zgrat | 10081bafe6ae40fa52e127f22eb09a316be5c9c481d5bc5662f9470cca76eb71

Analysis

max time kernel
600s
max time network
586s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
06-05-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cockroach-on-desktop-1.1-installer_R04-tM1.exe
Size

1.7MB
MD5

d2d704d41f42e5818225ff90dafc1d82
SHA1

36e4dc864509a3c321cbbf156006afd2917a5a0d
SHA256

10081bafe6ae40fa52e127f22eb09a316be5c9c481d5bc5662f9470cca76eb71
SHA512

90f99c1a1ce5a9f866e0abc85dfbdd53ce4086c45690040187efded7ead9be872e8266618c707466bcdf616d0b2863a1083d38092ea870ca5b3b99e124c39381
SSDEEP

24576:p7FUDowAyrTVE3U5F/pAZWZADi/VIX7rofRHYz2iVqnnxFr62k7kQ7:pBuZrEUbA+2XQpHm2iVyp

Score

10^/10

zgrat discovery persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002af65-2357.dat	family_zgrat_v1
behavioral1/files/0x000100000002af78-2348.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Downloads MZ/PE file

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rsWSC.exe.log	rsWSC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\edge_search\edge_search_ext_coachmark.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\tooltip_img_1_3.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\win32\downloadscan.dll	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-ko-KR.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1826870200\jslang\wa-res-install-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\Temp1826870200\jslang\wa-res-install-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\Temp1826870200\jslang\eula-ru-RU.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\securesearchtoast.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp1826870200\wa_install_check.png	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1826870200\jslang\eula-cs-CZ.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\wssanalyticsraw.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\dataset.js	ServiceHost.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\mcutil.js	ServiceHost.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\snapshot_blob.bin	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-da-DK.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1826870200\jslang\eula-nl-NL.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\mwb\wa-mwb-checklist.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-da-DK.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1826870200\jslang\eula-fr-CA.txt	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\Microsoft.Bcl.HashCode.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.IO.MemoryMappedFiles.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp1826870200\jslang\eula-pl-PL.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-dwtoast.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\pushnotification.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1826870200\jslang\wa-res-install-fr-FR.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_200_percent.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp1826870200\jslang\eula-pt-BR.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-fr-FR.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1826870200\jslang\wa-res-shared-zh-CN.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp1826870200\jslang\wa-res-install-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-zh-CN.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Helper.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp1826870200\jslang\wa-res-install-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-ss-toast-variants-bg.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\staticvalue.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-zh-CN.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp1826870200\browserhost.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\edge_onboarding\edge-ext-toast.html	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Data.Common.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\close_icon.png	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fr.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-sk-SK.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\Temp1826870200\jslang\wa-res-install-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\minimize.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-pl-PL.js	installer.exe

Executes dropped EXE 20 IoCs

pid	Process
1488	cockroach-on-desktop-1.1-installer_R04-tM1.tmp
4476	component0.exe
408	saBSI.exe
5068	slejajqy.exe
644	RAVEndPointProtection-installer.exe
4988	rsSyncSvc.exe
4652	rsSyncSvc.exe
2020	installer.exe
2072	installer.exe
5292	ServiceHost.exe
5308	UIHost.exe
2724	updater.exe
4072	rsWSC.exe
5776	rsWSC.exe
4856	rsWSC.exe
3348	rsWSC.exe
3104	rsWSC.exe
1488	rsWSC.exe
4636	rsWSC.exe
3092	rsWSC.exe

Loads dropped DLL 16 IoCs

pid	Process
5068	slejajqy.exe
6056	regsvr32.exe
5388	regsvr32.exe
5256	regsvr32.exe
5292	ServiceHost.exe
5204	regsvr32.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5308	UIHost.exe
5308	UIHost.exe
5292	ServiceHost.exe
644	RAVEndPointProtection-installer.exe
644	RAVEndPointProtection-installer.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5676	1488	WerFault.exe	80
756	1488	WerFault.exe	80

