software in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Program Files (x86)\Pivot Animator v5\pivot.exe
"C:\Program Files (x86)\Pivot Animator v5\pivot.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5660

C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\rsStubActivator.exe" -ip:"dui=d72d64f0a708d1858eaca49e09f4a1afa37d9ba8&dit=20240420160569346&is_silent=true&oc=DOT_RAV_Cross_Tri&p=6f32&a=100&b=&se=true" -vp:"dui=d72d64f0a708d1858eaca49e09f4a1afa37d9ba8&dit=20240420160569346&p=6f32&a=100&oip=26&ptl=7&dta=true" -dp:"dui=d72d64f0a708d1858eaca49e09f4a1afa37d9ba8&dit=20240420160569346&p=6f32&a=100" -i -v -d
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Users\Admin\AppData\Local\Temp\2zq1k25a.exe
"C:\Users\Admin\AppData\Local\Temp\2zq1k25a.exe" /silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\2zq1k25a.exe" /silent
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
4⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:6528

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5760

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:5968

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5472

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
4⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:6732

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\installer.exe
"C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1972

C:\Program Files\McAfee\Temp2182784543\installer.exe
"C:\Program Files\McAfee\Temp2182784543\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5500

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
4⤵
- Suspicious use of WriteProcessMemory
PID:5876

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
5⤵
- Loads dropped DLL
- Modifies registry class
PID:2580

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5544

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
4⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
5⤵
- Loads dropped DLL
- Modifies registry class
PID:6112

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5304

C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\pivotsetup.exe
"C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\pivotsetup.exe" /VERYSILENT
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824

C:\Users\Admin\AppData\Local\Temp\is-TRMJ0.tmp\pivotsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TRMJ0.tmp\pivotsetup.tmp" /SL5="$70214,18433013,58368,C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\pivotsetup.exe" /VERYSILENT
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Pivot Animator v5\STKPreview.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:4380

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:876

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6136

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6952

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5240

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:6580

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Software Discovery

T1518

Security Software Discovery

T1518.001

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Pivot Animator v5\Animations\Legacy\cursor.piv
Filesize
7KB

MD5
2e923d0f7f805c9acb390a85a782d49c

SHA1
fb98065c9dc3baa5c3729f9540806075c8bf17fe

SHA256
5eaf90001d8e3b867473137e904af9baf29a0cb6dba41caa9242a368c28d0c83

SHA512
acba39c54635e2bbf8863da415a52290df64932a2529c0852d28f121cec033c290cce4dc7d007a5a65b8fede938b42a792e6a0c74fe9c7e952517af606014dca

Download Submit
C:\Program Files (x86)\Pivot Animator v5\Animations\Legacy\dominos.piv
Filesize
4KB

MD5
08557c8776d979a1143cc674a5fafb32

SHA1
bac5104bd62594892404b61b5bd0e96f6c7f153e

SHA256
d8e45cdcd53ec9ad56fba89575c66701b01e009c4d371db092deecb1604a087f

SHA512
5b0cc057cecee04beb080fa44eea6657dff3e7b43a5032035ebe1554ef6f166aae6ef8ea189b829855eb2db7503e6195a9f6965f9c65b5cc9c4a0d1c25357a41

Download Submit
C:\Program Files (x86)\Pivot Animator v5\Animations\Legacy\horse_revenge.piv
Filesize
7KB

MD5
834bb56ece2ec9942d38013d3bb60a18

SHA1
2025dea0b5bd24703ab641feabc716add70bd66c

SHA256
703046dd6742dc3e04113ef1c2beb8547c0f42501549372b8a17f954ace2b5a5

SHA512
c28f92c969e90247c733d80f7f676b8c63b6cf89ae9dd12d412e550bae2b2cd15e8fdd36d3d2321bfdbb65abc03c5168a8344cbd68dfa2a57d0fb3a16ad620f0

Download Submit
C:\Program Files (x86)\Pivot Animator v5\Animations\archer.piv
Filesize
17KB

MD5
55ee1cc860856d8edfb175139fbc0cd6

SHA1
9ef9d5f35446b2a081f6f91002dfe09301f6d4cf

SHA256
1f7255a15e09dadb3a35e9a07b60dc48c681605de35a7473a5fef5bfc75bdd35

SHA512
2324d95472a231df3a9a75a72524c9c90412878ee2b7b06fe47bfa09382d38a4fc418911651f21b3c79486fa29af0f113f8ad4321e24940c961534eb7b24375a

Download Submit
C:\Program Files (x86)\Pivot Animator v5\Animations\deformation_demo.piv
Filesize
1KB

MD5
b810f7a219611f4ce7c078005683474b

SHA1
ea63273b1fafdc3a57c15c0070f7e1eadbfe3f4c

SHA256
2ed6a7c53c65ec762d9d9b0ebadf64e02e22b5c5a0f507627d062db661a00b68

SHA512
7eff076b226970d4c98c1b448b7a78fccb7600a2ad524f2aeb485f5d5242b910f357f1ce40e423bc1f09e52557ba738e2b6356df5eece22afb61fa2dcda4fda4

Download Submit
C:\Program Files (x86)\Pivot Animator v5\Animations\gear wheels.piv
Filesize
19KB

MD5
0db372ae4af1f4df6a104dc98d9acf0a

SHA1
1961172d58f6849ef5378fee930c0387a9af2eb6

SHA256
5ab8f2911c6c7610729134a1543926b8c4c4964c080da9fdc3ad35a27626cf99

SHA512
3941326649de80060a975d37648e234b7a2b14aa2bd265364f4f2ced79d42bde601702b6195ec96bb41f033bf9e75c489f8365c74c870244731d241cc261e435

Download Submit
C:\Program Files (x86)\Pivot Animator v5\STKPreview.dll
Filesize
2.5MB

MD5
2c639820b502df57891e7c4ee805f4b7

SHA1
d90ecab78c86152c31f6963096107fbb115f7bae

SHA256
dcdaf630b7a42bb9d6b1693e159175d68569f20f3ab034af4124d3c775436458

SHA512
afd96af844d30256e9fe1983e82317ace56d6741bf3f2647fee6ef6870b610a4b71560aca95a62ed5b54a2e1ab0ef1487a536124328f4ac327a0b86b1c1900a4

Download Submit
C:\Program Files (x86)\Pivot Animator v5\pivot.exe
Filesize
13.1MB

MD5
ab3c884e603de1d2d9d4bb9edeac8762

SHA1
123e87c326a39d641571c5f5d54e9b1f42926cc3

SHA256
af38da271a7fb34617b094b3832af8f016168d0923dabbfb297633fb22e49036

SHA512
ecf3474372d1af6f4e93fe655b188b03744f07166fe2ae3947650fec8afabd2bb721270d8e3ef97d52cd4071e6a94ca1c1f5ecf304ed0711bb932bfce133982f

Download Submit
C:\Program Files\McAfee\Temp2182784543\analyticsmanager.cab
Filesize
2.0MB

