zgrat | hxxps://d1vdn3r1396bak[.]cloudfront[.]net/installer/103517162641006686/74786417

Analysis

max time kernel
28s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://d1vdn3r1396bak.cloudfront.net/installer/103517162641006686/74786417

Score

10^/10

zgrat bootkit discovery evasion execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023e45-3700.dat	family_zgrat_v1
behavioral1/files/0x0007000000023e58-3696.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CheatEngine75.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	prod0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe

Executes dropped EXE 9 IoCs

pid	Process
2244	CheatEngine75.tmp
4540	CheatEngine75.tmp
3604	prod0.exe
3636	saBSI.exe
208	avg_secure_browser_setup.exe
4648	CheatEngine75.exe
216	a1d242dk.exe
4556	CheatEngine75.tmp
4864	RAVEndPointProtection-installer.exe

Loads dropped DLL 9 IoCs

pid	Process
4540	CheatEngine75.tmp
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
216	a1d242dk.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5076	icacls.exe
5956	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 11 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	avg_secure_browser_setup.exe

Drops file in Program Files directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Cheat Engine 7.5\d3dhook64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\win64\dbghelp.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\libipt-32.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\CSCompiler.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-64-linux.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\ced3d11hook.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\win32\dbghelp.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\d3dhook.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\ceregreset.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\clibs64\lfs.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\autorun\dlls\64\CEJVMTI.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\autorun\dlls\MonoDataCollector64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\DotNetDataCollector64.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc32-32.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc32-32-linux.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\ced3d10hook64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\gtutorial-i386.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\cheatengine-i386.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\win64\sqlite3.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\allochook-i386.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\lua53-32.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\autorun\dlls\DotNetInterface.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\speedhack-x86_64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\libmikmod64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\libipt-64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\Tutorial-x86_64.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\ced3d10hook.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\lua53-64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\win32\sqlite3.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\clibs32\lfs.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release\CEPluginExample.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\winhook-i386.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\win64\symsrv.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\CheatEngine.chm	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\libmikmod32.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-32.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-aarch64-linux.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\luaclient-i386.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-32-linux.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\gtutorial-x86_64.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\CEJVMTI.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\vehdebug-i386.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\ced3d11hook64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\win32\symsrv.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\autorun\dlls\MonoDataCollector32.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\DotNetDataCollector32.exe	CheatEngine75.tmp

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1004	sc.exe
1088	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6040	4540	WerFault.exe	108
5440	4540	WerFault.exe	108

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg_secure_browser_setup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg_secure_browser_setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Runs net.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	88	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4540	CheatEngine75.tmp
4556	CheatEngine75.tmp
4556	CheatEngine75.tmp
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe
208	avg_secure_browser_setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	prod0.exe
Token: SeDebugPrivilege	4864	RAVEndPointProtection-installer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4540	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 2244	5084	CheatEngine75.exe	106
PID 5084 wrote to memory of 2244	5084	CheatEngine75.exe	106
PID 5084 wrote to memory of 2244	5084	CheatEngine75.exe	106
PID 756 wrote to memory of 4540	756	CheatEngine75.exe	108
PID 756 wrote to memory of 4540	756	CheatEngine75.exe	108
PID 756 wrote to memory of 4540	756	CheatEngine75.exe	108
PID 4540 wrote to memory of 3604	4540	CheatEngine75.tmp	110
PID 4540 wrote to memory of 3604	4540	CheatEngine75.tmp	110
PID 4540 wrote to memory of 3636	4540	CheatEngine75.tmp	111
PID 4540 wrote to memory of 3636	4540	CheatEngine75.tmp	111
PID 4540 wrote to memory of 3636	4540	CheatEngine75.tmp	111
PID 4540 wrote to memory of 208	4540	CheatEngine75.tmp	112
PID 4540 wrote to memory of 208	4540	CheatEngine75.tmp	112
PID 4540 wrote to memory of 208	4540	CheatEngine75.tmp	112
PID 4540 wrote to memory of 4648	4540	CheatEngine75.tmp	113
PID 4540 wrote to memory of 4648	4540	CheatEngine75.tmp	113
PID 4540 wrote to memory of 4648	4540	CheatEngine75.tmp	113
PID 3604 wrote to memory of 216	3604	prod0.exe	114
PID 3604 wrote to memory of 216	3604	prod0.exe	114
PID 3604 wrote to memory of 216	3604	prod0.exe	114
PID 4648 wrote to memory of 4556	4648	CheatEngine75.exe	115
PID 4648 wrote to memory of 4556	4648	CheatEngine75.exe	115
PID 4648 wrote to memory of 4556	4648	CheatEngine75.exe	115
PID 4556 wrote to memory of 1832	4556	CheatEngine75.tmp	116
PID 4556 wrote to memory of 1832	4556	CheatEngine75.tmp	116
PID 216 wrote to memory of 4864	216	a1d242dk.exe	118
PID 216 wrote to memory of 4864	216	a1d242dk.exe	118
PID 1832 wrote to memory of 4860	1832	net.exe	119
PID 1832 wrote to memory of 4860	1832	net.exe	119
PID 4556 wrote to memory of 3516	4556	CheatEngine75.tmp	120
PID 4556 wrote to memory of 3516	4556	CheatEngine75.tmp	120
PID 3516 wrote to memory of 460	3516	net.exe	122
PID 3516 wrote to memory of 460	3516	net.exe	122
PID 4556 wrote to memory of 1004	4556	CheatEngine75.tmp	123
PID 4556 wrote to memory of 1004	4556	CheatEngine75.tmp	123
PID 4556 wrote to memory of 1088	4556	CheatEngine75.tmp	125
PID 4556 wrote to memory of 1088	4556	CheatEngine75.tmp	125

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://d1vdn3r1396bak.cloudfront.net/installer/103517162641006686/74786417
1⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4080,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:1
1⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4048,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5060 /prefetch:1
1⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5160,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:1
1⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5436,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8
1⤵
PID:628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5452,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
1⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6140,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:1
1⤵
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=5200,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6108 /prefetch:8
1⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6292,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:1
1⤵
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5104,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6036 /prefetch:8
1⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7064,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=7292 /prefetch:8
1⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7316,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=7368 /prefetch:8
1⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=7072,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=7460 /prefetch:8
1⤵
PID:2888

