phorphiex | fa8dbfb40bb6a7875b6e2a0cf227e6ccef6ee0e2cc2a69933977a598184360b2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
Size

1.2MB
MD5

406a3a86c943033b2d6c31b7d35f7f43
SHA1

cb033b8491f28e3dd14ab94e1a51141c3f6a7774
SHA256

fa8dbfb40bb6a7875b6e2a0cf227e6ccef6ee0e2cc2a69933977a598184360b2
SHA512

ff8552701a083e7c929dba4c03b12fef4dc772935c615a259833639622faf536688f788422b61531257c2a7bb7abe0e500fc7b620b446af7a7993570718b1d04
SSDEEP

24576:gduISHkczHGXR4IKsxo+MbLI6GpwDuk0zex9kr5NIhixZIQnyDqUSQ0gGtIQt:gVcghXIOpwDuk0zejkMhixaYdC0gGtjt

Score

10^/10

phorphiex discovery evasion loader persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://5.42.96.117/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
plo7udsa2s
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

syslmgrsvc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	syslmgrsvc.exe

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\710429082.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

E128.exe710429082.exeinstaller.exesyslmgrsvc.exeinstaller.exeServiceHost.exeUIHost.exe299676511.exeupdater.exe216011948.exeWindows Security Upgrade Service.exe3076425725.exe

pid	process
2236	E128.exe
3732	710429082.exe
1512	installer.exe
2684	syslmgrsvc.exe
3204	installer.exe
5936	ServiceHost.exe
5604	UIHost.exe
1900	299676511.exe
3660	updater.exe
1064	216011948.exe
1028	Windows Security Upgrade Service.exe
5192	3076425725.exe

Loads dropped DLL 14 IoCs

Processes:

installer.exeregsvr32.exeregsvr32.exeregsvr32.exeServiceHost.exeregsvr32.exeUIHost.exe

pid	process
3204	installer.exe
5784	regsvr32.exe
5348	regsvr32.exe
6016	regsvr32.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
1676	regsvr32.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5604	UIHost.exe
5604	UIHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

710429082.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"	710429082.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeServiceHost.exeinstaller.exe

description	ioc	process
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\browserhost.exe	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\score-toast-ui\wa-score-toast-increase.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticsmanager.dll	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\data_items.json	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-checklist.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\analyticseventhandler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\chrome_extension_push_handler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ui-sstoast.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\progress_tooltip_2.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-de-DE.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\transport_aws_apigateway_v1.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\wa-common.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\Temp2325710367\jslang\eula-zh-TW.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-sv-SE.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\registry.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\tests\score\wa-score-toast-h.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\edge_search\edge_search_ext_coachmark.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\baseaffidlookup.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\dictionary.json	ServiceHost.exe
File created	C:\Program Files\McAfee\Temp2325710367\jslang\eula-ko-KR.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\rules.js	ServiceHost.exe
File created	C:\Program Files\McAfee\Temp2325710367\uihost.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\wataskmanager.dll	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\isbissecuresearch.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-common.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ext-install-toast.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\survey.js	installer.exe
File created	C:\Program Files\McAfee\Temp2325710367\jslang\wa-res-install-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-sstoast.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-fr-CA.js	installer.exe

Drops file in Windows directory 2 IoCs

Processes:

710429082.exe

description ioc process

File created C:\Windows\syslmgrsvc.exe 710429082.exe
File opened for modification C:\Windows\syslmgrsvc.exe 710429082.exe

description	ioc	process
File created	C:\Windows\syslmgrsvc.exe	710429082.exe
File opened for modification	C:\Windows\syslmgrsvc.exe	710429082.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ServiceHost.exeupdater.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe

Modifies registry class 30 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exeServiceHost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ServiceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exeServiceHost.exeUIHost.exe

pid	process
4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5936	ServiceHost.exe
5936	ServiceHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe
5604	UIHost.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exeE128.exe710429082.exeinstaller.exeinstaller.exeregsvr32.exeregsvr32.exeServiceHost.exesyslmgrsvc.exe216011948.exe