MD5
b86746aabbaf37831a38b6eae5e3e256

SHA1
5c81a896b9a7e59cdff3d7e10de5ace243132e56

SHA256
70e35195fece6ebf6e97b76c460d67449c4785a1bd21f205908f995aa8c11a5e

SHA512
68e2f2359e6306a5ff3af0c348c2d452afa7a8766e10b2d36358eb30e70ed17f4b45b479b8be5585a91febbdda67cd2b96c225728ad32e9a54bad358269711e8

Download Submit
C:\Program Files\McAfee\Temp2182784543\analyticstelemetry.cab
Filesize
57KB

MD5
fc2f204b92db0e8daec09ae45cedbc96

SHA1
5d16a19f70224e97cfc383143ddbf5f6b5565f19

SHA256
22f38866a64fcc685be87a949f17d0bc85d20c9d5f6aec1ad469d59f099383c6

SHA512
32fd7845c34ff4df8b7ec5d041c4de1a577cb686d7b6b9bfe10897edd1b5dab503ff1fd5b6e729f0a081fff41d5b273cbd188dd7952c27366cf3f5c3b3fd3637

Download Submit
C:\Program Files\McAfee\Temp2182784543\browserhost.cab
Filesize
1.2MB

MD5
047cd507df3d47ad5b4580f92cca8462

SHA1
a3cba758d2c3a435d8b4841ed7874d3dae98affa

SHA256
d1ca37407ee6c256a2d174da8139dae1b5f3b681540763e4208073646dc3f85a

SHA512
beee3e3b0606c8620370033da292f8d177fc4c8556dc7c952bc9a56a1ad446e36cb425c2f849741a24f3ebce6b814e213ab051e31283f16854069b7b83289c74

Download Submit
C:\Program Files\McAfee\Temp2182784543\browserplugin.cab
Filesize
4.9MB

MD5
f2e0ad0cf39154cf59faef9c055fceda

SHA1
31558e4be53bbd90c955b60bab3b4bb7c29c3442

SHA256
5c98127edc5094fba4ab2c640dabadac9365ccf127446ac28db1de31553fbf67

SHA512
c4054146296f69cea8b628c63941b70713e479e75ae21e982113d7a5ed561099070cf3f8e01ffe307e0d6b5e975a111515282e1532204e98fe1d85c2815056b7

Download Submit
C:\Program Files\McAfee\Temp2182784543\downloadscan.cab
Filesize
2.1MB

MD5
3f53a18999723022ce0163cf0b79bddf

SHA1
9722ac18848575fe7922661c6b967163647b004f

SHA256
c03a9c8f4c8840d3d6620bce28007e0f9b738418d690247f2116f3f28ff9249f

SHA512
faeba2e5cead1388a348d20f671f136faaa17f1b5677dd8aedfbbba01b99f4c15020888520e15f88e946bc0b3aec8d14f24729ee37ed440a0e87151b72a2e6a0

Download Submit
C:\Program Files\McAfee\Temp2182784543\eventmanager.cab
Filesize
1.4MB

MD5
98f1341ed360f6d676a110fab895669a

SHA1
7695c908aec695a7f17fbe0a7474aa6f8250c960

SHA256
b6ba85209c76fc850130c6bde2fb58ea4bf92a54c68670e5e4445a7fe0337cfa

SHA512
8d46ce3f7972ecee7003d5dde16b614656197949a2c6a170398c9a0f246d2ba6ffd0c75caf115a697ded4618ac09defe36c6c157245abe8288483e6a808faf24

Download Submit
C:\Program Files\McAfee\Temp2182784543\installer.exe
Filesize
2.5MB

MD5
4034e2003874264c50436da1b0437783

SHA1
e91861f167d61b3a72784e685a78a664522288c2

SHA256
471d799e2b2292dbdbc9aed0be57c51d8bb89725a944b965aeb03892493e8769

SHA512
f0923f9c6f111583358c4c4670c3e017da2182853f489d36e49efbb4ad0eed23bc420cecf9584a1df4cff30d1428cb745c6143eacd1ee4acb8cac7385bd3b080

Download Submit
C:\Program Files\McAfee\Temp2182784543\l10n.cab
Filesize
274KB

MD5
d2d49a3e1e9a75f4908d8bafeec64a8a

SHA1
7b73095c122d816f07d7372920025ee07a34452f

SHA256
ae57687e54b8f26ac9a233cb382a96a2f11b6ea3722feceab3fe6ef73e1a9cc7

SHA512
6bb7d5db7ae08d1bad860a2467da10d92794f73594ee20e044747f4129f4b2f89dcca1cd52662d5ad88c7279798b457585605c03dc7b9f1817fedf072dec5e8b

Download Submit
C:\Program Files\McAfee\Temp2182784543\logicmodule.cab
Filesize
1.4MB

MD5
d06127ffbd53a53c8c5a6dba9ef57a30

SHA1
4b0c999368e3c41cc4e5e15e2dec24528184955a

SHA256
96aaecb6da2013028e00b93895c3a7d9ee26f8e03e32bf4506d32218b02d8f0b

SHA512
dc5ccf8bee79c79eca3b8a106ac805e1254b613fc3449f417dd8bc18f76e96a9aa6d9d43680546dd85486fa802c54d10bea45ba4ac401ef41c19529e13a4b815

Download Submit
C:\Program Files\McAfee\Temp2182784543\logicscripts.cab
Filesize
57KB

MD5
f2158db4bebd54b26773c843729007a7

SHA1
94e4f3e571f9d65a9a273147752a6767477284bd

SHA256
2e8f526789472335dd0c9d847965c104153260aab2f42d4848648babd02a2b30

SHA512
7de44a11aa0cf50b497b189aa5ee30b0a204d6f47f1d584a8d265b227d64bb3c3f66bdd47f5ef60395ece010dbbb9b0d7af56bd27ff7c8b6b3a64f0758e4cd09

Download Submit
C:\Program Files\McAfee\Temp2182784543\lookupmanager.cab
Filesize
972KB

MD5
4701a16772d584dddf8d3fdf2a86ce68

SHA1
38537b682c25af63435b1a1166c3f484a2ee003b

SHA256
1c11af7968f51eece1682d1106630d5d87bb363b24088e976710518108e9ff3a

SHA512
c8c25202b86486eac7b24ac91860ee14153fd35c9bfd73ff4aab114d8bd95213a935276463081f70a5b8f5fadf100ea072f09486d4b07e7d4dc2b904c46fa064

Download Submit
C:\Program Files\McAfee\Temp2182784543\mfw-mwb.cab
Filesize
30KB

MD5
de22a82e15c63e0dd5d76f3784baf2e5

SHA1
6388f8ced47ff3f0fde51523e489c7c7d685367c

SHA256
127b786e92568718d16aac814f0472356e5a49ff44d6803cd79f8ac0bd91154e

SHA512
69227b9b6a77c4182756496faea49b7ca01865277896e77a58841f60ddbf716c3880ad797b2947a8e92fc8f0bf57e95da0cddba8065b322ab95b0081676ea184