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cockroach-on-desktop-1.1-installer_R04-tM1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	cockroach-on-desktop-1.1-installer_R04-tM1.tmp
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000009a58c47b1100557365727300640009000400efbec5522d60a65831852e0000006c0500000000010000000000000000003a000000000089d11c0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 8400310000000000a65838851100444f574e4c4f7e3100006c0009000400efbe9a58c47ba6583b852e000000525702000000010000000000000000004200000000006b6b020144006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000009a58b67e100041646d696e003c0009000400efbe9a58c47ba65831852e0000004a570200000001000000000000000000000000000000f4683100410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	explorer.exe
Key created	\Registry\User\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\NotificationData	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\DownloadScan.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3608	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
408	saBSI.exe
408	saBSI.exe
408	saBSI.exe
408	saBSI.exe
408	saBSI.exe
408	saBSI.exe
408	saBSI.exe
408	saBSI.exe
408	saBSI.exe
408	saBSI.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5308	UIHost.exe
5308	UIHost.exe
5308	UIHost.exe
5308	UIHost.exe
5308	UIHost.exe
5308	UIHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5308	UIHost.exe
5308	UIHost.exe
5308	UIHost.exe
5308	UIHost.exe
5308	UIHost.exe
5308	UIHost.exe
5308	UIHost.exe
5308	UIHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe
5292	ServiceHost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5048	fltmc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	component0.exe
Token: SeDebugPrivilege	644	RAVEndPointProtection-installer.exe
Token: SeShutdownPrivilege	644	RAVEndPointProtection-installer.exe
Token: SeCreatePagefilePrivilege	644	RAVEndPointProtection-installer.exe
Token: SeDebugPrivilege	644	RAVEndPointProtection-installer.exe
Token: SeSecurityPrivilege	1056	wevtutil.exe
Token: SeBackupPrivilege	1056	wevtutil.exe
Token: SeLoadDriverPrivilege	5048	fltmc.exe
Token: SeSecurityPrivilege	2540	wevtutil.exe
Token: SeBackupPrivilege	2540	wevtutil.exe
Token: SeDebugPrivilege	4072	rsWSC.exe
Token: SeDebugPrivilege	5776	rsWSC.exe
Token: SeDebugPrivilege	4856	rsWSC.exe
Token: SeDebugPrivilege	3348	rsWSC.exe
Token: SeDebugPrivilege	3104	rsWSC.exe
Token: SeDebugPrivilege	1488	rsWSC.exe
Token: SeDebugPrivilege	4636	rsWSC.exe
Token: SeDebugPrivilege	3092	rsWSC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1488	cockroach-on-desktop-1.1-installer_R04-tM1.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3608	explorer.exe
3608	explorer.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1488	1212	cockroach-on-desktop-1.1-installer_R04-tM1.exe	80
PID 1212 wrote to memory of 1488	1212	cockroach-on-desktop-1.1-installer_R04-tM1.exe	80
PID 1212 wrote to memory of 1488	1212	cockroach-on-desktop-1.1-installer_R04-tM1.exe	80
PID 1488 wrote to memory of 4476	1488	cockroach-on-desktop-1.1-installer_R04-tM1.tmp	83
PID 1488 wrote to memory of 4476	1488	cockroach-on-desktop-1.1-installer_R04-tM1.tmp	83
PID 1488 wrote to memory of 408	1488	cockroach-on-desktop-1.1-installer_R04-tM1.tmp	84
PID 1488 wrote to memory of 408	1488	cockroach-on-desktop-1.1-installer_R04-tM1.tmp	84
PID 1488 wrote to memory of 408	1488	cockroach-on-desktop-1.1-installer_R04-tM1.tmp	84
PID 4476 wrote to memory of 5068	4476	component0.exe	85
PID 4476 wrote to memory of 5068	4476	component0.exe	85
PID 4476 wrote to memory of 5068	4476	component0.exe	85
PID 5068 wrote to memory of 644	5068	slejajqy.exe	86
PID 5068 wrote to memory of 644	5068	slejajqy.exe	86
PID 644 wrote to memory of 4988	644	RAVEndPointProtection-installer.exe	88
PID 644 wrote to memory of 4988	644	RAVEndPointProtection-installer.exe	88
PID 1488 wrote to memory of 3108	1488	cockroach-on-desktop-1.1-installer_R04-tM1.tmp	92
PID 1488 wrote to memory of 3108	1488	cockroach-on-desktop-1.1-installer_R04-tM1.tmp	92
PID 1488 wrote to memory of 3108	1488	cockroach-on-desktop-1.1-installer_R04-tM1.tmp	92
PID 408 wrote to memory of 2020	408	saBSI.exe	91
PID 408 wrote to memory of 2020	408	saBSI.exe	91
PID 2020 wrote to memory of 2072	2020	installer.exe	94
PID 2020 wrote to memory of 2072	2020	installer.exe	94
PID 2072 wrote to memory of 2260	2072	installer.exe	95
PID 2072 wrote to memory of 2260	2072	installer.exe	95
PID 2260 wrote to memory of 6056	2260	regsvr32.exe	98
PID 2260 wrote to memory of 6056	2260	regsvr32.exe	98
PID 2260 wrote to memory of 6056	2260	regsvr32.exe	98
PID 2072 wrote to memory of 5388	2072	installer.exe	100
PID 2072 wrote to memory of 5388	2072	installer.exe	100
PID 2072 wrote to memory of 4276	2072	installer.exe	102
PID 2072 wrote to memory of 4276	2072	installer.exe	102
PID 4276 wrote to memory of 5256	4276	regsvr32.exe	104
PID 4276 wrote to memory of 5256	4276	regsvr32.exe	104
PID 4276 wrote to memory of 5256	4276	regsvr32.exe	104
PID 2072 wrote to memory of 5204	2072	installer.exe	105
PID 2072 wrote to memory of 5204	2072	installer.exe	105
PID 5292 wrote to memory of 5308	5292	ServiceHost.exe	108
PID 5292 wrote to memory of 5308	5292	ServiceHost.exe	108
PID 5292 wrote to memory of 2724	5292	ServiceHost.exe	109
PID 5292 wrote to memory of 2724	5292	ServiceHost.exe	109
PID 5292 wrote to memory of 5712	5292	ServiceHost.exe	110
PID 5292 wrote to memory of 5712	5292	ServiceHost.exe	110
PID 644 wrote to memory of 6028	644	RAVEndPointProtection-installer.exe	112
PID 644 wrote to memory of 6028	644	RAVEndPointProtection-installer.exe	112
PID 6028 wrote to memory of 5460	6028	rundll32.exe	113
PID 6028 wrote to memory of 5460	6028	rundll32.exe	113
PID 5460 wrote to memory of 5500	5460	runonce.exe	114
PID 5460 wrote to memory of 5500	5460	runonce.exe	114
PID 644 wrote to memory of 1056	644	RAVEndPointProtection-installer.exe	115
PID 644 wrote to memory of 1056	644	RAVEndPointProtection-installer.exe	115
PID 644 wrote to memory of 5048	644	RAVEndPointProtection-installer.exe	118
PID 644 wrote to memory of 5048	644	RAVEndPointProtection-installer.exe	118
PID 644 wrote to memory of 2540	644	RAVEndPointProtection-installer.exe	120
PID 644 wrote to memory of 2540	644	RAVEndPointProtection-installer.exe	120
PID 644 wrote to memory of 4072	644	RAVEndPointProtection-installer.exe	122
PID 644 wrote to memory of 4072	644	RAVEndPointProtection-installer.exe	122
PID 5292 wrote to memory of 2140	5292	ServiceHost.exe	127
PID 5292 wrote to memory of 2140	5292	ServiceHost.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cockroach-on-desktop-1.1-installer_R04-tM1.exe
"C:\Users\Admin\AppData\Local\Temp\cockroach-on-desktop-1.1-installer_R04-tM1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\is-48FAI.tmp\cockroach-on-desktop-1.1-installer_R04-tM1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-48FAI.tmp\cockroach-on-desktop-1.1-installer_R04-tM1.tmp" /SL5="$60234,837550,832512,C:\Users\Admin\AppData\Local\Temp\cockroach-on-desktop-1.1-installer_R04-tM1.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\component0.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\component0.exe" -ip:"dui=1237b9d7-f804-4a48-834e-966087ebd757&dit=20240506164137&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=&se=true" -i
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\slejajqy.exe
      "C:\Users\Admin\AppData\Local\Temp\slejajqy.exe" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\RAVEndPointProtection-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\slejajqy.exe" /silent
        5⤵
        Drops file in Drivers directory
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        6⤵
        Executes dropped EXE
        
        PID:4988
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        6⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:6028
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        7⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:5460
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        8⤵
        
        PID:5500
      - C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
      - C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        6⤵
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
      - C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
      - C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
- - C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\component1_extract\saBSI.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\component1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\component1_extract\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\component1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Program Files\McAfee\Temp1826870200\installer.exe
        
        "C:\Program Files\McAfee\Temp1826870200\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        7⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:6056
      - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        6⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5388
      - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        7⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5256
      - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
        6⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5204
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" /select,"C:\Users\Admin\Downloads\cockroach-on-desktop-1.1-installer.exe"
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 836
    3⤵
    - Program crash
    PID:5676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 836
    3⤵
    - Program crash
    PID:756

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1488 -ip 1488
1⤵
PID:5308

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5292
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5308
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:5712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1488 -ip 1488
1⤵
PID:5180

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5776

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\McAfee\Temp1826870200\analyticsmanager.cab

Filesize
2.0MB

MD5
b86746aabbaf37831a38b6eae5e3e256

SHA1
5c81a896b9a7e59cdff3d7e10de5ace243132e56

SHA256
70e35195fece6ebf6e97b76c460d67449c4785a1bd21f205908f995aa8c11a5e

SHA512
68e2f2359e6306a5ff3af0c348c2d452afa7a8766e10b2d36358eb30e70ed17f4b45b479b8be5585a91febbdda67cd2b96c225728ad32e9a54bad358269711e8