description	pid	process	target process
PID 4588 wrote to memory of 2236	4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	E128.exe
PID 4588 wrote to memory of 2236	4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	E128.exe
PID 4588 wrote to memory of 2236	4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	E128.exe
PID 2236 wrote to memory of 3732	2236	E128.exe	710429082.exe
PID 2236 wrote to memory of 3732	2236	E128.exe	710429082.exe
PID 2236 wrote to memory of 3732	2236	E128.exe	710429082.exe
PID 4588 wrote to memory of 1512	4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	installer.exe
PID 4588 wrote to memory of 1512	4588	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	installer.exe
PID 3732 wrote to memory of 2684	3732	710429082.exe	syslmgrsvc.exe
PID 3732 wrote to memory of 2684	3732	710429082.exe	syslmgrsvc.exe
PID 3732 wrote to memory of 2684	3732	710429082.exe	syslmgrsvc.exe
PID 1512 wrote to memory of 3204	1512	installer.exe	installer.exe
PID 1512 wrote to memory of 3204	1512	installer.exe	installer.exe
PID 3204 wrote to memory of 5076	3204	installer.exe	regsvr32.exe
PID 3204 wrote to memory of 5076	3204	installer.exe	regsvr32.exe
PID 5076 wrote to memory of 5784	5076	regsvr32.exe	regsvr32.exe
PID 5076 wrote to memory of 5784	5076	regsvr32.exe	regsvr32.exe
PID 5076 wrote to memory of 5784	5076	regsvr32.exe	regsvr32.exe
PID 3204 wrote to memory of 5348	3204	installer.exe	Conhost.exe
PID 3204 wrote to memory of 5348	3204	installer.exe	Conhost.exe
PID 3204 wrote to memory of 5912	3204	installer.exe	regsvr32.exe
PID 3204 wrote to memory of 5912	3204	installer.exe	regsvr32.exe
PID 5912 wrote to memory of 6016	5912	regsvr32.exe	regsvr32.exe
PID 5912 wrote to memory of 6016	5912	regsvr32.exe	regsvr32.exe
PID 5912 wrote to memory of 6016	5912	regsvr32.exe	regsvr32.exe
PID 3204 wrote to memory of 1676	3204	installer.exe	regsvr32.exe
PID 3204 wrote to memory of 1676	3204	installer.exe	regsvr32.exe
PID 5936 wrote to memory of 5604	5936	ServiceHost.exe	UIHost.exe
PID 5936 wrote to memory of 5604	5936	ServiceHost.exe	UIHost.exe
PID 5936 wrote to memory of 1788	5936	ServiceHost.exe	cmd.exe
PID 5936 wrote to memory of 1788	5936	ServiceHost.exe	cmd.exe
PID 2684 wrote to memory of 1900	2684	syslmgrsvc.exe	299676511.exe
PID 2684 wrote to memory of 1900	2684	syslmgrsvc.exe	299676511.exe
PID 2684 wrote to memory of 1900	2684	syslmgrsvc.exe	299676511.exe
PID 5936 wrote to memory of 3660	5936	ServiceHost.exe	updater.exe
PID 5936 wrote to memory of 3660	5936	ServiceHost.exe	updater.exe
PID 5936 wrote to memory of 5280	5936	ServiceHost.exe	cmd.exe
PID 5936 wrote to memory of 5280	5936	ServiceHost.exe	cmd.exe
PID 2684 wrote to memory of 1064	2684	syslmgrsvc.exe	216011948.exe
PID 2684 wrote to memory of 1064	2684	syslmgrsvc.exe	216011948.exe
PID 2684 wrote to memory of 1064	2684	syslmgrsvc.exe	216011948.exe
PID 1064 wrote to memory of 1028	1064	216011948.exe	Windows Security Upgrade Service.exe
PID 1064 wrote to memory of 1028	1064	216011948.exe	Windows Security Upgrade Service.exe
PID 1064 wrote to memory of 1028	1064	216011948.exe	Windows Security Upgrade Service.exe
PID 2684 wrote to memory of 5192	2684	syslmgrsvc.exe	3076425725.exe
PID 2684 wrote to memory of 5192	2684	syslmgrsvc.exe	3076425725.exe
PID 2684 wrote to memory of 5192	2684	syslmgrsvc.exe	3076425725.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Local\Temp\E128.exe
"C:\Users\Admin\AppData\Local\Temp\E128.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\710429082.exe
C:\Users\Admin\AppData\Local\Temp\710429082.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\syslmgrsvc.exe
C:\Windows\syslmgrsvc.exe
4⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\299676511.exe
C:\Users\Admin\AppData\Local\Temp\299676511.exe
5⤵
- Executes dropped EXE
PID:1900

C:\Users\Admin\AppData\Local\Temp\216011948.exe
C:\Users\Admin\AppData\Local\Temp\216011948.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
6⤵
- Executes dropped EXE
PID:1028

C:\Users\Admin\AppData\Local\Temp\3076425725.exe
C:\Users\Admin\AppData\Local\Temp\3076425725.exe
5⤵
- Executes dropped EXE
PID:5192

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\\installer.exe" /s /upgrade
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1512

C:\Program Files\McAfee\Temp2325710367\installer.exe
"C:\Program Files\McAfee\Temp2325710367\installer.exe" /s /upgrade
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
4⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
5⤵
- Loads dropped DLL
- Modifies registry class
PID:5784

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5348

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
4⤵
- Suspicious use of WriteProcessMemory
PID:5912

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
5⤵
- Loads dropped DLL
- Modifies registry class
PID:6016

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
1⤵
PID:1744

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5936

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:1788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5348

C:\Program Files\McAfee\WebAdvisor\updater.exe
"C:\Program Files\McAfee\WebAdvisor\updater.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:5280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\McAfee\Temp2325710367\analyticsmanager.cab
Filesize
1.8MB

MD5
dc4e5a62f9c5b04c8d3d20db961371f5

SHA1
12fb6ac6d3722a8bce60f77ca808e5959de95e02

SHA256
f43f800d8d85d7c5af3bbfa5b2ea13d183be8e8ad57f7a7fa4475bf603a693e9

SHA512
c684d5c877045855df3ceffa525dffbc53d55b3559d1dca19e10c586f2db7085cb395a6f933eccf8f2248e6338dcbad294b54014f1befb6b2534879413aa3531

Download Submit
C:\Program Files\McAfee\Temp2325710367\analyticstelemetry.cab
Filesize
58KB

MD5
1d8f7c95a72a600b371e819b678be0f0

SHA1
7d544961dee72463f43afe8fdadd7a5bbb14a75f

SHA256
27f810a794170a97e430dc29a26169dec6bcea373ee000785ac089cac058770a

SHA512
95987dd1f3e2de393c9f5c201b89fe4a24d6581d7a036ad5124d5d9ccb9df76ada28dff504f87bb6abcb1b1d7a4832fb57e4204e6e5c9a882bfc823e7f3189a3

Download Submit
C:\Program Files\McAfee\Temp2325710367\browserhost.cab
Filesize
1.2MB