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x50c
1⤵
PID:408

C:\Users\Admin\Downloads\CheatEngine75.exe
"C:\Users\Admin\Downloads\CheatEngine75.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\is-CHIC1.tmp\CheatEngine75.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CHIC1.tmp\CheatEngine75.tmp" /SL5="$80068,29019897,780800,C:\Users\Admin\Downloads\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  PID:2244

C:\Users\Admin\Downloads\CheatEngine75.exe
"C:\Users\Admin\Downloads\CheatEngine75.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\is-9241F.tmp\CheatEngine75.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9241F.tmp\CheatEngine75.tmp" /SL5="$60208,29019897,780800,C:\Users\Admin\Downloads\CheatEngine75.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod0.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod0.exe" -ip:"dui=d2547453-e731-4fdf-8f92-95f955a44aca&dit=20240509032520&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=d2547453-e731-4fdf-8f92-95f955a44aca&dit=20240509032520&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=d2547453-e731-4fdf-8f92-95f955a44aca&dit=20240509032520&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\a1d242dk.exe
      "C:\Users\Admin\AppData\Local\Temp\a1d242dk.exe" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Users\Admin\AppData\Local\Temp\nsl47E3.tmp\RAVEndPointProtection-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsl47E3.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\a1d242dk.exe" /silent
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
      - C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        6⤵
        
        PID:3584
- - C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod1_extract\saBSI.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
    3⤵
    - Executes dropped EXE
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod1_extract\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
      4⤵
      PID:5196
    - - C:\Program Files\McAfee\Temp1957982830\installer.exe
        
        "C:\Program Files\McAfee\Temp1957982830\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        5⤵
        
        PID:5492
      - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        6⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        7⤵
        
        PID:6308
      - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        6⤵
        
        PID:6660
      - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        6⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
        7⤵
        
        PID:5408
      - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
        6⤵
        
        PID:5876
- - C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod2_extract\avg_secure_browser_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod2_extract\avg_secure_browser_setup.exe" /s /run_source=avg_ads_is_control /is_pixel_psh=BjYV6dEDZfwmEGYrTfYRlDggvBuiYwzGf32cSh2255pj5r5EDMNCQv05pa0xtq60t43at6nAHe8afoB /make-default
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\AVGBrowserUpdateSetup.exe
      AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9230&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome"
      4⤵
      PID:5612
    - - C:\Program Files (x86)\GUM6165.tmp\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\GUM6165.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9230&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome"
        5⤵
        
        PID:5868
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
        6⤵
        
        PID:5408
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
        6⤵
        
        PID:5424
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        
        PID:5308
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        
        PID:4288
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        
        PID:5220
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezAzNUZCMjFCLTE2RTUtNDAyRS05QkJCLUM4NzMzREM2NjNGMX0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9InswMjBGNUNDRS1FMEE5LTQzQkQtQUNGNi0yNTI3MzREMUQ3OUF9IiB1c2VyaWRfZGF0ZT0iMjAyNDA1MDkiIG1hY2hpbmVpZD0iezAwMDA5QkIwLTk4NjYtMzU5Mi1BM0E2LTA4NkJDQzI5MDlFN30iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDUwOSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9IntBQTE4NzFEOC0yNUYzLTRCODEtODk2NC0zQTI0RTg5OUQ1QkV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjkzLjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTIzMCIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMjUzMSIvPjwvYXBwPjwvcmVxdWVzdD4
        6⤵
        
        PID:6916
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9230&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{035FB21B-16E5-402E-9BBB-C8733DC663F1}" /silent
        6⤵
        
        PID:6708
- - C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\CheatEngine75.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\is-9B8RD.tmp\CheatEngine75.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9B8RD.tmp\CheatEngine75.tmp" /SL5="$102A8,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        6⤵
        
        PID:4860
    - - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3516
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        6⤵
        
        PID:460
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        5⤵
        Launches sc.exe
        
        PID:1004
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        5⤵
        Launches sc.exe
        
        PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\is-ECUN6.tmp\_isetup\_setup64.tmp
        
        helper 105 0x45C
        5⤵
        
        PID:3964
    - - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        5⤵
        Modifies file permissions
        
        PID:5076
    - - C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        5⤵
        
        PID:5292
    - - C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        5⤵
        
        PID:5040
    - - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        5⤵
        Modifies file permissions
        
        PID:5956
- - C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
    "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
    3⤵
    PID:5808
  - - C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
      "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
      4⤵
      PID:5280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1116
    3⤵
    - Program crash
    PID:6040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1116
    3⤵
    - Program crash
    PID:5440

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
PID:3652

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
PID:2564
- C:\Program Files (x86)\AVG\Browser\Update\Install\{F17EBACF-27EA-4AD0-8669-D5812DAEB46B}\AVGBrowserInstaller.exe
  "C:\Program Files (x86)\AVG\Browser\Update\Install\{F17EBACF-27EA-4AD0-8669-D5812DAEB46B}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=msedge --import-cookies --auto-launch-chrome --system-level
  2⤵
  PID:4308
- - C:\Program Files (x86)\AVG\Browser\Update\Install\{F17EBACF-27EA-4AD0-8669-D5812DAEB46B}\CR_5D91B.tmp\setup.exe
    "C:\Program Files (x86)\AVG\Browser\Update\Install\{F17EBACF-27EA-4AD0-8669-D5812DAEB46B}\CR_5D91B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{F17EBACF-27EA-4AD0-8669-D5812DAEB46B}\CR_5D91B.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=msedge --import-cookies --auto-launch-chrome --system-level
    3⤵
    PID:6808
  - - C:\Program Files (x86)\AVG\Browser\Update\Install\{F17EBACF-27EA-4AD0-8669-D5812DAEB46B}\CR_5D91B.tmp\setup.exe
      "C:\Program Files (x86)\AVG\Browser\Update\Install\{F17EBACF-27EA-4AD0-8669-D5812DAEB46B}\CR_5D91B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=123.0.24828.123 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x7ff6e5d323d0,0x7ff6e5d323dc,0x7ff6e5d323e8
      4⤵
      PID:6496