Download Submit
C:\Program Files\McAfee\Temp2182784543\mfw-nps.cab
Filesize
33KB

MD5
d9ca680b1fcd3930a7e88164d29835ad

SHA1
46e5f1906e3535936326529c81bad3ca77eba700

SHA256
b32933bd6e5b2f0d2928e92546195120375bbc8da68533e577adf6c54ea4ec0a

SHA512
45614f889ec7b1c30f5186bf61d4d82705f9175604cd82972a29b612f6fa4eb230179506adfc14bcfd5097890c9ebb37db54a96f80e781e742fe35e8c68b17eb

Download Submit
C:\Program Files\McAfee\Temp2182784543\mfw-webadvisor.cab
Filesize
901KB

MD5
e0f5c3d03681587bc927a049a22dfeb6

SHA1
2bdc1c92cbe1576d356daacf409413fff410e827

SHA256
325e7d15f8b9e3988904fe796d7d6bfb714be50f64d1a760b9e11cf71fe9ee15

SHA512
43a914bc424c9e4b5e08b3f016525e9685b9231e7de135b40d1b6806363dc8891f497fce3116d491947487c03dc8bf07c30be0fc2afec20e774aa22d83a1ffbe

Download Submit
C:\Program Files\McAfee\Temp2182784543\mfw.cab
Filesize
310KB

MD5
4b0034ee6db1f4a2a76524f1cc7cc9f4

SHA1
44bc148e2dd5221e1b781bdb56a625588fce9f64

SHA256
36671f49627d8cf811064c59cbf37e43e409b6d8631898614470037edb53c431

SHA512
a90abd80a517bfde5cb365904ee85baf0f3f32558701e4548f2aeb44783f088bd3b969de2068a6b618bdaf501f5f38ec9440f31144d96dcb1b766d19a0579738

Download Submit
C:\Program Files\McAfee\Temp2182784543\resourcedll.cab
Filesize
50KB

MD5
332e2fb2256710f1847bbc4c42cc16c9

SHA1
22f9b2715821a12824e7b1d29344323c212a1527

SHA256
a05f3231e81d726f99fe7ca68810e73ea47ce84fcd7fa42c1a7f2742c1ff3f86

SHA512
c4901db8021c3911e5caca3dc75c8533c61dc1091303473992671c763f12406749551daccfc67931991dbb72d6c279f84cce0ea564157dc01c2159d6527a15c1

Download Submit
C:\Program Files\McAfee\Temp2182784543\servicehost.cab
Filesize
304KB

MD5
c876006d16cfdbb9abe9d2dbe51f923f

SHA1
277df779d8d282bc213eb787cf2c66c45446a528

SHA256
2b7af7a1af3b4d205ac5a83fe191dc143e4279bfaa08ce4d540ee25835e1f820

SHA512
d04042412a0455169eb505d9fecdcf18950c16dbea629a9c8637ef53d4806b11f6d219daede59bc687e1ae58b4376b5bdcbcf2fb529410eae75eae12516ec328

Download Submit
C:\Program Files\McAfee\Temp2182784543\settingmanager.cab
Filesize
759KB

MD5
e370a3a3c4c1d7981aed6c2ae814a5da

SHA1
844d66ffd67753aa2899b3f37c3ac82d35541715

SHA256
be149a650eae3a9fd6e023f04b220ea112262bdcca94198aaa77cfe9c2a145f3

SHA512
6fe49258810cfbc42a2bb77e77aab439f9ec1f4133c174379453bf80e14c40c63c45b9ea2d1e64596361e89dcabb9931dd6a2aa4ca883a4bb02c1263451e4f84

Download Submit
C:\Program Files\McAfee\Temp2182784543\taskmanager.cab
Filesize
1.2MB

MD5
683cdaf78b714119a46f6956b01b8790

SHA1
f4c2b54addff08403d57d5371a71ae51adced69c

SHA256
ce40ba45ddad3eaed3152f4a2ca857b057cb46070883d415736a11c121bbe514

SHA512
ea3807ad3c7d65d021d805e80128c6f2a5c23593f05970a3bc1bb03d0e9270bd5bbe0e693533b215c241b7e2a2d61f6b8997d684365ae14ef61f9e8210da39fa

Download Submit
C:\Program Files\McAfee\Temp2182784543\telemetry.cab
Filesize
88KB

MD5
a3e148e515f1e4bc5f7d5c333777a906

SHA1
07b32139c195efe473b0f4e31ea9b67bc17a22c5

SHA256
c0a66dd61574c1729fe80b1dd03555be4eeaf371b4a3b7cc8b6b12068d0db60c

SHA512
00700c422b432444a508ea473db102be2aaf6324a8a57457b6205cd218f6e9b9f9f87f30d32c578ce52d15bdabbd6386dfd74cf605b771bf87aa2c6ce541a330

Download Submit
C:\Program Files\McAfee\Temp2182784543\uihost.cab
Filesize
299KB

MD5
c1210174cef04ee040f75d715e39e389

SHA1
73756f3d81ac71d1135986d1ce71d1792b65e8bd

SHA256
e71b6af542475224a316bd6ecc9b6b7c2f250bb63b95c1f655fdd1b0d2e81bc8

SHA512
cc06678211b18e1e95a1b11c3f5cfc64da55dd11507814181b406fd4e7e65a3505b0ec4d07331aa1c7b8a6682165267f67633bdb9ff9d235660de23ac29a9d4c

Download Submit
C:\Program Files\McAfee\Temp2182784543\uimanager.cab
Filesize
1.6MB

MD5
ad4bbf75866c3a8157b1ce867cb1b336

SHA1
ea2f390bd2beebc47ccea52d691d96f17ae148dc

SHA256
85170669325888a07167c0017df4b2e1b72b4a90bb60714fc9f9a3dc517e4008

SHA512
f146f5f649c0950465798c3822a1dd35c79780b10acfdf15678a57322d3ff4993993bd88a16e8f96c109aa67361717919e5a8a6d399aed800a0c6e77fd274b00

Download Submit
C:\Program Files\McAfee\Temp2182784543\uninstaller.cab
Filesize
904KB

MD5
94efa76e5d44432624c9c2dd55dcdc43

SHA1
c30419e489724c1900fe6ca0564a7756b6266637

SHA256
f859700fd030c2a69a5cdb9f7c0d884248ce5c3cb37d84c9230d9b025ac5a29f

SHA512
6284d8449cbc5d29190290521e314b45f7965f816556d00c31076f1b61bfb01f74ee9bae06a6b04263ba5d2300901affd1a4965c09dfdc0355646e8e92949e2e

Download Submit
C:\Program Files\McAfee\Temp2182784543\updater.cab
Filesize
860KB