MD5
ef297ee03d8ea0240a1821bcaccc1bb1

SHA1
01825ee74143242054e399d7dcd89c1e2edb692e

SHA256
b0004747c1da4ee30f93065bddda1e471338f07024d06e912cdf281333f7a0f3

SHA512
ac13a462e29b015990e2511eec9d8a3b6e224666b815a746294039296832a2699ea0f666b1a41efbe84fe145f213df297624ca69fec5f41533c247c289d3cb8d

Download Submit
C:\Program Files\McAfee\Temp2325710367\browserplugin.cab
Filesize
4.9MB

MD5
3afc7a2ed10d7804ee588a669a154ab2

SHA1
b5cc1d0eb51e389fd5c49a0ff354ca576e402f7d

SHA256
f7f7c0fabe6d53a3e09aeb38648302523cdae1efb427205661c5567257156313

SHA512
b3d4770cb4f9c7ca98f2d655dc7bfeac06e49cabf6934a043c92e9b8959994cae55006190e88f9684dd747e26a060de80c38b922a15a0f03d0325f2915f23c34

Download Submit
C:\Program Files\McAfee\Temp2325710367\downloadscan.cab
Filesize
2.2MB

MD5
830597a39c23a1d6234ef1eb5f9476e2

SHA1
ebb05cfb80da8a6d95b4123833f6b7f0c9230328

SHA256
dce5dc71a095b82388b5945ddbdfed67a25686df0e89a3ef64681eb6a85743da

SHA512
7aa363ffbb13cbf35db4da3ca5c56588cab5737b8eacea273ba0f94c7014c849f0f080b6fdfa7a72d4981af6f4fc3aec9c5b173e0a744c9b28cd597b8c7784ed

Download Submit
C:\Program Files\McAfee\Temp2325710367\eventmanager.cab
Filesize
1.5MB

MD5
4d640a7698ce8a63be145717d1384bb7

SHA1
2aba5a5d24b66cb49da317311b8a531f993a170f

SHA256
de0b3de2af79a643e4b7712563a486786f470574792ab2e655aeeb20686ac116

SHA512
f268c6cf2c638ca16aafa26c2da8cf7822c0ff2415d56df31ea91a2d79380012ef388e7a67be508c4f5f5a2f6d54e3c4ca3ee26ee7c4aeb576c69fffc49be25b

Download Submit
C:\Program Files\McAfee\Temp2325710367\installer.exe
Filesize
2.9MB

MD5
b2b02a72e98408c9e0ebd5036bd7a092

SHA1
6d95b41ee0b8d6445e8d52048b4013afaf78109c

SHA256
b2c1ad8af3439bc7458130400bd213dd3db5aee8f49e295027c97b11dbe6bf58

SHA512
b74afa38d91f41b0ffd445999905d6a2f2a88bd796b0ced6c55db10de62c7ee468cc27e94f701bca59cfa6819b22869ce33193446cec0db69eccec1dfe85654f

Download Submit
C:\Program Files\McAfee\Temp2325710367\l10n.cab
Filesize
274KB

MD5
5ccc4c0645e5c35756c7a2e8bd6368f1

SHA1
8fb2662037c528993ea3ed80c6384f7b2cfafbff

SHA256
3e3df2de1e9122e6f0c556e1fd557829a6f05c1d95e56ebfe7f25865825157c7

SHA512
63da51cf8beb96f7fa3d27bd62e6655870c8e193809848450ccdd36dd28765e240279af744a54c586431e28cc02312c00ba439a205fe8725059927a3a316157e

Download Submit
C:\Program Files\McAfee\Temp2325710367\logicmodule.cab
Filesize
1.5MB

MD5
9501b1366feb857135e5d252618c1eee

SHA1
75c2463c0414bd7a446fae59818b5e09079f1bf0

SHA256
2d0ae00abb55e00f80a39a155272839d315f2c874ce597c3b2c49f89e8a34321

SHA512
05ddf40cc35a4d087033e9fa60c61e783e254d1d7f826078588a275502ea5f0ad68788213f73e8281262facaabbc80f613215d2a1f876e89948b8835cd0a19f9

Download Submit
C:\Program Files\McAfee\Temp2325710367\logicscripts.cab
Filesize
57KB

MD5
3b9b80964bbfecac64f133b8969a7afc

SHA1
3bcd2415169b348bbc88b23285e71ac898c7c617

SHA256
1883bb949ed1f2f180a418b06745168a7123b378339f6bfccaae7a1acbdbfbf6

SHA512
8ca928177f69b5238639c5e11dbfdc02fd1d2bd46e3ff72c67f24965cb754c16ff72af730a2e31ccf95390fd41e03c354353bbde68711a7f76fc4b38681136fa

Download Submit
C:\Program Files\McAfee\Temp2325710367\lookupmanager.cab
Filesize
985KB

MD5
ccd008b192ef72a73b1cde8e8da62d9c

SHA1
e907b1f670e0336fdc5085e30447b3accd932a3d

SHA256
7b6edb3ff653a4e35d46b7df1d38758bdf818de7c11b58960933aa60d0b9906c

SHA512
089c1ff9947ae2add2700580ca9481bf4dee7b258431bf8d25efb4fe8682ddca4f85956c3037919888c959a9a823889959dfce1f9a1b84938da5359dbbf39aba

Download Submit
C:\Program Files\McAfee\Temp2325710367\mfw-mwb.cab
Filesize
31KB

MD5
1753f1f1a623519d38631a1ff7237fb2

SHA1
b3f2e94372d3bdbde8c99593f68d93fd224999ff

SHA256
83f3e39419cc39af3b448b12ce9223b9f1ab344d5fce9c0bddb8553ef8058cd4

SHA512
34a62b1c61ec80c07ef9df669d7de77bd671b801289f8bb2739f57f989281e96513489a90e9a5872ef949ffb559b2036e9ef4afb4d6066921075b0d71ec66bc4