Download Submit
C:\Program Files\McAfee\Temp1826870200\analyticstelemetry.cab

Filesize
57KB

MD5
fc2f204b92db0e8daec09ae45cedbc96

SHA1
5d16a19f70224e97cfc383143ddbf5f6b5565f19

SHA256
22f38866a64fcc685be87a949f17d0bc85d20c9d5f6aec1ad469d59f099383c6

SHA512
32fd7845c34ff4df8b7ec5d041c4de1a577cb686d7b6b9bfe10897edd1b5dab503ff1fd5b6e729f0a081fff41d5b273cbd188dd7952c27366cf3f5c3b3fd3637

Download Submit
C:\Program Files\McAfee\Temp1826870200\browserhost.cab

Filesize
1.2MB

MD5
047cd507df3d47ad5b4580f92cca8462

SHA1
a3cba758d2c3a435d8b4841ed7874d3dae98affa

SHA256
d1ca37407ee6c256a2d174da8139dae1b5f3b681540763e4208073646dc3f85a

SHA512
beee3e3b0606c8620370033da292f8d177fc4c8556dc7c952bc9a56a1ad446e36cb425c2f849741a24f3ebce6b814e213ab051e31283f16854069b7b83289c74

Download Submit
C:\Program Files\McAfee\Temp1826870200\browserplugin.cab

Filesize
4.9MB

MD5
f2e0ad0cf39154cf59faef9c055fceda

SHA1
31558e4be53bbd90c955b60bab3b4bb7c29c3442

SHA256
5c98127edc5094fba4ab2c640dabadac9365ccf127446ac28db1de31553fbf67

SHA512
c4054146296f69cea8b628c63941b70713e479e75ae21e982113d7a5ed561099070cf3f8e01ffe307e0d6b5e975a111515282e1532204e98fe1d85c2815056b7

Download Submit
C:\Program Files\McAfee\Temp1826870200\downloadscan.cab

Filesize
2.1MB

MD5
3f53a18999723022ce0163cf0b79bddf

SHA1
9722ac18848575fe7922661c6b967163647b004f

SHA256
c03a9c8f4c8840d3d6620bce28007e0f9b738418d690247f2116f3f28ff9249f

SHA512
faeba2e5cead1388a348d20f671f136faaa17f1b5677dd8aedfbbba01b99f4c15020888520e15f88e946bc0b3aec8d14f24729ee37ed440a0e87151b72a2e6a0

Download Submit
C:\Program Files\McAfee\Temp1826870200\eventmanager.cab

Filesize
1.4MB

MD5
98f1341ed360f6d676a110fab895669a

SHA1
7695c908aec695a7f17fbe0a7474aa6f8250c960

SHA256
b6ba85209c76fc850130c6bde2fb58ea4bf92a54c68670e5e4445a7fe0337cfa

SHA512
8d46ce3f7972ecee7003d5dde16b614656197949a2c6a170398c9a0f246d2ba6ffd0c75caf115a697ded4618ac09defe36c6c157245abe8288483e6a808faf24

Download Submit
C:\Program Files\McAfee\Temp1826870200\installer.exe

Filesize
2.5MB

MD5
4034e2003874264c50436da1b0437783

SHA1
e91861f167d61b3a72784e685a78a664522288c2

SHA256
471d799e2b2292dbdbc9aed0be57c51d8bb89725a944b965aeb03892493e8769

SHA512
f0923f9c6f111583358c4c4670c3e017da2182853f489d36e49efbb4ad0eed23bc420cecf9584a1df4cff30d1428cb745c6143eacd1ee4acb8cac7385bd3b080

Download Submit
C:\Program Files\McAfee\Temp1826870200\l10n.cab

Filesize
274KB

MD5
d2d49a3e1e9a75f4908d8bafeec64a8a

SHA1
7b73095c122d816f07d7372920025ee07a34452f

SHA256
ae57687e54b8f26ac9a233cb382a96a2f11b6ea3722feceab3fe6ef73e1a9cc7

SHA512
6bb7d5db7ae08d1bad860a2467da10d92794f73594ee20e044747f4129f4b2f89dcca1cd52662d5ad88c7279798b457585605c03dc7b9f1817fedf072dec5e8b

Download Submit
C:\Program Files\McAfee\Temp1826870200\logicmodule.cab

Filesize
1.4MB

MD5
d06127ffbd53a53c8c5a6dba9ef57a30

SHA1
4b0c999368e3c41cc4e5e15e2dec24528184955a

SHA256
96aaecb6da2013028e00b93895c3a7d9ee26f8e03e32bf4506d32218b02d8f0b

SHA512
dc5ccf8bee79c79eca3b8a106ac805e1254b613fc3449f417dd8bc18f76e96a9aa6d9d43680546dd85486fa802c54d10bea45ba4ac401ef41c19529e13a4b815

Download Submit
C:\Program Files\McAfee\Temp1826870200\logicscripts.cab

Filesize
57KB

MD5
f2158db4bebd54b26773c843729007a7

SHA1
94e4f3e571f9d65a9a273147752a6767477284bd

SHA256
2e8f526789472335dd0c9d847965c104153260aab2f42d4848648babd02a2b30

SHA512
7de44a11aa0cf50b497b189aa5ee30b0a204d6f47f1d584a8d265b227d64bb3c3f66bdd47f5ef60395ece010dbbb9b0d7af56bd27ff7c8b6b3a64f0758e4cd09

Download Submit
C:\Program Files\McAfee\Temp1826870200\lookupmanager.cab

Filesize
972KB

MD5
4701a16772d584dddf8d3fdf2a86ce68

SHA1
38537b682c25af63435b1a1166c3f484a2ee003b

SHA256
1c11af7968f51eece1682d1106630d5d87bb363b24088e976710518108e9ff3a

SHA512
c8c25202b86486eac7b24ac91860ee14153fd35c9bfd73ff4aab114d8bd95213a935276463081f70a5b8f5fadf100ea072f09486d4b07e7d4dc2b904c46fa064

Download Submit
C:\Program Files\McAfee\Temp1826870200\mfw-mwb.cab

Filesize
30KB

MD5
de22a82e15c63e0dd5d76f3784baf2e5

SHA1
6388f8ced47ff3f0fde51523e489c7c7d685367c

SHA256
127b786e92568718d16aac814f0472356e5a49ff44d6803cd79f8ac0bd91154e

SHA512
69227b9b6a77c4182756496faea49b7ca01865277896e77a58841f60ddbf716c3880ad797b2947a8e92fc8f0bf57e95da0cddba8065b322ab95b0081676ea184