MD5
36a9937b4970ed88446aa09a204fb3de

SHA1
7a22d931f7c7313e046fc35f6ed9e8c861af241b

SHA256
e58cdfba1ec4940ce12a0791336e3f312c1e4e8b5916e528e3ead3a6c48db020

SHA512
107d64e3d5b24cf2b0ba52a389738a2566bdffb4633c1fe6aed2f90e0a50bdfec4493cd0b610bb0466e54acdb1eb40d02a73ff70db9df360c8297216c341f1d1

Download Submit
C:\Program Files\McAfee\Temp2182784543\wataskmanager.cab
Filesize
2.7MB

MD5
218696f93137dbe2dffbd3b478ce6f9c

SHA1
78a044f3a0800199caefb05c1ec2184c76475075

SHA256
f376195738911c09feda9b68e417d4523bc348990a31e3773458fc4f55ecbaf6

SHA512
c6328d23182b93a409b53af350a9c0356976b0119f9ad3fe2bacf4e2d167d8ab63f53cc240dd91f97da99259751447224d8c1e1884df68579d2fb79306b7417b

Download Submit
C:\Program Files\McAfee\Temp2182784543\webadvisor.cab
Filesize
22KB

MD5
a265b83be07a6a1aa8e400c6f4e00958

SHA1
1d81e5d7f8f01b426989abfcc62e01b56566dcc6

SHA256
25c2cd074f1891dc48da90fcaf6fa3940e55afcc641c0f586054de91fb158b19

SHA512
2624d46ce089e356589d139f4d9435ffba3895d8668a4b22bb4a4d8e41c4957e75c39d75972d31895930293a74696aaaafd3710f3935e7f90d1a39389c5c186d

Download Submit
C:\Program Files\McAfee\Temp2182784543\wssdep.cab
Filesize
587KB

MD5
9fe49495f568043598e473a2efbac339

SHA1
d872dbbefc5974a218c4246d49f29eb2e7da419c

SHA256
e1b6cbed8e517704b6451fc70bd3233443ee3a84c4e0e73f39bdf846cbc660ae

SHA512
28e09444ae4ab7b641419f4e483d16842759814be95b3e18806edacba92ee8363e349909cf4afe01ded535e96b38868cdc03761c38db2b2c4b6485c67adc47ef

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
Filesize
73KB

MD5
6f97cb1b2d3fcf88513e2c349232216a

SHA1
846110d3bf8b8d7a720f646435909ef80bbcaa0c

SHA256
6a031052be1737bc2767c3ea65430d8d7ffd1c9115e174d7dfb64ad510011272

SHA512
2919176296b953c9ef232006783068d255109257653ac5ccd64a3452159108890a1e8e7d6c030990982816166517f878f6032946a5558f8ae3510bc044809b07

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
Filesize
310KB

MD5
c3b43e56db33516751b66ee531a162c9

SHA1
6b8a1680e9485060377750f79bc681e17a3cb72a

SHA256
040b2e0dea718124b36d76e1d8f591ff0dbca22f7fb11f52a2e6424218f4ecad

SHA512
4724f2f30e997f91893aabfa8bf1b5938c329927080e4cc72b81b4bb6db06fe35dae60d428d57355f03c46dd29f15db46ad2b1036247c0dcde688183ef11313a

Download Submit
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll
Filesize
1.1MB

MD5
6d27fe0704da042cdf69efa4fb7e4ec4

SHA1
48f44cf5fe655d7ef2eafbd43e8d52828f751f05

SHA256
0f74ef17c3170d6c48f442d8c81923185f3d54cb04158a4da78495c2ec31863e

SHA512
2c3587acab4461568ac746b4cdf36283d4cb2abe09fc7c085615384e92f813c28cf4fcb4f39ec67860eac9c0e4a5f15021aee712d21a682f8df654968ed40ea3

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
Filesize
327KB

MD5
9d3d8cd27b28bf9f8b592e066b9a0a06

SHA1
9565df4bf2306900599ea291d9e938892fe2c43a

SHA256
97fe82b6ce5bc3ad96c8c5e242c86396accdf0f78ffc155ebc05f950597cdbd6

SHA512
acefc1552d16be14def7043b21ec026133aabd56f90800e131733c5b0c78316a4d9dc37d6b3093e537ce1974219154e8bd32204127a4ab4d4cd5f3041c6a8729

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config
Filesize
5KB

MD5
be90740a7ccd5651c445cfb4bd162cf9

SHA1
218be6423b6b5b1fbce9f93d02461c7ed2b33987

SHA256
44fa685d7b4868f94c9c51465158ea029cd1a4ceb5bfa918aa7dec2c528016e4

SHA512
a26869c152ed8df57b72f8261d33b909fb4d87d93dc0061bf010b69bad7b8c90c2f40a1338806c03d669b011c0cb5bbfcd429b7cd993df7d3229002becb658ad

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
418B

MD5
a96ecb560e2562b30de58c2d82e80185

SHA1
a37e59f97005900b0d40f4fbffeecb4acf213f0e

SHA256
49fa7e034b06612a7cdd86626dfb98eee888fdaac36a3710169a3d9376700710

SHA512
9d534bc29dbb1ec62db8a74ad907945ce74b0e0a9648f88f8ccb48c54e31b4137bd042061e0c0aa990b1c4744e58d1d4eb7f142c30168d4b40d29a1ef80d0867

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Filesize
2.2MB

MD5
defbb0a0d6b7718a9b0eaf5e7894a4b0

SHA1
0495a5eccd8690fac8810178117bf86ea366c8c3

SHA256
c3d2f7e0ad6fd26578595fb3f7c2b202ab6fba595d32dfa5c764922145db0788

SHA512
55dab7ae748a668a2bb57deb6fbff07e6056d97b6f88850890610ac135b8839d3c61f4dc505d3f32cc09a3ff2ce80ce663d0c830f9f399367dc03c92ea7ca89a

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
Filesize
2KB

MD5
5f60839412cba8433cdf957ca97b5609

SHA1
e51ff1a7cef9c85d6a90942797ae404875025a15

SHA256
2c475dce1a40ffbf1d7404e2c99692fe2d3c6c5868a0b898ff5d773acc79b6d7

SHA512
49de8723ffb5d3df6a6063315f64e31a294650a4888f2a12d3b11bd844c2a4b59592c5dd5c1ee5ea4de66a00541b04e11806508ce0578b49838fcaa366c92d00

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
Filesize
6KB

MD5
b7f126d1e43ff05c0c0217e1d2d02e8c

SHA1
8775b23632ba861b3e176310c7eba16084a17ab1

SHA256
f12ddbdf49ea721b98a1123ecb93cdf13f777c7fde24cf179f3b412ff7ad0f7d

SHA512
c91ed17697a54b3982ecc78471f8e38eaa59d0c6b3747e3d3d8bdf659436767fcfe826b2c80d112a05380f8f8ddf604d2e4ab241f89675fad4dfb7c95a9082c5

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
b18fbefc54145aa3918aedf63c694c2e