Download Submit
C:\Program Files\McAfee\Temp2325710367\mfw-nps.cab
Filesize
33KB

MD5
006acd223a6f124b6d18dc54e518027d

SHA1
cad740d4f3228ddb9518a0baad6c75dd5765d88b

SHA256
22ffacd39ac79e89a2b90c4e7a4a7c7cf6d9c2e08e8e3821217770a727278b45

SHA512
8a21c1cdb957c1524122e992af6f6919ee915a8602fb63195fe3cf77984cdccbcffa79dea64ff87a8306d88b2bf79c4d18541468f5bfbcadcefb082e6db946b1

Download Submit
C:\Program Files\McAfee\Temp2325710367\mfw-webadvisor.cab
Filesize
902KB

MD5
b180379055383f30732d39eb0269c79b

SHA1
050de5a6a4fd8297e31259f0e99343648d798a5d

SHA256
e53a3fe148a06433db5f6b1c880a47836d7a55cabcc96eeecc1ac82df95f8c90

SHA512
f8d60ab6c6f266d48cf828ccae7d0b54381e49e8ebe5cef6ef5a74a7158873627f378d7f6fdee6e55ccf516cde1876b442330723590454fd0982315c9755f351

Download Submit
C:\Program Files\McAfee\Temp2325710367\mfw.cab
Filesize
310KB

MD5
6da354da78b5a7c52be22572eb5efc55

SHA1
791b010349c7397157a97106b7336f008bcd5eff

SHA256
638278c1247e614fcdcc34892738a8e43f39c0d8b44848b4debf9021e4888903

SHA512
53aac6eae168a28be0ce4181a21633db6b0a64e41673ffb8c0620d901cea59a4bc59476be85da37834ba2fc61019a0e7eb82bd0a4d98da9e3b42a0cfc3924c7f

Download Submit
C:\Program Files\McAfee\Temp2325710367\resourcedll.cab
Filesize
50KB

MD5
08b4e5d3f3b19bf35be7e71f107c5e18

SHA1
64672efa144601751bdcd50f217b15c767a15dfb

SHA256
f39012b54ba8ab45afeb81257fee103d8e96f74eee8abfdad1156dce80f19254

SHA512
cb28690c7cf4ab22e849a8f3b3fc3e2dddb971f0e51f32516dc6461acdfe03e5b52a9694fb37210a41aa6d26fd61a31478f458fc0b3c23a43aae0c14ba157536

Download Submit
C:\Program Files\McAfee\Temp2325710367\servicehost.cab
Filesize
317KB

MD5
d2ac362ff38fea03b7b06b8ec47cbed0

SHA1
1dfc1d653c753fa0cf03f7277176ff539475d87c

SHA256
88a6f34ca571ecbcefdb56ca59d1772cc4db96856a67a3f4b00c4f4841919508

SHA512
0dc34db6b73a58b10271f273e0cd4da2cb0cd76895debef5e7d7322af4624049fd49adf650e3346e18e32133f28393f8b5c2b67304d2bc7d88becf9bce47c90c

Download Submit
C:\Program Files\McAfee\Temp2325710367\settingmanager.cab
Filesize
788KB

MD5
c0c685dd96b3f9a94a10197e4dfcc851

SHA1
b8745c84e5a573b7a5349001213229d704579719

SHA256
6ed8c980565ef3f3a091e4a8cf314dddca86e38465b62450a9c6ab153811c8e2

SHA512
03e1d8835b2845d529ee54487b8fe2abe63c82f28697bdd1115e2f7c40b24c0df8cca93e6b8d58b08e52bb4082f0131940917204ee552c85565ac7b515fbc492

Download Submit
C:\Program Files\McAfee\Temp2325710367\taskmanager.cab
Filesize
1.2MB

MD5
8cf6c31c071ee0b2d40bd3b573412bb2

SHA1
d35907dc3c0a3dab95e9283ed240f92d9447eaa8

SHA256
ddccc80534f3a777be411a85e123a1e9e5a027a667099de9eb8079012b15c11d

SHA512
5b986dfceead00dd4f6feaf1d0c38e20f15148f5e57b1c13647aa788695f4ec082a1838b99c6d104359011bc2546c5ed10e6d3aa9f5bc4ebad5c2776aa11da56

Download Submit
C:\Program Files\McAfee\Temp2325710367\telemetry.cab
Filesize
90KB

MD5
93d7bcc823aff1fcb98f1a913dadea1f

SHA1
01256549663cec9d6eb7e51d1d976111090f829f

SHA256
bf80c0e6f1b2ed8e7f2d72d8f4fda1c6fdb35f60aa75914e8b4867175b981759

SHA512
cc428ad9705140631a527968c5bef77acc00ed927a13a5433360b6444f4d492514d89d9bb5b68244cfeac8c1757f3c8ed95b0421b404bc3653903d0f6ac7100d

Download Submit
C:\Program Files\McAfee\Temp2325710367\uihost.cab
Filesize
312KB

MD5
90a174f59ac31acafd2d4df00a661ec4

SHA1
483c58d8a0a4164e21cd503a805c42d95e62bc85

SHA256
96143a282e06a937a511619cabba7cef75b236b1e0c3e110b41efba47e9f2f9d

SHA512
77d389628ee12c1c55f591dac3d0a1fc34ab684dbd3302df4796d35a1bbd466d6518dcd1fd48b1ef07f2930e7b81bb2b04ad70b7d6254fa3df2e0b981e2d0f05