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
PID:5608
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  PID:6892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:7068
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  PID:4464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4540 -ip 4540
1⤵
PID:7164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4540 -ip 4540
1⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ff8a5a9ceb8,0x7ff8a5a9cec4,0x7ff8a5a9ced0
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3008,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=3004 /prefetch:2
  2⤵
  PID:6316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1772,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=3272 /prefetch:3
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2012,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  PID:6356
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4400,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8
  2⤵
  PID:6716
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4400,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4684,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=4772,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4888,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5496,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5488,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5676,i,15193968294766489442,14229788278862416635,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:6676

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:6876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe

Filesize
204KB

MD5
cbcdf56c8a2788ed761ad3178e2d6e9c

SHA1
bdee21667760bc0df3046d6073a05d779fdc82cb

SHA256
e9265a40e5ee5302e8e225ea39a67d452eaac20370f8b2828340ba079abbbfd3

SHA512
5f68e7dffdd3424e0eb2e5cd3d05f8b6ba497aab9408702505341b2c89f265ebb4f9177611d51b9a56629a564431421f3ecb8b25eb08fb2c54dfeddecb9e9f2e

Download Submit
C:\Program Files (x86)\GUM6165.tmp\@PaxHeader

Filesize
27B

MD5
fc8ee03b2a65f381e4245432d5fef60e

SHA1
d2b7d9be66c75ccf24fcb45a6d0dacedd8b6dd6f

SHA256
751a04263c2ebb889fdcd11045d6f3602690318ebaaa54f66e1332d76dde9ef4

SHA512
0837f2b22c9629990165c5e070e710a69ad4951b7fcfe28bd52354c4b8a7246672497b8aaf521a8773c7ec2a4249fc4318330948ab0d8db8c6c74da57b32f1c4

Download Submit
C:\Program Files\AVG\Browser\Application\123.0.24828.123\Installer\setup.exe

Filesize
3.4MB

MD5
b4fb7b4e93e5f564e953e5a225a711e5

SHA1
27dee69da6379e54fc94516eaee3cfb3a34fe240

SHA256
e93a3b3e4609c966fb8c8c5233a86e206a4924bae4f59289614f2f9ffed29a9b

SHA512
bcc82dfde782621d37e37e14794d3431c0990a2bd3869c09905597824b0b140a3c6bce89150acb7e465ab942a102c8ee5d618817c053afd3442ce5f878c1d163

Download Submit
C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

Filesize
236KB

MD5
9af96706762298cf72df2a74213494c9

SHA1
4b5fd2f168380919524ecce77aa1be330fdef57a

SHA256
65fa2ccb3ac5400dd92dda5f640445a6e195da7c827107260f67624d3eb95e7d

SHA512
29a0619093c4c0ecf602c861ec819ef16550c0607df93067eaef4259a84fd7d40eb88cd5548c0b3b265f3ce5237b585f508fdd543fa281737be17c0551163bd4

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-i386.dll

Filesize
328KB

MD5
19d52868c3e0b609dbeb68ef81f381a9

SHA1
ce365bd4cf627a3849d7277bafbf2f5f56f496dc

SHA256
b96469b310ba59d1db320a337b3a8104db232a4344a47a8e5ae72f16cc7b1ff4

SHA512
5fbd53d761695de1dd6f0afd0964b33863764c89692345cab013c0b1b6332c24dcf766028f305cc87d864d17229d7a52bf19a299ca136a799053c368f21c8926

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll

Filesize
468KB

MD5
daa81711ad1f1b1f8d96dc926d502484

SHA1
7130b241e23bede2b1f812d95fdb4ed5eecadbfd

SHA256
8422be70e0ec59c962b35acf8ad80671bcc8330c9256e6e1ec5c07691388cd66

SHA512
9eaa8e04ad7359a30d5e2f9256f94c1643d4c3f3c0dff24d6cd9e31a6f88cb3b470dd98f01f8b0f57bb947adc3d45c35749ed4877c7cbbbcc181145f0c361065

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png

Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook.dll

Filesize
128KB

MD5
43dac1f3ca6b48263029b348111e3255

SHA1
9e399fddc2a256292a07b5c3a16b1c8bdd8da5c1

SHA256
148f12445f11a50efbd23509139bf06a47d453e8514733b5a15868d10cc6e066

SHA512
6e77a429923b503fc08895995eb8817e36145169c2937dacc2da92b846f45101846e98191aeb4f0f2f13fff05d0836aa658f505a04208188278718166c5e3032

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook64.dll

Filesize
140KB

MD5
0daf9f07847cceb0f0760bf5d770b8c1

SHA1
992cc461f67acea58a866a78b6eefb0cbcc3aaa1

SHA256
a2ac2ba27b0ed9acc3f0ea1bef9909a59169bc2eb16c979ef8e736a784bf2fa4

SHA512
b4dda28721de88a372af39d4dfba6e612ce06cc443d6a6d636334865a9f8ca555591fb36d9829b54bc0fb27f486d4f216d50f68e1c2df067439fe8ebbf203b6a

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook.dll

Filesize
137KB

MD5
42e2bf4210f8126e3d655218bd2af2e4

SHA1
78efcb9138eb0c800451cf2bcc10e92a3adf5b72

SHA256
1e30126badfffb231a605c6764dd98895208779ef440ea20015ab560263dd288

SHA512
c985988d0832ce26337f774b160ac369f2957c306a1d82fbbffe87d9062ae5f3af3c1209768cd574182669cd4495dba26b6f1388814c0724a7812218b0b8dc74

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook64.dll

Filesize
146KB

MD5
0eaac872aadc457c87ee995bbf45a9c1

SHA1
5e9e9b98f40424ad5397fc73c13b882d75499d27

SHA256
6f505cc5973687bbda1c2d9ac8a635d333f57c12067c54da7453d9448ab40b8f

SHA512
164d1e6ef537d44ac4c0fd90d3c708843a74ac2e08fa2b3f0fdd4a180401210847e0f7bb8ec3056f5dc1d5a54d3239c59fb37914ce7742a4c0eb81578657d24b

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll

Filesize
124KB

MD5
5f1a333671bf167730ed5f70c2c18008

SHA1
c8233bbc6178ba646252c6566789b82a3296cab5

SHA256
fd2a2b4fe4504c56347c35f24d566cc0510e81706175395d0a2ba26a013c4daf

SHA512
6986d93e680b3776eb5700143fc35d60ca9dbbdf83498f8731c673f9fd77c8699a24a4849db2a273aa991b8289e4d6c3142bbde77e11f2faf603df43e8fea105