SHA1
7bb0941a25b828a69d4317d79a176c63f7d72e75

SHA256
96766da5dcb7e4b00e5794ce2e665a5983363b4734c9a4bb9b1bd60c895ac35f

SHA512
247ae61a3ccc37c5210f0e1270a61666bbd805a08d4de88c856adb64b4041ceac0ea669e41ac8fd23e21864bb5fe00544d3900d9b813a781f31bc687f3600a42

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
86c2f12bf8ff32b55fc3ef45dedefefe

SHA1
fea8b62b8d04f3d1ea7775108b4eb15bd564b8f3

SHA256
28bbcd62a1e04c9c8132e8731408736bf0c29ed33cc8ca6a0f1c40cc71c25605

SHA512
656ee1b82ccd7e7f16616f951282c3910f341f8f1d3794b98191e7e5384306017ca93f37a0aecd7a66239aace4a46ae174e871ae55bb79e2ad6b74caf184aecb

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
467ccc4541c26bfd8ba546f3fd32df27

SHA1
54a2e451062cdc643f2c2ae726a7842fce1526b9

SHA256
b4cf5e825925e7e28ace9a8ecb5d1e1814ef8883135943bd5e22b572c13e0311

SHA512
ba28fd633697b1b70c711826e9d4fd6af789346243c08cc07ee90d845e0a51a689cfb763a6ffbd0b812c6b1b87c6dbcaca0e411f1d00218a63f4604873acf4bb

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
3f3551a30083ca850c41d173f238a4d0

SHA1
34b2f66330be7542e17e94e226f28c1771990720

SHA256
e782196a4066a4529d11f4074f1d42454ac0fb72f881780abd48c033d213367d

SHA512
3a6bfaa1b5960538bdaaf3d49007e1ceac8dbe4e58cd54a3ece94ca4e1fa245cd1f19c6efdf2ef9b7575af50bf4ec81c663c4c11cc2e113a3bacb61f706c118e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
704bc6a20cac194e9208ad5562df8095

SHA1
e08687150bdc7afa613ab6b342d32fee7cca5676

SHA256
15a2f231119abdc30003cb1c157851fd90b257e1c0466960957de599716db609

SHA512
87fd54fe4d130f3957d5f05370f1a8aef5d7b22a2ca018fcd58ec8489ca5601b17786c5f8758730ae8ef709171bcb596d621618e70fa341cd27a1d56fd272c8e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
4f421e7fae9da396a4fa96ede044edb5

SHA1
40d510875063f170b06a3ffae2aeab615d65c463

SHA256
b3aca47b99a7b3a40ba5572d669d5bb4bc2c1277d2d2ec3a6c4fac0bce5a89ab

SHA512
219eba48730564d9f4b311a1d0b928424c3f501937a9827b977e88457f4d2a0a661287f21fb838156e8e928a7a5fd75317fbd3e288792f75a7b589112b87f8e0

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
65c19320c54219337d15b61abb397602

SHA1
e47ca0be0ee4cee01dd977ca96f30d5604002944

SHA256
0f01325bc830c961a75bca0216d8ea41659e054363329dc13613e802db32cf2c

SHA512
7431a180d93fd469ab65e033e326ef3b034857999ec7cbc918fb8a707566b0c63972abaa3d1813626bc6102ece6ed2bd0c4361539d47b8be30aa0fd90f8111e5

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
b190cd0b76650be64914315f810ed82a

SHA1
43daac8604e7a69429fcceb4ae52852246a0707d

SHA256
aa034370a503467b2239c330e469a1fb5113afbf202db9840868deb94a83dcaa

SHA512
2066e9d42ae5de4f4d625a01c13f4770bd0a0fd69d14a5a95084f758aa87fc2e924a23b3a443c6dce77a98728ec33e54eaf4cfba791137a0eed31666255e5a3f

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
782aec7f856cea43af7f9f9b7dded4da

SHA1
34d0514db8df2f19fbf6c0106771e2545e902367

SHA256
6ddfca4d048a8c2c5462d949c8e689b13048c89d56af079341f3238c202f5f24

SHA512
513d9e984bb909d2fb6d251525f6a287e2d4ae35d5327b56c0d50ae78a5578d576fc61dd1f3f6b6d0361a468d3f6686963019db9c9d6b74b015265fd05b71c83

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
672B

MD5
62959812bd5a943703d0cb53c11b915c

SHA1
4a0c470dcc2c42c120ea6c0223252b61a283a019

SHA256
805326e214876dad3c7c9d2b476a5707e2aa525f38134658651d5b7b863e7ac2

SHA512
f5705a92bee829469cb1f10ebcc0976e7fe5bf1d73adb82b173e31c369401acdcde941ab82776a9a2473615f138eab8765df9dff25d54676d7ab4959b76b0b5a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
5a1567ac02f64907123ec936937d94e2

SHA1
62abd6e1f4a0465a8b0a305713b2306e66d8f75b

SHA256
0705916da91099cae98e29b0b69345b09ab416a17dcebb836d0f701c2642285b

SHA512
b36525572a53f7ce3b382356de10a5ca3e327dd1d7108359cd2c4544afa7b8bf5bc3b6e78dcaf76ee11f6049a19ee89c759636eb137eebbc9f55b01f3d054082

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
d35b53b57f71d9d5196c7a914c00ef0e

SHA1
9b346d96c209c23c95fdcdc96734a7f6d5045cc5

SHA256
2426f1b80b69c806918c6b2704e39b7dc07af044ed867f104c89d246c5f23c4f

SHA512
19357921d8f49845de515088ba61154bc4c2968809caf4f4a261307704e6843d17bdf5d4ccdf2d2ea39581c12633d285777c28efb2492024128f937498c3d009

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
260c36b2dd47cb17844a3bbe10398ecb

SHA1
a38c6f89c93df6d09ff1d919b3d9558e5cdac37e

SHA256
a9beccf96c03a8bc486aa690d7b27b16bf6693801e4d28c05270af1719977e65

SHA512
ed6b7f4b55a9dbcb76078dc0fafd48bd5af32bf72c12c313bdee59b0599c5d847ce9e7b115d4767ca1da59f72f345c3bd36bc4e77a0585d0f441fdcfba8b2bde

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
c49c17ef5cb62ad7fa5bd49ddf500bde

SHA1
d71b1d358898360f87006ce13e2f493d71d0d527

SHA256
fbddd30c8fea9264e06c4079eef3e6eba303d9eac5fcef1faba4a6cb2579039d

SHA512
db1cd636f26069cef93c87a2088d85e27ab06f0f11a34a241a2ef627b311c59717d46e703e950c7ebb8da373dea32ccf6be0b0170ec9aad1bfb8637b237c67ec

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
fa1a84f1372087330cd1c3cd33aafc80

SHA1
038199fb08e46e5a1beb9b5c62e85bf9c662c9f5

SHA256
5984877716205b5f63036c1ad34f6a067f067e6daf27d6465c00aac789df0574

SHA512
7f8b9bd37f854a2b2f65fd31391f0a5a22dfb89d73c04cb69c129088c730b4a2801c5773fcf100bb61171d9ec81741252ae31baee7dd4b412308500e9ea3132c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
7edc5aa4732e847c41259da8e0b621e5