Download Submit
C:\Program Files\McAfee\Temp2325710367\uimanager.cab
Filesize
1.7MB

MD5
96e263c704eb690d769c95b1c34d03ea

SHA1
6902e7c2f81c238a1a19994a2f22231204bac752

SHA256
d1ccfa367f07a6e271ed67f1f3f8f3936edfb6274d66a80086e9cdbb47931e0c

SHA512
a2e83fbe91c04305bce0eed423c8e0831e4d98c07224aaf59d8feb961f54eced4e569b9bccc751af718e263945a2cde0f3b3294a1a4dd61e6a437a1a7304b80a

Download Submit
C:\Program Files\McAfee\Temp2325710367\uninstaller.cab
Filesize
970KB

MD5
2319c2aa297f5fcdd8956458f94d1a1e

SHA1
e0c9a5398274bdbe17163200df8b9200543b4de5

SHA256
adc108549827342ae93ed7163a61cca1296824b3be54e266dc5c779f8a7a87c0

SHA512
6778e179ee471c613947b729f6dec579f6b50640b46336b97bab5ee468371b681885058af4cabf6842294e868a03d72fd6e10b76f181f2defb9e516cfd38716c

Download Submit
C:\Program Files\McAfee\Temp2325710367\updater.cab
Filesize
951KB

MD5
7b483cbd80605019bc216f9babdee9cf

SHA1
ef89717ff63335bb0689b7aea4acbe512d291cb6

SHA256
4939f02ac5bef2bf850dfde34902dc84101125b0ac3cb0ed71b2dcb9459b833e

SHA512
924c0732fbfbe01df6055973e2005dc084314edc16867b32d9f7356ad24ad3756cc2bd8ffbbd5b50b5553edf285a92c51c33b0682557e66227e89b95d04d3edf

Download Submit
C:\Program Files\McAfee\Temp2325710367\wataskmanager.cab
Filesize
2.8MB

MD5
a4dfa367963fd3e46210d3bd0b4102b1

SHA1
9dd28c37af5b86c1f20e52933cf9ea47dfe1fc60

SHA256
f4670f2db3e33f2130b636af2faa495a52532ec304a58014ae2128242aea5047

SHA512
339ca24709b5577fd3b20170c6b6e75d80f19408b67fb3188b5b9e1de7a67a5ff2f5eb8002519ba9ca8609aee0b30858fca02cc455c5f4db15f493a3f3ff8f6a

Download Submit
C:\Program Files\McAfee\Temp2325710367\webadvisor.cab
Filesize
22KB

MD5
354ba45bc1f16f0f644723e2660e3ca0

SHA1
cdab1b7a3ce71eb13eec62b4cadc1ea5fee6da45

SHA256
b436cf419f88f409a7d27b43b5932c6e381c5b6a93a323b64051cd7c5ef59ce5

SHA512
e381fd66dbdc9b5d839b95556d0085d550c2a00ba1fb0430d41ca4bfd14c7dac21eaca57ea393ad7e953940300deb14679e9db7a0fd54f9fe0729a4be009e456

Download Submit
C:\Program Files\McAfee\Temp2325710367\wssdep.cab
Filesize
586KB

MD5
784f7df7907c8bbb77cfdec26176b715

SHA1
cf5792a14c9311e2b98a3122d59178ff536e4c2d

SHA256
4d49923aaaadf6a7dd4f9c093dbb6878a00363a3e0a18e5bcc54e61175aa8d80

SHA512
4e3edadf6939fc8a6fd1acef72460d782397ef7a6e7abce7ca1a17b6e3e7bdda54398091b6be7547333d50b79f2faa08dd02c17a53900a12d3c83e296b5cde2e

Download Submit
C:\Program Files\McAfee\WebAdvisor\AnalyticsManager.dll
Filesize
5.1MB

MD5
a23f0ee9d64116f6c7147dcd1ef67c6f

SHA1
131ce068e236f40546739938749abac4eed9cddf

SHA256
6990fda9f8d3d9dad116aefdebe0ac442ef21d0c42b28e93bef29f80f0cc1a50

SHA512
39466dcc78956b64220c5514a2b48232e68933b5214370d4c0d16aba0082e3d0a05bc7af0478c3993f0c63fa1f888e9bc151aa37c40c90e8b3034e71e0fb804c

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
Filesize
73KB

MD5
6f97cb1b2d3fcf88513e2c349232216a

SHA1
846110d3bf8b8d7a720f646435909ef80bbcaa0c

SHA256
6a031052be1737bc2767c3ea65430d8d7ffd1c9115e174d7dfb64ad510011272

SHA512
2919176296b953c9ef232006783068d255109257653ac5ccd64a3452159108890a1e8e7d6c030990982816166517f878f6032946a5558f8ae3510bc044809b07

Download Submit
C:\Program Files\McAfee\WebAdvisor\EventManager.dll
Filesize
4.3MB

MD5
522d3a1ba6ca58a669d0de49f731abfd

SHA1
4e4301a5f4d3931f74e6445abc20f3b0bf1d1133

SHA256
a07411b12627eb0a121d451c3406cdb1c37dd04141a763fa775bea9d6e63ca9c

SHA512
162854d2847c547c28f3e05c56e3adae26a3910d22ef1cc9f8d7f3dd8088b60bb7d8ca9acc97fe0c44fe519071a3c1e71bbcd13434d79a6ec8bc6a82cedc8241

Download Submit
C:\Program Files\McAfee\WebAdvisor\LookupManager.dll
Filesize
2.8MB