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll

Filesize
136KB

MD5
61ba5199c4e601fa6340e46bef0dff2d

SHA1
7c1a51d6d75b001ba1acde2acb0919b939b392c3

SHA256
8783f06f7b123e16042bb0af91ff196b698d3cd2aa930e3ea97cfc553d9fc0f4

SHA512
8ce180a622a5788bb66c5f3a4abfde62c858e86962f29091e9c157753088ddc826c67c51ff26567bfe2b75737897f14e6bb17ec89f52b525f6577097f1647d31

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook.dll

Filesize
119KB

MD5
2a2ebe526ace7eea5d58e416783d9087

SHA1
5dabe0f7586f351addc8afc5585ee9f70c99e6c4

SHA256
e2a7df4c380667431f4443d5e5fc43964b76c8fcb9cf4c7db921c4140b225b42

SHA512
94ed0038068abddd108f880df23422e21f9808ce04a0d14299aacc5d573521f52626c0c2752b314cda976f64de52c4d5bcac0158b37d43afb9bc345f31fdbbc0

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook64.dll

Filesize
131KB

MD5
2af7afe35ab4825e58f43434f5ae9a0f

SHA1
b67c51cad09b236ae859a77d0807669283d6342f

SHA256
7d82694094c1bbc586e554fa87a4b1ed6ebc9eb14902fd429824dcd501339722

SHA512
23b7c6db0cb9c918ad9f28fa0e4e683c7e2495e89a136b75b7e1be6380591da61b6fb4f7248191f28fd3d80c4a391744a96434b4ab96b9531b5ebb0ec970b9d0

Download Submit
C:\Program Files\Cheat Engine 7.5\is-JCAVN.tmp

Filesize
12.2MB

MD5
5be6a65f186cf219fa25bdd261616300

SHA1
b5d5ae2477653abd03b56d1c536c9a2a5c5f7487

SHA256
274e91a91a7a520f76c8e854dc42f96484af2d69277312d861071bde5a91991c

SHA512
69634d85f66127999ea4914a93b3b7c90bc8c8fab1b458cfa6f21ab0216d1dacc50976354f7f010bb31c5873cc2d2c30b4a715397fb0e9e01a5233c2521e7716

Download Submit
C:\Program Files\Cheat Engine 7.5\languages\language.ini

Filesize
283B

MD5
af5ed8f4fe5370516403ae39200f5a4f

SHA1
9299e9998a0605182683a58a5a6ab01a9b9bc037

SHA256
4aa4f0b75548d45c81d8e876e2db1c74bddfd64091f102706d729b50a7af53a5

SHA512
f070049a2fae3223861424e7fe79cbae6601c9bee6a56fadde4485ad3c597dc1f3687e720177ab28564a1faab52b6679e9315f74327d02aa1fb31e7b8233a80f

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-32.dll

Filesize
157KB

MD5
df443813546abcef7f33dd9fc0c6070a

SHA1
635d2d453d48382824e44dd1e59d5c54d735ee2c

SHA256
d14911c838620251f7f64c190b04bb8f4e762318cc763d993c9179376228d8ca

SHA512
9f9bea9112d9db9bcecfc8e4800b7e8032efb240cbbddaf26c133b4ce12d27b47dc4e90bc339c561714bc972f6e809b2ec9c9e1facc6c223fbac66b089a14c25

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-64.dll

Filesize
182KB

MD5
4a3b7c52ef32d936e3167efc1e920ae6

SHA1
d5d8daa7a272547419132ddb6e666f7559dbac04

SHA256
26ede848dba071eb76c0c0ef8e9d8ad1c53dfab47ca9137abc9d683032f06ebb

SHA512
36d7f8a0a749de049a830cc8c8f0d3962d8dce57b445f5f3c771a86dd11aaa10da5f36f95e55d3dc90900e4dbddd0dcc21052c53aa11f939db691362c42e5312

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-i386.dll

Filesize
197KB

MD5
9f50134c8be9af59f371f607a6daa0b6

SHA1
6584b98172cbc4916a7e5ca8d5788493f85f24a7

SHA256
dd07117ed80546f23d37f8023e992de560a1f55a76d1eb6dfd9d55baa5e3dad6

SHA512
5ccafa2b0e2d20034168ee9a79e8efff64f12f5247f6772815ef4cb9ee56f245a06b088247222c5a3789ae2dcefadbc2c15df4ff5196028857f92b9992b094e0

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll

Filesize
260KB

MD5
dd71848b5bbd150e22e84238cf985af0

SHA1
35c7aa128d47710cfdb15bb6809a20dbd0f916d8

SHA256
253d18d0d835f482e6abbaf716855580eb8fe789292c937301e4d60ead29531d

SHA512
0cbf35c9d7b09fb57d8a9079eab726a3891393f12aee8b43e01d1d979509e755b74c0fb677f8f2dfab6b2e34a141f65d0cfbfe57bda0bf7482841ad31ace7790

Download Submit
C:\Program Files\Cheat Engine 7.5\overlay.fx

Filesize
2KB

MD5
650c02fc9f949d14d62e32dd7a894f5e

SHA1
fa5399b01aadd9f1a4a5632f8632711c186ec0de

SHA256
c4d23db8effb359b4aa4d1e1e480486fe3a4586ce8243397a94250627ba4f8cc

SHA512
f2caaf604c271283fc7af3aa9674b9d647c4ac53dffca031dbf1220d3ed2e867943f5409a95f41c61d716879bed7c888735f43a068f1cc1452b4196d611cb76d

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll

Filesize
200KB

MD5
6e00495955d4efaac2e1602eb47033ee

SHA1
95c2998d35adcf2814ec7c056bfbe0a0eb6a100c

SHA256
5e24a5fe17ec001cab7118328a4bff0f2577bd057206c6c886c3b7fb98e0d6d9

SHA512
2004d1def322b6dd7b129fe4fa7bbe5d42ab280b2e9e81de806f54313a7ed7231f71b62b6138ac767288fee796092f3397e5390e858e06e55a69b0d00f18b866