Download Submit
C:\Program Files\McAfee\Temp1826870200\mfw-nps.cab

Filesize
33KB

MD5
d9ca680b1fcd3930a7e88164d29835ad

SHA1
46e5f1906e3535936326529c81bad3ca77eba700

SHA256
b32933bd6e5b2f0d2928e92546195120375bbc8da68533e577adf6c54ea4ec0a

SHA512
45614f889ec7b1c30f5186bf61d4d82705f9175604cd82972a29b612f6fa4eb230179506adfc14bcfd5097890c9ebb37db54a96f80e781e742fe35e8c68b17eb

Download Submit
C:\Program Files\McAfee\Temp1826870200\mfw-webadvisor.cab

Filesize
901KB

MD5
e0f5c3d03681587bc927a049a22dfeb6

SHA1
2bdc1c92cbe1576d356daacf409413fff410e827

SHA256
325e7d15f8b9e3988904fe796d7d6bfb714be50f64d1a760b9e11cf71fe9ee15

SHA512
43a914bc424c9e4b5e08b3f016525e9685b9231e7de135b40d1b6806363dc8891f497fce3116d491947487c03dc8bf07c30be0fc2afec20e774aa22d83a1ffbe

Download Submit
C:\Program Files\McAfee\Temp1826870200\mfw.cab

Filesize
310KB

MD5
4b0034ee6db1f4a2a76524f1cc7cc9f4

SHA1
44bc148e2dd5221e1b781bdb56a625588fce9f64

SHA256
36671f49627d8cf811064c59cbf37e43e409b6d8631898614470037edb53c431

SHA512
a90abd80a517bfde5cb365904ee85baf0f3f32558701e4548f2aeb44783f088bd3b969de2068a6b618bdaf501f5f38ec9440f31144d96dcb1b766d19a0579738

Download Submit
C:\Program Files\McAfee\Temp1826870200\resourcedll.cab

Filesize
50KB

MD5
332e2fb2256710f1847bbc4c42cc16c9

SHA1
22f9b2715821a12824e7b1d29344323c212a1527

SHA256
a05f3231e81d726f99fe7ca68810e73ea47ce84fcd7fa42c1a7f2742c1ff3f86

SHA512
c4901db8021c3911e5caca3dc75c8533c61dc1091303473992671c763f12406749551daccfc67931991dbb72d6c279f84cce0ea564157dc01c2159d6527a15c1

Download Submit
C:\Program Files\McAfee\Temp1826870200\servicehost.cab

Filesize
304KB

MD5
c876006d16cfdbb9abe9d2dbe51f923f

SHA1
277df779d8d282bc213eb787cf2c66c45446a528

SHA256
2b7af7a1af3b4d205ac5a83fe191dc143e4279bfaa08ce4d540ee25835e1f820

SHA512
d04042412a0455169eb505d9fecdcf18950c16dbea629a9c8637ef53d4806b11f6d219daede59bc687e1ae58b4376b5bdcbcf2fb529410eae75eae12516ec328

Download Submit
C:\Program Files\McAfee\Temp1826870200\settingmanager.cab

Filesize
759KB

MD5
e370a3a3c4c1d7981aed6c2ae814a5da

SHA1
844d66ffd67753aa2899b3f37c3ac82d35541715

SHA256
be149a650eae3a9fd6e023f04b220ea112262bdcca94198aaa77cfe9c2a145f3

SHA512
6fe49258810cfbc42a2bb77e77aab439f9ec1f4133c174379453bf80e14c40c63c45b9ea2d1e64596361e89dcabb9931dd6a2aa4ca883a4bb02c1263451e4f84

Download Submit
C:\Program Files\McAfee\Temp1826870200\taskmanager.cab

Filesize
1.2MB

MD5
683cdaf78b714119a46f6956b01b8790

SHA1
f4c2b54addff08403d57d5371a71ae51adced69c

SHA256
ce40ba45ddad3eaed3152f4a2ca857b057cb46070883d415736a11c121bbe514

SHA512
ea3807ad3c7d65d021d805e80128c6f2a5c23593f05970a3bc1bb03d0e9270bd5bbe0e693533b215c241b7e2a2d61f6b8997d684365ae14ef61f9e8210da39fa

Download Submit
C:\Program Files\McAfee\Temp1826870200\telemetry.cab

Filesize
88KB

MD5
a3e148e515f1e4bc5f7d5c333777a906

SHA1
07b32139c195efe473b0f4e31ea9b67bc17a22c5

SHA256
c0a66dd61574c1729fe80b1dd03555be4eeaf371b4a3b7cc8b6b12068d0db60c

SHA512
00700c422b432444a508ea473db102be2aaf6324a8a57457b6205cd218f6e9b9f9f87f30d32c578ce52d15bdabbd6386dfd74cf605b771bf87aa2c6ce541a330

Download Submit
C:\Program Files\McAfee\Temp1826870200\uihost.cab

Filesize
299KB

MD5
c1210174cef04ee040f75d715e39e389

SHA1
73756f3d81ac71d1135986d1ce71d1792b65e8bd

SHA256
e71b6af542475224a316bd6ecc9b6b7c2f250bb63b95c1f655fdd1b0d2e81bc8

SHA512
cc06678211b18e1e95a1b11c3f5cfc64da55dd11507814181b406fd4e7e65a3505b0ec4d07331aa1c7b8a6682165267f67633bdb9ff9d235660de23ac29a9d4c

Download Submit
C:\Program Files\McAfee\Temp1826870200\uimanager.cab

Filesize
1.6MB

MD5
ad4bbf75866c3a8157b1ce867cb1b336

SHA1
ea2f390bd2beebc47ccea52d691d96f17ae148dc

SHA256
85170669325888a07167c0017df4b2e1b72b4a90bb60714fc9f9a3dc517e4008

SHA512
f146f5f649c0950465798c3822a1dd35c79780b10acfdf15678a57322d3ff4993993bd88a16e8f96c109aa67361717919e5a8a6d399aed800a0c6e77fd274b00

Download Submit
C:\Program Files\McAfee\Temp1826870200\uninstaller.cab

Filesize
904KB

MD5
94efa76e5d44432624c9c2dd55dcdc43

SHA1
c30419e489724c1900fe6ca0564a7756b6266637

SHA256
f859700fd030c2a69a5cdb9f7c0d884248ce5c3cb37d84c9230d9b025ac5a29f

SHA512
6284d8449cbc5d29190290521e314b45f7965f816556d00c31076f1b61bfb01f74ee9bae06a6b04263ba5d2300901affd1a4965c09dfdc0355646e8e92949e2e

Download Submit
C:\Program Files\McAfee\Temp1826870200\updater.cab

Filesize
860KB

MD5
36a9937b4970ed88446aa09a204fb3de

SHA1
7a22d931f7c7313e046fc35f6ed9e8c861af241b

SHA256
e58cdfba1ec4940ce12a0791336e3f312c1e4e8b5916e528e3ead3a6c48db020

SHA512
107d64e3d5b24cf2b0ba52a389738a2566bdffb4633c1fe6aed2f90e0a50bdfec4493cd0b610bb0466e54acdb1eb40d02a73ff70db9df360c8297216c341f1d1