MD5
be9cb3433d1284a7689b8ee7afbb81ff

SHA1
5b4a0416a138c47af66556bbe2e1ef8229d35842

SHA256
90874835c2254624f9372b3b92fb3b9e90352f4e3dcd37b31b9ee05909f17652

SHA512
f25dcb278fcf217d61e453058f1c037f807a9734fb1cafc6ba5d36b16101db776e55796f991f10053de5446910eafa1a49dda5640ba1d222d4e5bb3034204495

Download Submit
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
Filesize
858KB

MD5
af384aa87e3d70f7a687c5c60da2fb7f

SHA1
32e4154ea9316bf82590e7480ae51283cb6b6e4c

SHA256
2976c862c9813b309f696f3cc96d516c96aa9b42545888615591d268f23f5762

SHA512
1cbb5dc5516d1143d022a1548893a2199491baa4b1327b5aa0398bbe42fd4e7f5e1a484d6a1f15124dff6d5d8bebc728b58442de388f34d1ead78e7ab9f8a852

Download Submit
C:\Program Files\McAfee\WebAdvisor\SettingManager.dll
Filesize
1.9MB

MD5
1dda4e57701e0cccb6110c39c9358a82

SHA1
6b94553fb9d5dca7416fe732f5966bd9393dc65c

SHA256
b9233e27bc39d38dd73cfaef09d08eae86969d44c23ba839614d616b19adaa76

SHA512
95fbc786cfa33361ae518c170027a8141a8448de751ed8e7b998cfb058025ce4438c9cba2f24f268e6364f63920216cdad24c2cd1759485d1647eeebc9fce496

Download Submit
C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\AnalyticsEventsConfig.luc
Filesize
7KB

MD5
053cb1c75fe305163f01bac3a42f0d01

SHA1
b81232e87c3b1af8f02e0def40cce77b430cef0e

SHA256
83779b8f7885e635e4bb16241a08394d65c771c32bf8f2aa2b221b393a74c021

SHA512
190f3167d25834506197e4a93030e40142c7289427f93635ea4986dd59c53c6a94c2e7c572acc3b18fb892c40c457e4037c4d3544b52ee083806bc5c1c218bf2

Download Submit
C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\AnalyticsTelemetryHandler.luc
Filesize
2KB

MD5
c863696dc71d4f09215daf9c376314be

SHA1
2714c2d3a7bbd42f0b8b21e0a3409cf284fd95a6

SHA256
89fb1208a0be0e652aa381eb5fe6aaae192e1a14602bd416d93361a8ae41fa43

SHA512
9a0427a792c16774bc14a7be3f0bcda78f42c23f59bffe59cb6ba128f2a9ad92d05cfef51cd559835184d0257d1a2349e11a926f3337226ddec8d073b985940e

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\class.luc
Filesize
656B

MD5
0c5a014bada2cdf491e5d25597ac3b45

SHA1
e1edf93dd8a7743286f73335e6bad3dae1d81db5

SHA256
92ffdf2a2250ce3c4ecdc2c83a39f9aa42fc8326089112f9d3890bc21d5efaba

SHA512
55826a082f91f5308fc3495b788ab3aa35a474d58cd3747ae4ea3fcdf008967b7b135d8236eadaf5ab0dd40d089ab3b02d48c64cdbaf5cbbebe39f1ff35ab332

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\dkjson.luc
Filesize
9KB

MD5
3075c06e2de277403c4ff91089fa89a3

SHA1
e7a14ac133cf75b001d307ee00a30e767a773c1c

SHA256
287df33a5e4c8753b802461cb94b79e486f34d2ee1337b5054ad896717265a32

SHA512
9f7b5f600f646a390243ef315a009aa419f3f597f8769369caab450b4d1ee4ed1d5c9ffa2bc163cc513e726f4624a69ed4f3dc5ffc9cf7c78f2ec1d5f4001da3

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\logger.luc
Filesize
699B

MD5
ff9e892a736b19bb258d46e2e1981bd6

SHA1
79fa36ca81453eb88af25671b982d3ea6ede740e

SHA256
be325147f65fa54cc22b3de4b6067af491ab8ca0a75d74d86476d0d1973f7b97

SHA512
21240f704496a33d4c43a71dfc7cebcea3974679101527bb7a9276354189a274a0bcc162903d977b829850d84bbc30ddfb7cea142f36249195529819d42284e8

Download Submit
C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\DimensionConfig.luc
Filesize
27KB

MD5
674b61376e37e134b00008ff05ac555b

SHA1
02ccdf9ed717ceb3f24fd32ee245d93077258ca3

SHA256
0c5712c759ef99f68d0c1ccc9d273c5949fa4650768f506a6fb73e46ff557dd1

SHA512
4d6e4a97a787dd91672b4b18ba9a869df12ff3d85c1f34cb03c970f5462fd0c73e2e182f2b6b517fdcb01eb9e124c96bf6dc4d7eb04e2068cf46bcba39f6fd24

Download Submit
C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\DimensionProcessor.luc
Filesize
1KB

MD5
b0f9c1a8ee5e0d4f9a7522332f47b451

SHA1
c009ac8785f1b7b95273b2f227df098fe5ca7b42

SHA256
191d64bd5af045aea5e53d8c52ee5416fd4bd85e51b16a0b478a9514a72d168a

SHA512
3b544fc422995a30c4537bf0da8cb6264c7bf174e43387bdc6924a8be509be1c6fa97e4671c98fe9a9acebf5864eae36851c89a55f7ca4d099eba0dd659385bb

Download Submit
C:\Program Files\McAfee\WebAdvisor\telemetry\events\TelemetryConfig.luc
Filesize
31KB