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-x86_64.dll

Filesize
256KB

MD5
19b2050b660a4f9fcb71c93853f2e79c

SHA1
5ffa886fa019fcd20008e8820a0939c09a62407a

SHA256
5421b570fbc1165d7794c08279e311672dc4f42cb7ae1cbddcd7eea0b1136fff

SHA512
a93e47387ab0d327b71c3045b3964c7586d0e03dddb2e692f6671fb99659e829591d5f23ce7a95683d82d239ba7d11fb5a123834629a53de5ce5dba6aa714a9a

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-i386.dll

Filesize
324KB

MD5
e9b5905d495a88adbc12c811785e72ec

SHA1
ca0546646986aab770c7cf2e723c736777802880

SHA256
3eb9cd27035d4193e32e271778643f3acb2ba73341d87fd8bb18d99af3dffdea

SHA512
4124180b118149c25f8ea8dbbb2912b4bd56b43f695bf0ff9c6ccc95ade388f1be7d440a791d49e4d5c9c350ea113cf65f839a3c47d705533716acc53dd038f8

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll

Filesize
413KB

MD5
8d487547f1664995e8c47ec2ca6d71fe

SHA1
d29255653ae831f298a54c6fa142fb64e984e802

SHA256
f50baf9dc3cd6b925758077ec85708db2712999b9027cc632f57d1e6c588df21

SHA512
79c230cfe8907df9da92607a2c1ace0523a36c3a13296cb0265329208edc453e293d7fbedbd5410decf81d20a7fe361fdebddadbc1dc63c96130b0bedf5b1d8a

Download Submit
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

Filesize
262KB

MD5
9a4d1b5154194ea0c42efebeb73f318f

SHA1
220f8af8b91d3c7b64140cbb5d9337d7ed277edb

SHA256
2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363

SHA512
6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-i386.dll

Filesize
201KB

MD5
de625af5cf4822db08035cc897f0b9f2

SHA1
4440b060c1fa070eb5d61ea9aadda11e4120d325

SHA256
3cdb85ee83ef12802efdfc9314e863d4696be70530b31e7958c185fc4d6a9b38

SHA512
19b22f43441e8bc72507be850a8154321c20b7351669d15af726145c0d34805c7df58f9dc64a29272a4811268308e503e9840f06e51ccdcb33afd61258339099

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll

Filesize
264KB

MD5
f9c562b838a3c0620fb6ee46b20b554c

SHA1
5095f54be57622730698b5c92c61b124dfb3b944

SHA256
e08b035d0a894d8bea64e67b1ed0bce27567d417eaaa133e8b231f8a939e581d

SHA512
a20bc9a442c698c264fef82aa743d9f3873227d7d55cb908e282fa1f5dcff6b40c5b9ca7802576ef2f5a753fd1c534e9be69464b29af8efec8b019814b875296

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
73KB

MD5
6f97cb1b2d3fcf88513e2c349232216a

SHA1
846110d3bf8b8d7a720f646435909ef80bbcaa0c

SHA256
6a031052be1737bc2767c3ea65430d8d7ffd1c9115e174d7dfb64ad510011272

SHA512
2919176296b953c9ef232006783068d255109257653ac5ccd64a3452159108890a1e8e7d6c030990982816166517f878f6032946a5558f8ae3510bc044809b07

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Filesize
797KB

MD5
ded746a9d2d7b7afcb3abe1a24dd3163

SHA1
a074c9e981491ff566cd45b912e743bd1266c4ae

SHA256
c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3

SHA512
2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
331KB

MD5
8556afbb1722951ddc64e7642ee7ac9c

SHA1
f25a52b068eb3898dc1d018fd481af000ac9cc7d

SHA256
325870bc55b57f0f018c6a572cddec8b339540a0b337ea5efd97014e8c00ad10

SHA512
57d3c271752f6cd44edb43c2d79e7188b57561678057f05bcb145f23e2729715645f3c520eef8106221d7a981bb0f65b80e51a92f86c1f0de11932a92147a962

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
79a3316d934da771d43a0eb38b43b411

SHA1
f4df6d0423d63f7e0792d1d55af6b36a94c7449a

SHA256
2a96c5474735e92836286f33218d8338591c15b3441faf8672d3b687411f01af

SHA512
b597cc7018ad0a9695c6ffeb3370e3c04e9d35d7090de176aa40531a6720e2bd0cb9f1ab1a8304ed17e0987982028a91b2d8d5cf3229a62c5d0fcd4ab1c6b700

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
347KB

MD5
b8f08b5a671b1d91bc615a1be333d037

SHA1
2d17004a8635d9c349b43aec7996384cc7b17a95

SHA256
c5f855c4e6f7aac4547f4dfae4ec03b1d3ec51b18c69ae94d3402b27a32b562c

SHA512
c0f75d936196b65fb2eea75de1d97b9cd6d9a6777553bbcd706e1c3a29248543cc6aa2f47b46142155482613f9106e84e5b8036c0fa46893600272043fc20335

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
c128d7b407d111298c6fd54b5d1d30dc

SHA1
f1b0a405660ddcef6a37155759f08b1bc50f27d3

SHA256
60bb746a55444c32b1dd73555e4ed4e3d21a792c818279d4952f302553393a9d

SHA512
17f4a4923166da9229bff98dacecb5d9824d435847c4d371d7eb441b6e836d36b92c187fba08666d3c26ce61eeeb7bd5ab675983d793ba9315c47d8d6ca8bce7

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

Filesize
2KB

MD5
4207a9b208fab844d40649e7c338ad8f

SHA1
5910fef1c13e46f62ca14c0f7e23530a2b35c88a

SHA256
b0b45848ab06615ebed67800e75c02d02bfe13ea5bd0ca95f3f56ac6f36a27ac

SHA512
22e8ba16dbed4743fbecc96ce41f241af64534663eada51f042482ad6e3e940bddca52ca460a9e636fd5e20755cc83f0d244161cbc7b47c9bd8d3bf277c1cfb7

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

Filesize
17KB

MD5
7fa226087d65fa907c1c83b2d993c058

SHA1
e495a95dadafd4e1c79f6af0a2c74eb0cb9c24d4

SHA256
84f342ec856caa89b856aa53979b59884157f59326f371ffc0a9ff6d2eaf65ba

SHA512
b2cab37056f3b8dbcc675487f8f6166512deb952e93344b78833b2d469e72731f07dff9023f454cb0a3ef933bd5d3cfacbddfc134f7395ef08c614d979c951ac