Download Submit
C:\Program Files\McAfee\Temp1826870200\wataskmanager.cab

Filesize
2.7MB

MD5
218696f93137dbe2dffbd3b478ce6f9c

SHA1
78a044f3a0800199caefb05c1ec2184c76475075

SHA256
f376195738911c09feda9b68e417d4523bc348990a31e3773458fc4f55ecbaf6

SHA512
c6328d23182b93a409b53af350a9c0356976b0119f9ad3fe2bacf4e2d167d8ab63f53cc240dd91f97da99259751447224d8c1e1884df68579d2fb79306b7417b

Download Submit
C:\Program Files\McAfee\Temp1826870200\webadvisor.cab

Filesize
22KB

MD5
a265b83be07a6a1aa8e400c6f4e00958

SHA1
1d81e5d7f8f01b426989abfcc62e01b56566dcc6

SHA256
25c2cd074f1891dc48da90fcaf6fa3940e55afcc641c0f586054de91fb158b19

SHA512
2624d46ce089e356589d139f4d9435ffba3895d8668a4b22bb4a4d8e41c4957e75c39d75972d31895930293a74696aaaafd3710f3935e7f90d1a39389c5c186d

Download Submit
C:\Program Files\McAfee\Temp1826870200\wssdep.cab

Filesize
587KB

MD5
9fe49495f568043598e473a2efbac339

SHA1
d872dbbefc5974a218c4246d49f29eb2e7da419c

SHA256
e1b6cbed8e517704b6451fc70bd3233443ee3a84c4e0e73f39bdf846cbc660ae

SHA512
28e09444ae4ab7b641419f4e483d16842759814be95b3e18806edacba92ee8363e349909cf4afe01ded535e96b38868cdc03761c38db2b2c4b6485c67adc47ef

Download Submit
C:\Program Files\McAfee\WebAdvisor\AnalyticsManager.dll

Filesize
6.2MB

MD5
aabd7f09ca59ce97232e22fad36ca60c

SHA1
7010e77331025522157cbb4e990247c76e9fe85f

SHA256
c6d41694939d0dd14971a54e53537a48f45b530016691d37a6970cdedd69a870

SHA512
c0522b6216dfd775a6d5b0e3fd1829ad83be863d4c73b67ee88669cbc1934437a31c37e2d91f75128f03eadfabb7f501a8b03727944293fd129685a1478bc7ee

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
73KB

MD5
6f97cb1b2d3fcf88513e2c349232216a

SHA1
846110d3bf8b8d7a720f646435909ef80bbcaa0c

SHA256
6a031052be1737bc2767c3ea65430d8d7ffd1c9115e174d7dfb64ad510011272

SHA512
2919176296b953c9ef232006783068d255109257653ac5ccd64a3452159108890a1e8e7d6c030990982816166517f878f6032946a5558f8ae3510bc044809b07

Download Submit
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

Filesize
868KB

MD5
29ba713298e618380f5a80020784ac4d

SHA1
008d5c53fced7ca79e466efc2248714f600325ce

SHA256
77e445cd4ac65128393c6fbe185172c23a7713adfb2a37d13c5f00ac7421060c

SHA512
59f296df9a367648fbfa6d8838cc9a7e4e64e5439e5a280c15f3556b58e583204a6f96849b1f74125e9cf9b04a44954a0730a8f3b9e8870801c13f06da356fc9

Download Submit
C:\Program Files\McAfee\WebAdvisor\SettingManager.dll

Filesize
1.8MB

MD5
493314074e79e0defc29402139863a2f

SHA1
b60accd362e5b55b888aadc9aea2e82022021f0a

SHA256
f947dcd7b9131b95703cb71d0c9206ee388fc6550a9652874f881b0848712f11

SHA512
b3a25e482d7895e2ddcca2799416224938a196d1706374bab2024a8dab3cb7a8a7f821b3ba98a7b43e9490369213f3ec48d74e259674a1c864ea0e4365fb2cfa

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll

Filesize
2.9MB

MD5
7e7b5cb51baa2284fe8855edf47a2988

SHA1
dc0fc8d0833e8a8e75f30729c99c60fe2e6d5f00

SHA256
96bcdc1c112a1ced2a15856ff7bc9e95b5b34caebd7e1481448107a610e3fa04

SHA512
c00d29ec573a931ad7c2a55313b009090637c3000d76736fb4ba4b10739c4287046a10a7e40b9590a21b96e01239517a5bf17c253943b67da53b8087878a6063

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll

Filesize
646KB

MD5
71a78b5187b533b6441388e199f9758a

SHA1
0d07d9f17397f61ca8851af837a32c6f83a78bd0

SHA256
06483f4a360168de5c85a4729578e998dea4270a76d28439a20a41135e94eaa1

SHA512
c0bcac6a7fb15cd3fe861ec450baaad00068d7e1b511f7d1aa6c1c8bacd6f04eb80105132e37b6e99669d62f53f0d63e13c040df2f863f5a12206f1388c79ff0

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\downloadscan.dll

Filesize
3.3MB

MD5
07f9b6b59b48c9763c497c18d4d1675b

SHA1
9575059e0e95bfc8431427869cff7be76b1b5ff3

SHA256
17c8b31c53714b52beb2f576f3f0c0b9642dbcdd39c9851c4e567e314acf44bc

SHA512
9e2fa53271e0ca00adc289022466e930e68f3c215227fc30269b4fa2cb984280ca9decd9315c832c4da805f90f1fc7cd04cc6fd39da177f032f52a1d55da1ebd

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\wssdep.dll

Filesize
803KB

MD5
0f02e3217603077af6e4590c61427d8b

SHA1
e7c7102b621f6e84d3fa5d48a64b9bc3af518698

SHA256
e4b71441526318bc3b271cb1a0c858077911a95d13fdf68ed7b97dd3a4f2f86b

SHA512
1e3c0304995eec01bcdddcc89d3be9ec14d496ffd879dc106ec75f21ef4ac184ff0436d780530561955d9aa7aa4f0a7a63916f8a02a8756e7303af27a904e194

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Filesize
797KB

MD5
ded746a9d2d7b7afcb3abe1a24dd3163

SHA1
a074c9e981491ff566cd45b912e743bd1266c4ae

SHA256
c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3

SHA512
2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
310KB

MD5
c3b43e56db33516751b66ee531a162c9

SHA1
6b8a1680e9485060377750f79bc681e17a3cb72a

SHA256
040b2e0dea718124b36d76e1d8f591ff0dbca22f7fb11f52a2e6424218f4ecad

SHA512
4724f2f30e997f91893aabfa8bf1b5938c329927080e4cc72b81b4bb6db06fe35dae60d428d57355f03c46dd29f15db46ad2b1036247c0dcde688183ef11313a

Download Submit
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
6d27fe0704da042cdf69efa4fb7e4ec4