SHA1
8599b804a6978935d3c72c2879e0c0530f95e990

SHA256
9dc5391e21dd3436888f00a093114801fded79cb2c42a638543d2ecb8296a1fc

SHA512
a8c0bef9bdb0d92ad585ddb56e7af84c956af66e61d42c16694a8e0dbd66f7dccb3783c4ab2240188df27a39ec909bf584260dfd939d6d244af5796e44c90d6f

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
4d76e3ae7f133999fa9ee8a8f67115da

SHA1
2be4398b6b50e3a74f6b31a0e9c4424253c0cd89

SHA256
bdd56a013c4acbf582c0405826ed614041b2c2ebf8839fa3e2603a27175c6964

SHA512
a41e53176c481a94111e55e0da1eaf4af889ab0d3ba0015d98746236e088a19690be6119811a8a8947dc2d9080ff1e649d7563570d79619cee507f69012d96bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zq1k25a.exe
Filesize
1.9MB

MD5
434123c0afc644e95b0e32d499170efa

SHA1
a1849a7a5cbe3af28cd201a284439364a8b021bf

SHA256
910d09525bb0a331f1c7e94243b69113334e1225ce3203e0d74b3032dc473b36

SHA512
95ede7ec5bc19ed42b6e1e9bf0031ebbd8243e281c238899417e91878200fa436c349cb929b0cc129fcf0f9765badb5d6c72672163bc7cdcd886e5f879632f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\installer.exe
Filesize
27.5MB

MD5
d2272f3869d5b634f656047968c25ae6

SHA1
453c6ffa6ec3a0a25ae59a1b58a0d18b023edb16

SHA256
d89a2423da3704108861f190e1633d2100ecc30b4c40bd835ce54a6934887bc9

SHA512
41072ef6f382cf6d4d97ebc2a49a50a9bd41b53508a8586fd8d018e86aed135e8ac2cdd16bbf725e4f74f14ecfcf49789d3af8924b6d5dfa6b94dc6bf79a0785

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\pivotsetup.exe
Filesize
17.8MB

MD5
a52c104395773710fab7f6264aced388

SHA1
87bf5c40fbac501bc272cb5343e7ae09b13bfdb1

SHA256
2852267832c4338f9ab2488add87c71be9e9b6fac50f3395915e7b9b6ab5cd11

SHA512
47eb7a1bd1c78961a8ab5a90896df6be0d57e253798033ba6caafaef6826414a08f6f8fe085faee7601d06acc00bec26c8c9e8da0da97168370e69fa27cf829f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\rsStubActivator.exe
Filesize
44KB

MD5
11ccdc9d724046284d05fca4995ffa88

SHA1
9906c3c7abe6df7dbcb8b440ec2cbe816af4b995

SHA256
988c672fc563763eeae8194bad6f12d482f93f71216403d197fb02874a5ec747

SHA512
33915e3e5a93573c269be053f927b035037a92f08606651b1d638c1cb45e6a3b8429359e39d5af5392f8956817cb165155d05b44d7a5391e837f90c4fb462a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pivot_Animator_files\saBSI.exe
Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TRMJ0.tmp\pivotsetup.tmp
Filesize
702KB

MD5
1afbd25db5c9a90fe05309f7c4fbcf09

SHA1
baf330b5c249ca925b4ea19a52fe8b2c27e547fa

SHA256
3bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c

SHA512
3a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\Microsoft.Win32.TaskScheduler.dll
Filesize
341KB

MD5
a09decc59b2c2f715563bb035ee4241e

SHA1
c84f5e2e0f71feef437cf173afeb13fe525a0fea

SHA256
6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149

SHA512
1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\RAVEndPointProtection-installer.exe
Filesize
539KB

MD5
41a3c2a1777527a41ddd747072ee3efd

SHA1
44b70207d0883ec1848c3c65c57d8c14fd70e2c3

SHA256
8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365

SHA512
14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\fr-FR\RavStub.resources.dll
Filesize
12KB

MD5
3b5352ca4cb06dad6c6ce7f15b757810

SHA1
7ecb52ec5909fc6e9df2bf591d1a12cc33f8e842

SHA256
e59969a07f3aecc9303a8add6d1f36c058472342a98b1db274a1fd8e0ef6ca74

SHA512
d808f61552f1f59080e4a027075f4bc66afecdd78dd970fbf8dd25cfac65bc5c619d964dd14e41a5f6209154d1ea7a5d4943fe35c12f4e0892fe1267e47dcf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\rsAtom.dll
Filesize
156KB

MD5
9deba7281d8eceefd760874434bd4e91

SHA1
553e6c86efdda04beacee98bcee48a0b0dba6e75

SHA256
02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

SHA512
7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\rsJSON.dll
Filesize
218KB

MD5
f8978087767d0006680c2ec43bda6f34

SHA1
755f1357795cb833f0f271c7c87109e719aa4f32

SHA256
221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

SHA512
54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\rsLogger.dll
Filesize
177KB

MD5
83ad54079827e94479963ba4465a85d7

SHA1
d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

SHA256
ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

SHA512
c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\rsStubLib.dll
Filesize
248KB

MD5
a16602aad0a611d228af718448ed7cbd

SHA1
ddd9b80306860ae0b126d3e834828091c3720ac5

SHA256
a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

SHA512
305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\rsSyncSvc.exe
Filesize
797KB

MD5
ded746a9d2d7b7afcb3abe1a24dd3163

SHA1
a074c9e981491ff566cd45b912e743bd1266c4ae

SHA256
c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3

SHA512
2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\1040b230\71b36fb1_3c93da01\rsServiceController.DLL
Filesize
174KB

MD5
d0779008ba2dc5aba2393f95435a6e8d

SHA1
14ccd0d7b6128cf11c58f15918b2598c5fefe503

SHA256
e74a387b85ee4346b983630b571d241749224d51b81b607f88f6f77559f9cb05

SHA512
931edd82977e9a58c6669287b38c1b782736574db88dad0cc6e0d722c6e810822b3cbe5689647a8a6f2b3692d0c348eb063e17abfa5580a66b17552c30176426

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\6db31430\71b36fb1_3c93da01\rsLogger.DLL
Filesize
179KB

MD5
b279550f2557481ae48e257f0964ae29

SHA1
53bef04258321ca30a6d36a7d3523032e3087a3e

SHA256
13fe4a20114cdf8cd3bba42eeaabe8d49be0b03eec423f530c890463014ccaaa

SHA512
f603cbac1f55ad4de7a561a1d9c27e33e36de00f09a18ff956456afec958f3e777277db74f0b25c6467e765d39175aa4fcdd38e87a3d666b608d983acb9321cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\cedc282b\71b36fb1_3c93da01\rsJSON.DLL
Filesize
219KB