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
5e930692ea5327b595b897fa8b835118

SHA1
c5f1c47a5ad7ce2be3fa949bc619fe9bd47d3ea2

SHA256
7a03aa81245ef573cac3237fa4183dda1872ecbe8ac8a55104af1586c46bb764

SHA512
46860485ef44fc8af3b2b82f3e38bb2d8720ecec6323685caf6509b0c72025591a1c7df9f4e23008123f95a29f74c2ff3e2916ab44ef3d1242e22b32d40b9c55

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
70ab32275327719e641a96f55e68c622

SHA1
79db84f1526512c373ba783e014474d4073a727d

SHA256
89d9afedb46c50c7eab401b34e24e1ce7d9b41ea3e3eb634231ccc0301d00d71

SHA512
22ae9a31871c14c42b8eb29363d1c1c58ed2a7c523849bad1970da4b51b72c049ca021d5f222fe8d33ca1a5f6b4b698a7acefcc98878e823bd90802ed717aa3c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
dec5b1d8ac254b2cc0c4c82826932630

SHA1
135414fa58f9938f88bf4c436beae3c466284c28

SHA256
ef7d2529aba17b570a62d09561fb4c20b3e6ed8738af0cbbd3887621ec5b905f

SHA512
b85fa65bd2c301c2ac0f547b3c2a646b45c606e22dc6f754116e8dd2be44263ea0549e5d7fbe9c496f64ecd04a8a049204c6dfe57496289f8a0dafaf38f6a64b

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
9620b5e9a23d598ae90d1e8d63083cda

SHA1
12118ac4efce181bec30d472dbf114537e851a42

SHA256
06da32230175d44dfe7c235544dac41b2f72aa1e9f62dd20c2bf6e3241933f9e

SHA512
57016cf6efa0b54c97d393c17c19fa5c77edd2c3c403114c2805027a95784c43d7f507d5879c64403042c0b4878e980ffd6bab096d6510b6f385ee51b4a99dc7

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
afb0eb14fb29dc5c524817a0c57900b9

SHA1
bcc0aefd96038cc38a8d86f37c5f92c427be6c3b

SHA256
f81470fd5efb2dab8eee98e82056358aa8b8dd91f5b20f3fd39b8f292f12fcc7

SHA512
16683f7ba15963da95d9dea531a1af529cc1502d05103f3e306455db80b7fff6a4db8b454c51b98cdc08557a89464539535e5248b1888624823ba2a5e976e0f5

Download Submit
C:\ProgramData\McAfee\WebAdvisor\WATaskManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
7f62de116ef65d71c22626fc4f52932d

SHA1
bd63e442c9cdc9a47cce8a6452c8961f0ed46b04

SHA256
855bbb60d8577ca2c3f852aa06dd8b11a1ae5d08fa8a190f47fdf8b84d364f48

SHA512
1766aacc7ec6038714a2c5d880f4968cd44fffae1d6165dc024c50f91eceae637bea89a2e77fefabe72788fdff20e896bcf20013e637fd1571394d92a0f72277

Download Submit
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt

Filesize
1KB

MD5
7432613a76e129238e204298c37c9f6b

SHA1
5adf33c04ae4796771b29213d3fca67051e170de

SHA256
34f1134fc2bd45a5c2ecec9050cdcace35e347ebe3fb78f5f6b401b725ce7beb

SHA512
f7c987e9ab0c56ce594151443bfca09fca3ea331c6d0ab8dc848c62bb80536066143b12cb569a0c2710e7550b01d9cfdbf21e8c4e9e6b4d38094398e8d0836df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
7495bdcceeecfaa7f5f6f7930a24e42c

SHA1
fad10e1609f48fe1830fcda6d65cce73969eaa4d

SHA256
15a12c6405bb32205725c28850a8618051d5a11b2da43be3935a815379c99d80

SHA512
fc873c1cbd15e07acb2e40f28615f2165317af01f61305db71157df74961fa2e4542409361954b5ecc3491ae99e340ca430334e3b3a833e13cd0f5d9016b7bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
69KB

MD5
f2ed365e5050c6e07aabded932117b58

SHA1
757aecbe6f69698140ecb5f0bab58ff94a2b2a2b

SHA256
71008f0509dc3378cb92c613f127a1ec42089db3a35536d7c56d4368ee0403ec

SHA512
9eb007191d88d047c37a1ddb531e7daf35a46c69910a85dc4631b34ecb04bac49f1c18571ea4431ad045f6894edf774c0839fb2d4d8a8dd344c9170d52a38e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1d242dk.exe

Filesize
1.9MB

MD5
2639839f964156a059f10348fff41466

SHA1
d8bf2460471928addc4e8a1a7b6f8890e9315832

SHA256
57288eef7d4d2a0910dd0c23e72e2431539595b2930873e971fdbcf50748e293

SHA512
cb79088805106091f210ba5e3ebd2f615a1a17a166c2f67f36f8d39ac77aca503e0e724db2bf6c1d8d4b2aa626b59177c6f386c7168a63ccdb0af363f4c12dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\AVG_BRW.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\CheatEngine75.exe

Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\logo.png

Filesize
246KB

MD5
1df360d73bf8108041d31d9875888436

SHA1
c866e8855d62f56a411641ece0552e54cbd0f2fb

SHA256
c1b1d7b4806955fe39a8bc6ce5574ab6ac5b93ad640cecfebe0961360c496d43

SHA512
3991b89927d89effca30cc584d5907998c217cf00ca441f2525ef8627ffff2032d104536f8b6ab79b83f4e32a7aab993f45d3930d5943cbfb5e449c5832abe14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod0.exe

Filesize
44KB

MD5
eaa29438a8b7d3035a4a63e83932f5d6

SHA1
52b5891d9ee08f04266bbb7f8ad9ea47c08302e5

SHA256
cbe1ce2ee1c01ee1d572c6f79bb00ee0dbf8bfe2cb02d49d4cdc06d32d8644df

SHA512
96e445ebfeb55037bee99934bec063e4c15a22eb0da6a352eda7a0d21988d4265f2d6fb1cc8a69ebedb33f9a7b97552db6b138149c8884ccc3f9adb03e5f92a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod1.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod1_extract\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod2.zip