MD5
30269bc1def2cb47150b232b290c07ba

SHA1
0468f83507403c977164d229d90999e231acf290

SHA256
23318f270ae80f357bb64d99deec0cd5ce6e833e043bf07b22dd32052a8a79de

SHA512
0bbcd590871d29f5657bb14e1b231543db3484a3205706936392ba139e659463f6a2c1542a806ef31285d4845ce81e30d91340459265cb3d5a4232c6d5b40ec9

Download Submit
C:\Program Files\McAfee\WebAdvisor\telemetry\events\TelemetryHandler.luc
Filesize
2KB

MD5
40efa25d9511c8cd76bd62cc0fc6ed28

SHA1
7083f3291fd104ec5ccff55b92e6134b1f6b0261

SHA256
c4fcda06af774981610a12d4df36dd1de556aea5051f9a0a34051af48617a76f

SHA512
fd61b0012f05d1cb73bfc08731a50c21568f47a0381d3c26487b6b7b356a6eb8e986c6ba9b6d246efd383ee75233359d05c599d912796781f632746eac8fa9a2

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll
Filesize
2.9MB

MD5
daeb30acfabe42c4815d04673d167b63

SHA1
23ba3e0cf2bca87ab6a984a9d2f846bf5832e1b2

SHA256
f6bca637d5cf3d5eba4c9b48b6825ebd8a0f324a59b70d756e153b6585666ca7

SHA512
5678ce77b1b73eb0fbeb96ca305b411b4ad7b2c4a5ff78370c9f216dbed36386ffe6411328ddbd6476965c7acd89b4bc7c15de9354ee98c5b4f88d9968630440

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll
Filesize
646KB

MD5
29d2c8df586879a81d8b4e21c1916a4d

SHA1
221ee1eb754113636bdacd00a18f9e59661f4ebc

SHA256
ce6d31f4ca28d5ede624fd724e8a99cfb47776391a4339090b1abbbf7a0be4d8

SHA512
7cdbc57d37db1468960f871f55e639feee954661e0d159a38eccef6c2270606e32ad49779fe409ede69cae960fcfbc52e309115d7796a27ffae914a256377130

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll
Filesize
803KB

MD5
b2985f3137a70b3f64fee061ccc5f2fc

SHA1
6af2342ddc4acbf308d519c5857efe3f3733f55e

SHA256
2d7698e65aa98eb6bc73bd387b4fe3730f22096907e9d4eda206bf217ba0a7ac

SHA512
246f33db73132333ef140ccacb3479f38c72698d1bde960b698abc8509600a031fed67554db7b08328fba6da3372e0fcc252b11cfa712448b2b69e0d08f3f660

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\downloadscan.dll
Filesize
3.3MB

MD5
86dd7104f29b84681116801719336dec

SHA1
28493bc9fd3d0a5c8b2f6311f6d061c8286b612c

SHA256
4f98836c41b72b529c5b14e3001f71a1100772bae5392803176ebcab8fbd6c7b

SHA512
5179913f8ad2ce23276cbcc387a3789f02f824d59faba1cc8f12780c027a63256fa9a356c0a950b697ef0c2eaccd66f064445fda4952d092617186fc2e7169de

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
680B

MD5
bedd48e5748ade17027b167227af156c

SHA1
e8c063514962102c8cf81dc74580e299704115ec

SHA256
4443cc0544661e6741eeed7b30992df0c4f445d6e7eb1c90035713166d0aa159

SHA512
92662bc91f985d9a766ddfb4a35d75091ca55d22b9047aa4ef22818ec7b51562f74ae87cc973edecb6e3e3ec8379f3b210865ff70686651cade8f8d42a6c9fe2

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
87972cfcf6e1c659f2740602e4d900db

SHA1
74e3a8a1894edd66fe8c94bb84cf448e9378a6f1

SHA256
b0d321ec9ca32a27d51535bcd87fe93ec74544be09d9c8f158c7d79a02c19705

SHA512
d6ffb602154d9548e60744e7dc25c2140bcdf17b36b4676365cf233e7827acfd86db928269231c5bccbc6f20bb77858ce1ccc20c776320c328227b2919a9d1e3

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
2739db97b8001830596ddb729a426ae1

SHA1
2b315ae7b7fa8e93b6e7730a073df444fa80c50d

SHA256
a4fee8ce5e136bd135088e27c4bbf0c56fefa2b7282e02c60feded37d140d859

SHA512
fde56d0b5606163f8a7dba0c338d8ba130bee671e872315b73ead2f884c3a834b90b7f940e47c24dd56cfb41255ecf48c92c64ce539fc13700ba74e1d92a783e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt
Filesize
4KB

MD5
7276f1f8fe16d8947afcf8b8abb11c96

SHA1
8075c2549d82b5d4a9246c5c42b630573e6d03ab

SHA256
87f823dee1caa274f524fb9a1709c9c11347b620de8392d4f46be3a6a5f287d1

SHA512
9ea124ee2fe8f1bc1ce8b2d624946b5b99440bd38e24f0ac31813fb79965fd958aef572fbc8c943e7236a3dd293275613f607b5821934bf7b5f2c721999409d6

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
8a2248219bda91bb8ffa7a04095320c0

SHA1
ba1cc24fc45054a015735030869e9f53081dacf8

SHA256
47b8c97b46bd6886d380dbafd0b787c624e3f381e62855d8ffb7bd810662db4c

SHA512
6bdad1aa185d3e922868d15a1d1328f7482d4422a91ed68d1824e60395a859ac51b82ef0ecad266b6f1c26cf391646b6b2a7c39c058d9c307d55a7ff5418b64d