SHA1
48f44cf5fe655d7ef2eafbd43e8d52828f751f05

SHA256
0f74ef17c3170d6c48f442d8c81923185f3d54cb04158a4da78495c2ec31863e

SHA512
2c3587acab4461568ac746b4cdf36283d4cb2abe09fc7c085615384e92f813c28cf4fcb4f39ec67860eac9c0e4a5f15021aee712d21a682f8df654968ed40ea3

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
327KB

MD5
9d3d8cd27b28bf9f8b592e066b9a0a06

SHA1
9565df4bf2306900599ea291d9e938892fe2c43a

SHA256
97fe82b6ce5bc3ad96c8c5e242c86396accdf0f78ffc155ebc05f950597cdbd6

SHA512
acefc1552d16be14def7043b21ec026133aabd56f90800e131733c5b0c78316a4d9dc37d6b3093e537ce1974219154e8bd32204127a4ab4d4cd5f3041c6a8729

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
5KB

MD5
be90740a7ccd5651c445cfb4bd162cf9

SHA1
218be6423b6b5b1fbce9f93d02461c7ed2b33987

SHA256
44fa685d7b4868f94c9c51465158ea029cd1a4ceb5bfa918aa7dec2c528016e4

SHA512
a26869c152ed8df57b72f8261d33b909fb4d87d93dc0061bf010b69bad7b8c90c2f40a1338806c03d669b011c0cb5bbfcd429b7cd993df7d3229002becb658ad

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
239B

MD5
1264314190d1e81276dde796c5a3537c

SHA1
ab1c69efd9358b161ec31d7701d26c39ee708d57

SHA256
8341a3cae0acb500b9f494bdec870cb8eb8e915174370d41c57dcdae622342c5

SHA512
a3f36574dce70997943d93a8d5bebe1b44be7b4aae05ed5a791aee8c3aab908c2eca3275f7ce636a230a585d40896dc637be1fb597b10380d0c258afe4e720e9

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
defbb0a0d6b7718a9b0eaf5e7894a4b0

SHA1
0495a5eccd8690fac8810178117bf86ea366c8c3

SHA256
c3d2f7e0ad6fd26578595fb3f7c2b202ab6fba595d32dfa5c764922145db0788

SHA512
55dab7ae748a668a2bb57deb6fbff07e6056d97b6f88850890610ac135b8839d3c61f4dc505d3f32cc09a3ff2ce80ce663d0c830f9f399367dc03c92ea7ca89a

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

Filesize
2KB

MD5
e07a2708aeec9232acba063b04582f28

SHA1
af8d55cf27493049f4079326db9aaaa63fa94b3d

SHA256
8dc6ed8dca8d86d4043491e5ac058472763ea2ce51396cb91fbce0ded204bc4d

SHA512
d26b0a2b8c60e345933e84695d3861b894726f46bdc9dd4946d8840e019e8a8fb9c0d86f585664a5e45ecd6e89232a3e756bd010d8f6d0758b1c85a48c5e693a

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

Filesize
17KB

MD5
4f14d4e4ffab6de42ebb4cc18e209d44

SHA1
28bd54282179832745685dc61d8c8532816151b5

SHA256
03907f59de3a939e30e5ea136ff0ed02bbe3580ea3732aac89851bdc8aaddebe

SHA512
9dba3a28ce98a041ad4cf6f867855299f28ee03847ff34eeb610f4f32021e8d6d389a49e6db080b944ddc94e0a9d280d61067ab842d1e0c47f17b7a5cb78dfde

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
55e7470dc0ab551736b7829eb86415c2

SHA1
f8d6afbfccd5746e94cb588c97dc4c84f400a309

SHA256
40ec0b23dac7d0b783cfe00e023b9a6758b31b32f3a028468c4806ff3c6b0616

SHA512
c2809db54d9638dcd9d7940596b9a9993659fb1c41d01b508f2a9241d309894e6ed94d0bdf0b79c2106cdd790c09329b634ca1546d4079375fe1ba9f7a074cc6

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
81147e9c52b52bab20d2e85edd073d73

SHA1
dda8159f5504ea147243925785f0e8de19f415a1

SHA256
a5ea721b0e33adb8e578ecba24bccb4c696604cfe57053b049bf6bb25aa70634

SHA512
e1b01a0fbc4c87166e35a9b6bf002e8abfc0a727184c33fd1d7dc09e37be780d1af1843f4aee2a0093031cfd0f811da4aec17257c708682f18c4e4d48303a4c3

Download Submit
C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt

Filesize
4KB

MD5
ae18a5404f1fa3cf6186542d990b7307

SHA1
9ab4d045cff1071148e06c0dbaad24de888e1c28

SHA256
38a7222f32bd7e477b5c11e0c0fe66810d2c42962f9e042ffd42509538b8cb0b

SHA512
9856309067f0fd46cc2494be1699abdd906063c2e37e5940da78aeb043435e9aba254104a8609b842da2813a65cd61ae76156f83882820b060ceb1bd4a2979be

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
e8c93147ac1250034b1c3ca818c9d77a

SHA1
b83bfbeab5ee723b8eb81dddd61c16446b8ee258

SHA256
7dd3f85a5bc52a652a6f52e87acd9bbdda1afcd97cc4686e745732910623f6b9

SHA512
fcb14afc368a844eb128059951c5cd8d99e6d922d9983a23358c034c469b0ee22d0a7fb58443b536c0045fe52675f2d40e8770aa32b12f29d5dcfd45fb9bd229

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
967023b7a80858d1a9e09de47d46bbe8

SHA1
c3ff95c4900529be8dfc4eec2af821b8cd595748

SHA256
c88ce80ef7bb6526d7f0f0ac7547e75548314e011098d2a3ae10ff3dce5683f1

SHA512
a3a37eb77c7e8401cdc768c8ce00433f320ab04f0c566a03ff57dafaf9b7fde8378b6811790688de658522db06c124128b97a60851ab4dc9911617bc56667d22

Download Submit
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt

Filesize
1KB

MD5
9037a3b4b74075a0e19a3f2702ba5341

SHA1
12ec20e46667054df520be70681cbd3a65d5b2fa

SHA256
63f8f983cc3c0d5c9ee59d4ce01add1605d39ea57675208f173e2030569329bf

SHA512
5c1a122c52050f38661f99f4cc7d8ef030fd137efc20cc153e91cae1db6dfe83a58eaa74b3f15b999481fee5094d4e8e17673d9d1e6392a10a49701acdea6f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
a4a51849fb2a61a15ee7c504377dbe8b

SHA1
c2d36e9c471592e18ee945a96de4250e558727f5

SHA256
9d141ae5c1efe48efec779c91f171face9def6acd84215b76f989276f7138c0f

SHA512
1c735804587bdc255ade52bf2d0cfb628aba98d170a86278a8adc78ba8ed7240849fa66e1f5243a6bc967bf88207130361a033b88ffc1d499fbd2a291ca908ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-48FAI.tmp\cockroach-on-desktop-1.1-installer_R04-tM1.tmp