MD5
d43100225a3f78936ca012047a215559

SHA1
c68013c5f929fe098a57870553c3204fd9617904

SHA256
cc5ea6c9c8a14c48a20715b6b3631cbf42f73b41b87d1fbb0462738ff80dc01a

SHA512
9633992a07ea61a9d7acd0723dbd715dbd384e01e268131df0534bcdfcd92f12e3decc76aa870ea4786314c0b939b41c5f9e591a18c4d9d0bad069f30acd833e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\e0b1788a\fa506db1_3c93da01\rsAtom.DLL
Filesize
158KB

MD5
875e26eb233dbf556ddb71f1c4d89bb6

SHA1
62b5816d65db3de8b8b253a37412c02e9f46b0f9

SHA256
e62ac7163d7d48504992cd284630c8f94115c3718d60340ad9bb7ee5dd115b35

SHA512
54fdc659157667df4272ac11048f239101cb12b39b2bf049ef552b4e0ce3998ff627bf763e75b5c69cc0d4ef116bfe9043c9a22f2d923dbedddacf397e621035

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssDA06.tmp\uninstall.ico
Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD9D6.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Roaming\Pivot Animator\Pivot.ini
Filesize
1KB

MD5
573b33ca99d63c9635b8402c453f3528

SHA1
8bbb88294cfdf64008d1b6c3a320e5895cf71482

SHA256
fc16649d1fb73208be8c08469c903101d9536e7bda51d772977a17286c87b677

SHA512
a5c756321e74c509cfd41630cbbede8c93f52900254183d8c5660cc925fc15a938ec0d847985f071431868a719b4a18f57fca27d77c6e7f7ce0685c321eb635e

Download Submit
C:\WINDOWS\FONTS\PIVOTCLASSICFONT.TTF
Filesize
12KB

MD5
32965780e3c3b53b1e2f8b82eb96da05

SHA1
85f817ef5d3150f4bf69e967d56a032f4521f79a

SHA256
f22de79fe47abd955f05c0ea0cc1586eb549c956f22616c051142f448fcd8f23

SHA512
046d7f36faff39650b29a7198dc3b4a5af1a94efa2cc807c5981023010c448ae5421be1055d0a5bf4c1b7d23214c5cf19e122be21eee49b11a774694be788605

Download Submit
memory/3480-61-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3480-248-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3652-43-0x000001FAD6E00000-0x000001FAD6E10000-memory.dmp

Filesize
64KB

Download
memory/3652-529-0x00007FF8D8950000-0x00007FF8D9411000-memory.dmp

Filesize
10.8MB

Download
memory/3652-2310-0x000001FAD6E00000-0x000001FAD6E10000-memory.dmp

Filesize
64KB

Download
memory/3652-42-0x00007FF8D8950000-0x00007FF8D9411000-memory.dmp

Filesize
10.8MB

Download
memory/3652-41-0x000001FABC810000-0x000001FABC818000-memory.dmp

Filesize
32KB

Download
memory/3824-250-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3824-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4380-235-0x0000000002230000-0x00000000024BC000-memory.dmp