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
6KB

MD5
71c4bf876c58b6e3be5155f63d9d1be3

SHA1
f1d9df169019092a1d24c8b34c9f20284a462d70

SHA256
87a82af3d66189795ecb6fe67d1de6aef3293d2b09a495bf3c133798e73e152f

SHA512
25bbc9f47bb194b9fec05bbaef8fdf5208426a6ae9c30d9025a0e165422b55eaa00231671073b68e6d402f475850e3ba8c3dfd5cb81b17161be7771aff6b4627

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
3722e17c50f9a4f20680204787bf0996

SHA1
258c19928c7423607853d5f261a7341f01f91411

SHA256
eefacfb75d28443d6895a24a08545a90968d4dbce0cbcd9a5413693ecc0c4f63

SHA512
f05b369e1232bf03b4f435be248875a2be00296f157c85eb15bd5a8862d5f36c9356479fbc6dde01b981ecad0013d54b814374e88bd4fb254c690147ad5d0b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\2102619197.exe
Filesize
80KB

MD5
2ff2bb06682812eeb76628bfbe817fbb

SHA1
18e86614d0f4904e1fe97198ccda34b25aab7dae

SHA256
985da56fb594bf65d8bb993e8e37cd6e78535da6c834945068040faf67e91e7d

SHA512
5cd3b5a1e16202893b08c0ae70d3bcd9e7a49197ebf1ded08e01395202022b3b6c2d8837196ef0415fea6497d928b44e03544b934f8e062ddbb6c6f79fb6f440

Download Submit
C:\Users\Admin\AppData\Local\Temp\710429082.exe
Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E128.exe
Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.exe
Filesize
28.0MB

MD5
58b8915d4281db10762af30eaf315c9e

SHA1
1e8b10818226fa29bfa5cdd8c2595ba080b72a71

SHA256
c19df49f177f0fecf2d406ef7801a8d0e5641cb8a38b7b859cbf118cb5d0684e

SHA512
49247941a77f26ab599f948c66df21b6439e86d08652caa9b52ffbcefd80a8c685d75c8088361c98dde44936e44746c961f1828a5b9909fecd6ce9e7e6d2f794

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwa24D.tmp
Filesize
161KB

MD5
662de59677aecac08c7f75f978c399da

SHA1
1f85d6be1fa846e4bc90f7a29540466cf3422d24

SHA256
1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb

SHA512
e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

Download Submit
memory/3204-450-0x00007FF61D6B0000-0x00007FF61D6C0000-memory.dmp

Filesize
64KB

Download
memory/3204-223-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-390-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-446-0x00007FF61D6B0000-0x00007FF61D6C0000-memory.dmp

Filesize
64KB

Download
memory/3204-387-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-386-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-384-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-358-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-356-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-337-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-313-0x00007FF61D6B0000-0x00007FF61D6C0000-memory.dmp

Filesize
64KB

Download
memory/3204-311-0x00007FF61D6B0000-0x00007FF61D6C0000-memory.dmp

Filesize
64KB

Download
memory/3204-309-0x00007FF61D6B0000-0x00007FF61D6C0000-memory.dmp

Filesize
64KB

Download
memory/3204-306-0x00007FF61D6B0000-0x00007FF61D6C0000-memory.dmp

Filesize
64KB

Download
memory/3204-301-0x00007FF61D6B0000-0x00007FF61D6C0000-memory.dmp

Filesize
64KB

Download
memory/3204-280-0x00007FF61D6B0000-0x00007FF61D6C0000-memory.dmp

Filesize
64KB

Download
memory/3204-269-0x00007FF6380E0000-0x00007FF6380F0000-memory.dmp

Filesize
64KB

Download
memory/3204-264-0x00007FF623340000-0x00007FF623350000-memory.dmp

Filesize
64KB

Download
memory/3204-255-0x00007FF634BA0000-0x00007FF634BB0000-memory.dmp

Filesize
64KB

Download
memory/3204-254-0x00007FF634BA0000-0x00007FF634BB0000-memory.dmp

Filesize
64KB

Download
memory/3204-253-0x00007FF634BA0000-0x00007FF634BB0000-memory.dmp

Filesize
64KB

Download
memory/3204-252-0x00007FF634BA0000-0x00007FF634BB0000-memory.dmp

Filesize
64KB

Download
memory/3204-251-0x00007FF634BA0000-0x00007FF634BB0000-memory.dmp

Filesize
64KB

Download
memory/3204-242-0x00007FF634BA0000-0x00007FF634BB0000-memory.dmp

Filesize
64KB

Download
memory/3204-231-0x00007FF65C420000-0x00007FF65C430000-memory.dmp

Filesize
64KB

Download
memory/3204-320-0x00007FF610FE0000-0x00007FF610FF0000-memory.dmp

Filesize
64KB

Download
memory/3204-229-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-227-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-226-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-225-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-224-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-389-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-222-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-220-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-219-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-218-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-217-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-228-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-391-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-392-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-394-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-396-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-425-0x00007FF6203A0000-0x00007FF6203B0000-memory.dmp

Filesize
64KB

Download
memory/3204-405-0x00007FF60A220000-0x00007FF60A230000-memory.dmp

Filesize
64KB

Download
memory/3204-318-0x00007FF681640000-0x00007FF681650000-memory.dmp

Filesize
64KB

Download
memory/3204-323-0x00007FF681640000-0x00007FF681650000-memory.dmp

Filesize
64KB

Download
memory/3204-230-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-221-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-211-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-206-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-193-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-197-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-195-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-199-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-200-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-191-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-189-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-185-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-187-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-182-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-177-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-178-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-179-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download
memory/3204-180-0x00007FF61D2A0000-0x00007FF61D2B0000-memory.dmp

Filesize
64KB

Download