Filesize
5.7MB

MD5
6406abc4ee622f73e9e6cb618190af02

SHA1
2aa23362907ba1c48eca7f1a372c2933edbb7fa1

SHA256
fd83d239b00a44698959145449ebfcb8c52687327deac04455e77a710a3dfe1b

SHA512
dd8e43f8a8f6c6e491179240bdfefdf30002f3f2900b1a319b4251dfa9ca7b7f87ddf170ba868ab520f94de9cc7d1854e3bcfd439cad1e8b4223c7ee06d649f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\prod2_extract\avg_secure_browser_setup.exe

Filesize
5.8MB

MD5
591059d6711881a4b12ad5f74d5781bf

SHA1
33362f43eaf8ad42fd6041d9b08091877fd2efba

SHA256
99e8de20a35a362c2a61c0b9e48fe8eb8fc1df452134e7b6390211ab19121a65

SHA512
6280064a79ca36df725483e3269bc1e729e67716255f18af542531d7824a5d76b38a7dcefca048022c861ffcbd0563028d39310f987076f6a5da6c7898c1984c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8DJ9D.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9B8RD.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CHIC1.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
14e34c5e0e3c320b904b9500e8fa96cf

SHA1
47cf88e6ddc1683135194b9d8b1cc32c78277f5e

SHA256
7398bd01e78df0d69169402f7fecf781c23f61127ba68290d146582ebadbf2ef

SHA512
6d99202dafd3209622e6fa217407bccd0b4157550d873bff36f06a279c499c9e98cb01d235c337d76d86c9e3c369d89712450fe1353eb18b2b7c108abd67ad59

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ECUN6.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl47E3.tmp\Microsoft.Win32.TaskScheduler.dll

Filesize
341KB

MD5
a09decc59b2c2f715563bb035ee4241e

SHA1
c84f5e2e0f71feef437cf173afeb13fe525a0fea

SHA256
6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149

SHA512
1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl47E3.tmp\RAVEndPointProtection-installer.exe

Filesize
539KB

MD5
41a3c2a1777527a41ddd747072ee3efd

SHA1
44b70207d0883ec1848c3c65c57d8c14fd70e2c3

SHA256
8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365

SHA512
14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl47E3.tmp\rsAtom.dll

Filesize
156KB

MD5
9deba7281d8eceefd760874434bd4e91

SHA1
553e6c86efdda04beacee98bcee48a0b0dba6e75

SHA256
02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

SHA512
7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl47E3.tmp\rsJSON.dll

Filesize
218KB

MD5
f8978087767d0006680c2ec43bda6f34

SHA1
755f1357795cb833f0f271c7c87109e719aa4f32

SHA256
221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

SHA512
54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl47E3.tmp\rsLogger.dll

Filesize
177KB

MD5
83ad54079827e94479963ba4465a85d7

SHA1
d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

SHA256
ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

SHA512
c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl47E3.tmp\rsStubLib.dll

Filesize
248KB

MD5
a16602aad0a611d228af718448ed7cbd

SHA1
ddd9b80306860ae0b126d3e834828091c3720ac5

SHA256
a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

SHA512
305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl47E3.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\9aefb6ff\155a05a5_c0a1da01\rsJSON.DLL

Filesize
220KB

MD5
bd772c48f94ad1012dc608a4b7b55ce1

SHA1
4593870deb85c3ea9d54f1f260e2ab96effb6ee1

SHA256
59733e01120fa4d5cb1e765babf8fefc15d98f7d484cb1902e0d07c4f3c0dcca

SHA512
534b4005c4d7647a42da6489a6c6852d95ef0156d0f76bc76b5c6765e035fa86a46e2ce823962b06b4f74c74623155302974d0dc0cdac7fbfb00fbc3579bc286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl47E3.tmp\uninstall.ico

Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\AVGBrowserUpdateSetup.exe

Filesize
1.6MB

MD5
9750ea6c750629d2ca971ab1c074dc9d

SHA1
7df3d1615bec8f5da86a548f45f139739bde286b

SHA256
cd1c5c7635d7e4e56287f87588dea791cf52b8d49ae599b60efb1b4c3567bc9c

SHA512
2ecbe819085bb9903a1a1fb6c796ad3b51617dd1fd03234c86e7d830b32a11fbcbff6cdc0191180d368497de2102319b0f56bfd5d8ac06d4f96585164801a04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\CR.History.tmp

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\CR.History.tmp

Filesize
192KB

MD5
92972f2c1f82b219ca5f995f840414f7

SHA1
fe397d9d2ae9652e21ffb0611912cd1d7d020003

SHA256
2ec52b71c8e846d1b170d6f402d4353258a8fb0acf069ffcb874859ff9c31819

SHA512
d7d337d60f5243be0edb344f1e2dd62001e002cfd9907fe3df35eafa66d7e15b112f9f2bdd2a5bd45b6a2c4622fec69f16ded66c689f3113a891fe6198c76f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\FF.places.tmp

Filesize
5.0MB

MD5
da73e58c9a7d48d2644a2d0cd044943a

SHA1
3b278930bd081c09c87252f38433d7f929c13bbe

SHA256
3113b5d1f943800cb0c7f98c90ec4d248f7077602011c73bb2bda8cdc4a6f891

SHA512
8baeca30e6e624d45ca29ad8f374a156ca09fd104429588e8b356a73de8f9a48a40be14b18a26c4de0fb377ac7c46d2dec4d3c1546d84ef7102c8adf5db3159e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
bd94620c8a3496f0922d7a443c750047

SHA1
23c4cb2b4d5f5256e76e54969e7e352263abf057

SHA256
c0af9e25c35650f43de4e8a57bb89d43099beead4ca6af6be846319ff84d7644

SHA512
954006d27ed365fdf54327d64f05b950c2f0881e395257b87ba8e4cc608ec4771deb490d57dc988571a2e66f730e04e8fe16f356a06070abda1de9f3b0c3da68

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\Midex.dll

Filesize
126KB

MD5
581c4a0b8de60868b89074fe94eb27b9

SHA1
70b8bdfddb08164f9d52033305d535b7db2599f6

SHA256
b13c23af49da0a21959e564cbca8e6b94c181c5eeb95150b29c94ff6afb8f9dd

SHA512
94290e72871c622fc32e9661719066bafb9b393e10ed397cae8a6f0c8be6ed0df88e5414f39bc528bf9a81980bdcb621745b6c712f4878f0447595cec59ee33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\StdUtils.dll