Filesize
3.1MB

MD5
bb3f3ea14a7c59b444f886ceb359d130

SHA1
11d680853f62496adf1d303173b1bb86112f14cb

SHA256
9273dc8b86025fd60774bf1bf108d9207686c93217ed50489a2ed94a06e55ab8

SHA512
e9584443b0606ab109452bc43192e325c4f2d2795acd1386db71a2a1f9bb36e6a92bc6992c9b5648ef4bf91f928b5a3484b43645417c701de371f5450bc0b5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\RAV_Cross.png

Filesize
56KB

MD5
4167c79312b27c8002cbeea023fe8cb5

SHA1
fda8a34c9eba906993a336d01557801a68ac6681

SHA256
c3bf350627b842bed55e6a72ab53da15719b4f33c267a6a132cb99ff6afe3cd8

SHA512
4815746e5e30cbef626228601f957d993752a3d45130feeda335690b7d21ed3d6d6a6dc0ad68a1d5ba584b05791053a4fc7e9ac7b64abd47feaa8d3b919353bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\WebAdvisor.png

Filesize
46KB

MD5
5fd73821f3f097d177009d88dfd33605

SHA1
1bacbbfe59727fa26ffa261fb8002f4b70a7e653

SHA256
a6ecce54116936ca27d4be9797e32bf2f3cfc7e41519a23032992970fbd9d3ba

SHA512
1769a6dfaa30aac5997f8d37f1df3ed4aab5bbee2abbcb30bde4230afed02e1ea9e81720b60f093a4c7fb15e22ee15a3a71ff7b84f052f6759640734af976e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\component0.exe

Filesize
44KB

MD5
2ac9d4efc1581eca6cb8fc9401020176

SHA1
161e82b690ebd00dd72fab3e986c59da170347fb

SHA256
aff758894293c62043ec37ce2077c4703ac7f03e7480436f923183b3a8391a63

SHA512
57197a2eb9689b21309cbe2401e901bd713f2bb797c3d8f5721236b61dfd11b0b03ec55b2587559cb775771aa56d74c03aeb469cd19bcba8a547147f213dde2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\component1.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\component1_extract\installer.exe

Filesize
27.5MB

MD5
d2272f3869d5b634f656047968c25ae6

SHA1
453c6ffa6ec3a0a25ae59a1b58a0d18b023edb16

SHA256
d89a2423da3704108861f190e1633d2100ecc30b4c40bd835ce54a6934887bc9

SHA512
41072ef6f382cf6d4d97ebc2a49a50a9bd41b53508a8586fd8d018e86aed135e8ac2cdd16bbf725e4f74f14ecfcf49789d3af8924b6d5dfa6b94dc6bf79a0785

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\component1_extract\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FE149.tmp\mainlogo.jpg

Filesize
2KB

MD5
340939df60c1bcd5729091d3d0e6f8bf

SHA1
e158939ad3e042cf307232c560f7d49980f9c454

SHA256
5d86686f5ac6694676f435a5cece0a3d7d7027b45e30347a8a54049a65a81ab6

SHA512
b0047b39f8b3b585cde901552c42d3fd52d6788b0e3d0fbb8b3cfd009dac940edcd5c9c4a7afc2cdcad2113d8202e53d1d6e0a5cf3e94b6df9a2e9eb73056b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95B9.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\Microsoft.Win32.TaskScheduler.dll

Filesize
341KB

MD5
a09decc59b2c2f715563bb035ee4241e

SHA1
c84f5e2e0f71feef437cf173afeb13fe525a0fea

SHA256
6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149

SHA512
1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\RAVEndPointProtection-installer.exe

Filesize
539KB

MD5
41a3c2a1777527a41ddd747072ee3efd

SHA1
44b70207d0883ec1848c3c65c57d8c14fd70e2c3

SHA256
8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365

SHA512
14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\rsAtom.dll

Filesize
156KB

MD5
9deba7281d8eceefd760874434bd4e91

SHA1
553e6c86efdda04beacee98bcee48a0b0dba6e75

SHA256
02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

SHA512
7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\rsJSON.dll

Filesize
218KB

MD5
f8978087767d0006680c2ec43bda6f34

SHA1
755f1357795cb833f0f271c7c87109e719aa4f32

SHA256
221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

SHA512
54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\rsLogger.dll

Filesize
177KB

MD5
83ad54079827e94479963ba4465a85d7

SHA1
d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

SHA256
ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

SHA512
c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\rsStubLib.dll

Filesize
248KB

MD5
a16602aad0a611d228af718448ed7cbd

SHA1
ddd9b80306860ae0b126d3e834828091c3720ac5

SHA256
a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

SHA512
305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\0b04528b\98b2145f_d49fda01\rsLogger.DLL

Filesize
179KB

MD5
b279550f2557481ae48e257f0964ae29

SHA1
53bef04258321ca30a6d36a7d3523032e3087a3e

SHA256
13fe4a20114cdf8cd3bba42eeaabe8d49be0b03eec423f530c890463014ccaaa

SHA512
f603cbac1f55ad4de7a561a1d9c27e33e36de00f09a18ff956456afec958f3e777277db74f0b25c6467e765d39175aa4fcdd38e87a3d666b608d983acb9321cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\81faba6c\7d50125f_d49fda01\rsAtom.DLL

Filesize
158KB

MD5
875e26eb233dbf556ddb71f1c4d89bb6

SHA1
62b5816d65db3de8b8b253a37412c02e9f46b0f9

SHA256
e62ac7163d7d48504992cd284630c8f94115c3718d60340ad9bb7ee5dd115b35

SHA512
54fdc659157667df4272ac11048f239101cb12b39b2bf049ef552b4e0ce3998ff627bf763e75b5c69cc0d4ef116bfe9043c9a22f2d923dbedddacf397e621035

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\8eb953fd\d814175f_d49fda01\rsServiceController.DLL

Filesize
174KB

MD5
d0779008ba2dc5aba2393f95435a6e8d

SHA1
14ccd0d7b6128cf11c58f15918b2598c5fefe503

SHA256
e74a387b85ee4346b983630b571d241749224d51b81b607f88f6f77559f9cb05

SHA512
931edd82977e9a58c6669287b38c1b782736574db88dad0cc6e0d722c6e810822b3cbe5689647a8a6f2b3692d0c348eb063e17abfa5580a66b17552c30176426

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\b6db465c\98b2145f_d49fda01\rsJSON.DLL

Filesize
219KB

MD5
d43100225a3f78936ca012047a215559

SHA1
c68013c5f929fe098a57870553c3204fd9617904

SHA256
cc5ea6c9c8a14c48a20715b6b3631cbf42f73b41b87d1fbb0462738ff80dc01a

SHA512
9633992a07ea61a9d7acd0723dbd715dbd384e01e268131df0534bcdfcd92f12e3decc76aa870ea4786314c0b939b41c5f9e591a18c4d9d0bad069f30acd833e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg95BA.tmp\uninstall.ico

Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\slejajqy.exe

Filesize
1.9MB

MD5
63f1bf3baae52bdac39db88facabe33b

SHA1
94588230787b84282c41f4f2e696eacf0a4cd78a

SHA256
ec92444feab67c66e632f42abb581e53c8a2ebad4785256c1622287a45aab293

SHA512
b946ffa6bcaba672c583ed1c5df868244f44c39fbdb8255117e073c466cc7a9adc44124d122a9265d0c5bd460830e87d2a11f126c9b400ac42d1ee082ad2d037

Download Submit
C:\Users\Admin\Downloads\cockroach-on-desktop-1.1-installer.exe

Filesize
2.7MB

MD5
53f7174a188cd51357d29e1a5da336b0

SHA1
387498e1b70fedc0565940c4937cae4b5c5be5af

SHA256
836ca9917e55af02bfd216e3e32b8910590de6fe8571483e7cf1d84d0213f04b

SHA512
5eff2cbecc6291fd836f5a8d62d28db1ccdd714063025290e66370c055ffa8b8c2ca9765a2e6e222256f204701e8473028389f1785096f094794ac84cc8ac0f8

Download Submit
memory/644-2862-0x00000227D3770000-0x00000227D37A0000-memory.dmp

Filesize
192KB

Download
memory/644-175-0x00000227B8F30000-0x00000227B8F6A000-memory.dmp

Filesize
232KB

Download
memory/644-2363-0x00000227D36A0000-0x00000227D36F0000-memory.dmp

Filesize
320KB

Download
memory/644-2851-0x00000227D36F0000-0x00000227D372A000-memory.dmp

Filesize
232KB

Download
memory/644-183-0x00000227D3170000-0x00000227D31C8000-memory.dmp

Filesize
352KB

Download
memory/644-178-0x00000227D3020000-0x00000227D304A000-memory.dmp

Filesize
168KB

Download
memory/644-2887-0x00000227D38B0000-0x00000227D38DE000-memory.dmp

Filesize
184KB

Download
memory/644-169-0x00000227B8950000-0x00000227B89D8000-memory.dmp

Filesize
544KB

Download
memory/644-2874-0x00000227D37D0000-0x00000227D37FA000-memory.dmp

Filesize
168KB

Download
memory/644-173-0x00000227B8EA0000-0x00000227B8ED0000-memory.dmp

Filesize
192KB

Download
memory/644-171-0x00000227B8E60000-0x00000227B8EA0000-memory.dmp

Filesize
256KB

Download
memory/1212-33-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1212-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1212-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1488-20-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1488-1544-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1488-96-0x0000000002EC0000-0x0000000003000000-memory.dmp

Filesize
1.2MB

Download
memory/1488-34-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1488-30-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1488-29-0x0000000002EC0000-0x0000000003000000-memory.dmp

Filesize
1.2MB

Download
memory/1488-25-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1488-24-0x0000000002EC0000-0x0000000003000000-memory.dmp

Filesize
1.2MB

Download
memory/1488-19-0x0000000002EC0000-0x0000000003000000-memory.dmp

Filesize
1.2MB

Download
memory/1488-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2072-1243-0x00007FF640AA0000-0x00007FF640AB0000-memory.dmp

Filesize
64KB

Download
memory/2072-1056-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-463-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-452-0x00007FF637CB0000-0x00007FF637CC0000-memory.dmp

Filesize
64KB

Download
memory/2072-431-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-397-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-554-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-550-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-406-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-385-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-981-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-1245-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-1261-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-1260-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-1257-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-1256-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-1250-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-1249-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-1247-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-1255-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-1242-0x00007FF640AA0000-0x00007FF640AB0000-memory.dmp

Filesize
64KB

Download
memory/2072-1241-0x00007FF640AA0000-0x00007FF640AB0000-memory.dmp

Filesize
64KB

Download
memory/2072-1240-0x00007FF640AA0000-0x00007FF640AB0000-memory.dmp

Filesize
64KB

Download
memory/2072-384-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-562-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-578-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-579-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-639-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-656-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-662-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-665-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-667-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-703-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-1030-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-714-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-719-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-778-0x00007FF637CB0000-0x00007FF637CC0000-memory.dmp

Filesize
64KB

Download
memory/2072-784-0x00007FF637CB0000-0x00007FF637CC0000-memory.dmp

Filesize
64KB

Download
memory/2072-792-0x00007FF637CB0000-0x00007FF637CC0000-memory.dmp

Filesize
64KB

Download
memory/2072-796-0x00007FF637CB0000-0x00007FF637CC0000-memory.dmp

Filesize
64KB

Download
memory/2072-802-0x00007FF637CB0000-0x00007FF637CC0000-memory.dmp

Filesize
64KB

Download
memory/2072-864-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-610-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-587-0x00007FF62A3E0000-0x00007FF62A3F0000-memory.dmp

Filesize
64KB

Download
memory/2072-480-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-448-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-382-0x00007FF640AA0000-0x00007FF640AB0000-memory.dmp

Filesize
64KB

Download
memory/2072-491-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-494-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-513-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-525-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-541-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-544-0x00007FF5DD910000-0x00007FF5DD920000-memory.dmp

Filesize
64KB

Download
memory/2072-971-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/2072-356-0x00007FF640AA0000-0x00007FF640AB0000-memory.dmp

Filesize
64KB

Download
memory/2072-972-0x00007FF641EE0000-0x00007FF641EF0000-memory.dmp

Filesize
64KB

Download
memory/4072-2930-0x000002006CC00000-0x000002006CC3C000-memory.dmp

Filesize
240KB

Download
memory/4072-2929-0x00000200543A0000-0x00000200543B2000-memory.dmp

Filesize
72KB

Download
memory/4072-2916-0x0000020052640000-0x000002005266E000-memory.dmp

Filesize
184KB

Download
memory/4072-2915-0x0000020052640000-0x000002005266E000-memory.dmp

Filesize
184KB

Download
memory/4476-51-0x00000275AB1E0000-0x00000275AB1E8000-memory.dmp

Filesize
32KB

Download
memory/4476-52-0x00007FFC13A83000-0x00007FFC13A85000-memory.dmp

Filesize
8KB

Download
memory/4476-53-0x00000275C5BA0000-0x00000275C60C8000-memory.dmp

Filesize
5.2MB

Download
memory/5776-2954-0x0000014127590000-0x00000141278F6000-memory.dmp

Filesize
3.4MB

Download
memory/5776-2955-0x0000014127900000-0x0000014127A7C000-memory.dmp

Filesize
1.5MB

Download
memory/5776-2956-0x000001410EB20000-0x000001410EB3A000-memory.dmp

Filesize
104KB

Download
memory/5776-2957-0x0000014127250000-0x0000014127272000-memory.dmp

Filesize
136KB

Download