Filesize
2.5MB

Download
memory/4860-3835-0x00000238D29F0000-0x00000238D29F1000-memory.dmp

Filesize
4KB

Download
memory/4860-9-0x000000001B5D0000-0x000000001B5F0000-memory.dmp

Filesize
128KB

Download
memory/4860-10-0x000000001C0C0000-0x000000001C0F2000-memory.dmp

Filesize
200KB

Download
memory/4860-8-0x000000001B5B0000-0x000000001B5C2000-memory.dmp

Filesize
72KB

Download
memory/4860-523-0x00007FF8D8950000-0x00007FF8D9411000-memory.dmp

Filesize
10.8MB

Download
memory/4860-3860-0x00000238D2A70000-0x00000238D2A82000-memory.dmp

Filesize
72KB

Download
memory/4860-3837-0x00000238D2A30000-0x00000238D2A3A000-memory.dmp

Filesize
40KB

Download
memory/4860-3836-0x00000238D0E70000-0x00000238D0E9E000-memory.dmp

Filesize
184KB

Download
memory/4860-3834-0x00000238EB430000-0x00000238EB440000-memory.dmp

Filesize
64KB

Download
memory/4860-3833-0x00007FF8D8950000-0x00007FF8D9411000-memory.dmp

Filesize
10.8MB

Download
memory/4860-3832-0x00000238D0E70000-0x00000238D0E9E000-memory.dmp

Filesize
184KB

Download
memory/4860-1-0x00007FF8D8950000-0x00007FF8D9411000-memory.dmp

Filesize
10.8MB

Download
memory/4860-39-0x000000001B790000-0x000000001B7A0000-memory.dmp

Filesize
64KB

Download
memory/4860-38-0x000000001B790000-0x000000001B7A0000-memory.dmp

Filesize
64KB

Download
memory/4860-6-0x000000001B600000-0x000000001B650000-memory.dmp

Filesize
320KB

Download
memory/4860-5-0x000000001BFB0000-0x000000001C0B2000-memory.dmp

Filesize
1.0MB

Download
memory/4860-4-0x000000001C390000-0x000000001C8B8000-memory.dmp

Filesize
5.2MB

Download
memory/4860-3-0x000000001B570000-0x000000001B580000-memory.dmp

Filesize
64KB

Download
memory/4860-2-0x000000001B790000-0x000000001B7A0000-memory.dmp

Filesize
64KB

Download
memory/4860-37-0x000000001B790000-0x000000001B7A0000-memory.dmp

Filesize
64KB

Download
memory/4860-36-0x000000001B790000-0x000000001B7A0000-memory.dmp

Filesize
64KB

Download
memory/4860-33-0x00007FF8D8950000-0x00007FF8D9411000-memory.dmp

Filesize
10.8MB

Download
memory/4860-15-0x0000000020380000-0x00000000203C2000-memory.dmp

Filesize
264KB

Download
memory/4860-0-0x0000000000740000-0x00000000007E8000-memory.dmp

Filesize
672KB

Download
memory/4860-14-0x000000001B790000-0x000000001B7A0000-memory.dmp

Filesize
64KB

Download
memory/4860-7-0x000000001C180000-0x000000001C232000-memory.dmp

Filesize
712KB

Download
memory/4860-13-0x000000001B790000-0x000000001B7A0000-memory.dmp

Filesize
64KB

Download
memory/4860-12-0x000000001B6B0000-0x000000001B6CA000-memory.dmp

Filesize
104KB

Download
memory/4860-11-0x000000001B650000-0x000000001B66E000-memory.dmp

Filesize
120KB

Download
memory/5064-326-0x00000147EEB30000-0x00000147EEB5A000-memory.dmp

Filesize
168KB

Download
memory/5064-2868-0x00007FF8D8950000-0x00007FF8D9411000-memory.dmp

Filesize
10.8MB

Download
memory/5064-313-0x00000147D44C0000-0x00000147D4548000-memory.dmp

Filesize
544KB

Download
memory/5064-312-0x00007FF8D8950000-0x00007FF8D9411000-memory.dmp

Filesize
10.8MB

Download
memory/5064-315-0x00000147D6100000-0x00000147D6140000-memory.dmp

Filesize
256KB

Download
memory/5064-317-0x00000147D6140000-0x00000147D6170000-memory.dmp

Filesize
192KB

Download
memory/5064-318-0x00000147EE9B0000-0x00000147EE9C0000-memory.dmp

Filesize
64KB

Download
memory/5064-320-0x00000147D60D0000-0x00000147D60D1000-memory.dmp

Filesize
4KB

Download
memory/5064-321-0x00000147D60B0000-0x00000147D60BA000-memory.dmp

Filesize
40KB

Download
memory/5064-323-0x00000147EE9C0000-0x00000147EE9FA000-memory.dmp

Filesize
232KB

Download
memory/5064-324-0x00000147D60A0000-0x00000147D60A1000-memory.dmp

Filesize
4KB

Download
memory/5064-3764-0x00000147EF2C0000-0x00000147EF2CE000-memory.dmp

Filesize
56KB

Download
memory/5064-3762-0x00000147EF150000-0x00000147EF151000-memory.dmp

Filesize
4KB

Download
memory/5064-3756-0x00000147EF3F0000-0x00000147EF41E000-memory.dmp

Filesize
184KB

Download
memory/5064-327-0x00000147D60C0000-0x00000147D60C1000-memory.dmp

Filesize
4KB

Download
memory/5064-332-0x00000147EEBC0000-0x00000147EEC18000-memory.dmp

Filesize
352KB

Download
memory/5064-3741-0x00000147EE9B0000-0x00000147EE9C0000-memory.dmp

Filesize
64KB

Download
memory/5064-3739-0x00000147EF0F0000-0x00000147EF0F1000-memory.dmp

Filesize
4KB

Download
memory/5064-3730-0x00000147EF310000-0x00000147EF33A000-memory.dmp

Filesize
168KB

Download
memory/5064-3715-0x00000147EF0E0000-0x00000147EF0E1000-memory.dmp

Filesize
4KB

Download
memory/5064-3707-0x00000147EF2B0000-0x00000147EF2E0000-memory.dmp

Filesize
192KB

Download
memory/5064-3699-0x00000147EF100000-0x00000147EF101000-memory.dmp

Filesize
4KB

Download
memory/5064-3685-0x00000147EF120000-0x00000147EF15A000-memory.dmp

Filesize
232KB

Download
memory/5064-3683-0x00000147EF0D0000-0x00000147EF0D1000-memory.dmp

Filesize
4KB

Download
memory/5064-3682-0x00000147EE9B0000-0x00000147EE9C0000-memory.dmp

Filesize
64KB

Download
memory/5064-3155-0x00000147EEFF0000-0x00000147EF040000-memory.dmp

Filesize
320KB

Download
memory/5500-1432-0x00007FF765F20000-0x00007FF765F30000-memory.dmp

Filesize
64KB

Download
memory/5500-566-0x00007FF77DA20000-0x00007FF77DA30000-memory.dmp

Filesize
64KB

Download
memory/5500-1443-0x00007FF7737F0000-0x00007FF773800000-memory.dmp

Filesize
64KB

Download
memory/5500-1446-0x00007FF76A1D0000-0x00007FF76A1E0000-memory.dmp

Filesize
64KB

Download
memory/5500-1444-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-1438-0x00007FF719450000-0x00007FF719460000-memory.dmp

Filesize
64KB

Download
memory/5500-542-0x00007FF765F20000-0x00007FF765F30000-memory.dmp

Filesize
64KB

Download
memory/5500-543-0x00007FF77DA20000-0x00007FF77DA30000-memory.dmp

Filesize
64KB

Download
memory/5500-558-0x00007FF7737F0000-0x00007FF773800000-memory.dmp

Filesize
64KB

Download
memory/5500-598-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-603-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-620-0x00007FF719450000-0x00007FF719460000-memory.dmp

Filesize
64KB

Download
memory/5500-677-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-686-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-715-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-871-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-693-0x00007FF719450000-0x00007FF719460000-memory.dmp

Filesize
64KB

Download
memory/5500-723-0x00007FF719450000-0x00007FF719460000-memory.dmp

Filesize
64KB

Download
memory/5500-760-0x00007FF719450000-0x00007FF719460000-memory.dmp

Filesize
64KB

Download
memory/5500-762-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-766-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-782-0x00007FF719450000-0x00007FF719460000-memory.dmp

Filesize
64KB

Download
memory/5500-823-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-849-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-787-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-779-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-768-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-729-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-1445-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-705-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-661-0x00007FF77DA20000-0x00007FF77DA30000-memory.dmp

Filesize
64KB

Download
memory/5500-1451-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-567-0x00007FF7737F0000-0x00007FF773800000-memory.dmp

Filesize
64KB

Download
memory/5500-1450-0x00007FF719450000-0x00007FF719460000-memory.dmp

Filesize
64KB

Download
memory/5500-1449-0x00007FF765F20000-0x00007FF765F30000-memory.dmp

Filesize
64KB

Download
memory/5500-1435-0x00007FF77DA20000-0x00007FF77DA30000-memory.dmp

Filesize
64KB

Download
memory/5500-882-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-553-0x00007FF719450000-0x00007FF719460000-memory.dmp

Filesize
64KB

Download
memory/5500-1433-0x00007FF77DA20000-0x00007FF77DA30000-memory.dmp

Filesize
64KB

Download
memory/5500-1436-0x00007FF765F20000-0x00007FF765F30000-memory.dmp

Filesize
64KB

Download
memory/5500-528-0x00007FF77C5E0000-0x00007FF77C5F0000-memory.dmp

Filesize
64KB

Download
memory/5500-1434-0x00007FF719450000-0x00007FF719460000-memory.dmp

Filesize
64KB

Download
memory/5500-1429-0x00007FF77C5E0000-0x00007FF77C5F0000-memory.dmp

Filesize
64KB

Download
memory/5500-497-0x00007FF77C5E0000-0x00007FF77C5F0000-memory.dmp

Filesize
64KB

Download
memory/5500-1428-0x00007FF77C5E0000-0x00007FF77C5F0000-memory.dmp

Filesize
64KB

Download
memory/5500-874-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-1426-0x00007FF77C5E0000-0x00007FF77C5F0000-memory.dmp

Filesize
64KB

Download
memory/5500-1427-0x00007FF77C5E0000-0x00007FF77C5F0000-memory.dmp

Filesize
64KB

Download
memory/5500-909-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-1425-0x00007FF765F20000-0x00007FF765F30000-memory.dmp

Filesize
64KB

Download
memory/5500-1102-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-1311-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-1148-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-927-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-936-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-972-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5500-925-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-900-0x00007FF778FE0000-0x00007FF778FF0000-memory.dmp

Filesize
64KB

Download
memory/5500-906-0x00007FF731C60000-0x00007FF731C70000-memory.dmp

Filesize
64KB

Download
memory/5660-3738-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/5660-524-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download