Filesize
195KB

MD5
7602b88d488e54b717a7086605cd6d8d

SHA1
c01200d911e744bdffa7f31b3c23068971494485

SHA256
2640e4f09aa4c117036bfddd12dc02834e66400392761386bd1fe172a6ddfa11

SHA512
a11b68bdaecc1fe3d04246cfd62dd1bb4ef5f360125b40dadf8d475e603e14f24cf35335e01e985f0e7adcf785fdf6c57c7856722bc8dcb4dd2a1f817b1dde3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\jsis.dll

Filesize
127KB

MD5
4b27df9758c01833e92c51c24ce9e1d5

SHA1
c3e227564de6808e542d2a91bbc70653cf88d040

SHA256
d37408f77b7a4e7c60800b6d60c47305b487e8e21c82a416784864bd9f26e7bb

SHA512
666f1b99d65169ec5b8bc41cdbbc5fe06bcb9872b7d628cb5ece051630a38678291ddc84862101c727f386c75b750c067177e6e67c1f69ab9f5c2e24367659f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\nsJSON.dll

Filesize
36KB

MD5
ddb56a646aea54615b29ce7df8cd31b8

SHA1
0ea1a1528faafd930ddceb226d9deaf4fa53c8b2

SHA256
07e602c54086a8fa111f83a38c2f3ee239f49328990212c2b3a295fade2b5069

SHA512
5d5d6ee7ac7454a72059be736ec8da82572f56e86454c5cbfe26e7956752b6df845a6b0fada76d92473033ca68cd9f87c8e60ac664320b015bb352915abe33c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv4737.tmp\thirdparty.dll

Filesize
93KB

MD5
070335e8e52a288bdb45db1c840d446b

SHA1
9db1be3d0ab572c5e969fea8d38a217b4d23cab2

SHA256
c8cf0cf1c2b8b14cbedfe621d81a79c80d70f587d698ad6dfb54bbe8e346fbbc

SHA512
6f49b82c5dbb84070794bae21b86e39d47f1a133b25e09f6a237689fd58b7338ae95440ae52c83fda92466d723385a1ceaf335284d4506757a508abff9d4b44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw47D3.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/756-3070-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/756-48-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/756-10-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/756-8-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2244-7-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2244-39-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2244-2546-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3604-70-0x000001AD74590000-0x000001AD74AB8000-memory.dmp

Filesize
5.2MB

Download
memory/3604-69-0x000001AD59C50000-0x000001AD59C58000-memory.dmp

Filesize
32KB

Download
memory/4540-47-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4540-43-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4540-3047-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4540-49-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4540-14-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4540-33-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4540-37-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4540-1589-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4556-1399-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4648-1400-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4648-141-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4864-234-0x000001AAB52C0000-0x000001AAB5300000-memory.dmp

Filesize
256KB

Download
memory/4864-3707-0x000001AAD07D0000-0x000001AAD0826000-memory.dmp

Filesize
344KB

Download
memory/4864-5336-0x000001AAD0870000-0x000001AAD08AA000-memory.dmp

Filesize
232KB

Download
memory/4864-236-0x000001AAB5300000-0x000001AAB5330000-memory.dmp

Filesize
192KB

Download
memory/4864-220-0x000001AAB4E10000-0x000001AAB4E98000-memory.dmp

Filesize
544KB

Download
memory/4864-239-0x000001AAB6C40000-0x000001AAB6C7A000-memory.dmp

Filesize
232KB

Download
memory/4864-266-0x000001AAD0330000-0x000001AAD035A000-memory.dmp

Filesize
168KB

Download
memory/4864-306-0x000001AAD0BC0000-0x000001AAD0C18000-memory.dmp

Filesize
352KB

Download
memory/5084-38-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5084-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5084-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5492-1495-0x00007FF6EB890000-0x00007FF6EB8A0000-memory.dmp

Filesize
64KB

Download
memory/5492-1601-0x00007FF6EB890000-0x00007FF6EB8A0000-memory.dmp

Filesize
64KB

Download
memory/5492-1599-0x00007FF6EB890000-0x00007FF6EB8A0000-memory.dmp

Filesize
64KB

Download
memory/5492-1565-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1543-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1519-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1516-0x00007FF6EB890000-0x00007FF6EB8A0000-memory.dmp

Filesize
64KB

Download
memory/5492-1508-0x00007FF6EB890000-0x00007FF6EB8A0000-memory.dmp

Filesize
64KB

Download
memory/5492-1493-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1468-0x00007FF6EB890000-0x00007FF6EB8A0000-memory.dmp

Filesize
64KB

Download
memory/5492-1464-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1438-0x00007FF6872C0000-0x00007FF6872D0000-memory.dmp

Filesize
64KB

Download
memory/5492-1433-0x00007FF6EB890000-0x00007FF6EB8A0000-memory.dmp

Filesize
64KB

Download
memory/5492-1408-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1407-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1405-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-2268-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-2270-0x00007FF6EA450000-0x00007FF6EA460000-memory.dmp

Filesize
64KB

Download
memory/5492-2269-0x00007FF6EA450000-0x00007FF6EA460000-memory.dmp

Filesize
64KB

Download
memory/5492-1613-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1629-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1638-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1642-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1650-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1686-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1695-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1715-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1717-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1816-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1819-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1831-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1838-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1842-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1988-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1844-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1885-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1725-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1773-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1698-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1632-0x00007FF6D3D90000-0x00007FF6D3DA0000-memory.dmp

Filesize
64KB

Download
memory/5492-1419-0x00007FF6EB890000-0x00007FF6EB8A0000-memory.dmp

Filesize
64KB

Download
memory/5492-1499-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1546-0x00007FF6E1660000-0x00007FF6E1670000-memory.dmp

Filesize
64KB

Download
memory/5492-1401-0x00007FF6EA450000-0x00007FF6EA460000-memory.dmp

Filesize
64KB

Download
memory/5492-1392-0x00007FF6EA450000-0x00007FF6EA460000-memory.dmp

Filesize
64KB

Download