fe6c0d8f90c9c74f2986fe169342e0a5319a3b1ffcf711b513f33db7e28e863a

Analysis

max time kernel
47s
max time network
49s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine75.exe
Size

28.6MB
MD5

e703b8ac5b3601deebbf05843c9a4e97
SHA1

ab154e32099776e432b4d2c31366985f27950cf1
SHA256

fe6c0d8f90c9c74f2986fe169342e0a5319a3b1ffcf711b513f33db7e28e863a
SHA512

8280af1c2455b37c13de60f1d4a4ab26fe7d03bed7f874b074afb4ae365f2380aa71525e7e649e924347c38efd601dd3a6b7924f56aa6c09932f24b5c2f03c65
SSDEEP

786432:dTCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH2:d2EXFhV0KAcNjxAItj2

Score

8^/10

bootkit discovery evasion execution persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

avg_secure_browser_setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe

Executes dropped EXE 17 IoCs

Processes:

CheatEngine75.tmpavg_antivirus_free_setup.exeavg_secure_browser_setup.exeWZSetup.exeCheatEngine75.exeCheatEngine75.tmp_setup64.tmpKernelmoduleunloader.exeWeatherZeroService.exeWeatherZeroService.exeWeatherZeroService.exeavg_antivirus_free_setup_x64.exewindowsrepair.exeinstup.exeCheat Engine.execheatengine-x86_64-SSE4-AVX2.exeWeatherZero.exe

pid	process
316	CheatEngine75.tmp
2884	avg_antivirus_free_setup.exe
1684	avg_secure_browser_setup.exe
572	WZSetup.exe
1592	CheatEngine75.exe
2980	CheatEngine75.tmp
2772	_setup64.tmp
1148	Kernelmoduleunloader.exe
1716	WeatherZeroService.exe
1924	WeatherZeroService.exe
2744	WeatherZeroService.exe
1796	avg_antivirus_free_setup_x64.exe
2932	windowsrepair.exe
612	instup.exe
2576	Cheat Engine.exe
3032	cheatengine-x86_64-SSE4-AVX2.exe
1636	WeatherZero.exe

Loads dropped DLL 64 IoCs

Processes:

CheatEngine75.exeCheatEngine75.tmpavg_secure_browser_setup.exeWZSetup.exeCheatEngine75.exeCheatEngine75.tmpavg_antivirus_free_setup.exeavg_antivirus_free_setup_x64.exeinstup.exeCheat Engine.execheatengine-x86_64-SSE4-AVX2.exeWerFault.exe

pid	process
2284	CheatEngine75.exe
316	CheatEngine75.tmp
316	CheatEngine75.tmp
316	CheatEngine75.tmp
1684	avg_secure_browser_setup.exe
1684	avg_secure_browser_setup.exe
316	CheatEngine75.tmp
1684	avg_secure_browser_setup.exe
572	WZSetup.exe
572	WZSetup.exe
1684	avg_secure_browser_setup.exe
1684	avg_secure_browser_setup.exe
1684	avg_secure_browser_setup.exe
1684	avg_secure_browser_setup.exe
316	CheatEngine75.tmp
1592	CheatEngine75.exe
572	WZSetup.exe
572	WZSetup.exe
572	WZSetup.exe
2980	CheatEngine75.tmp
572	WZSetup.exe
572	WZSetup.exe
572	WZSetup.exe
572	WZSetup.exe
572	WZSetup.exe
572	WZSetup.exe
572	WZSetup.exe
2980	CheatEngine75.tmp
572	WZSetup.exe
572	WZSetup.exe
2980	CheatEngine75.tmp
2884	avg_antivirus_free_setup.exe
2884	avg_antivirus_free_setup.exe
2980	CheatEngine75.tmp
2980	CheatEngine75.tmp
1796	avg_antivirus_free_setup_x64.exe
1796	avg_antivirus_free_setup_x64.exe
1796	avg_antivirus_free_setup_x64.exe
1796	avg_antivirus_free_setup_x64.exe
1796	avg_antivirus_free_setup_x64.exe
1796	avg_antivirus_free_setup_x64.exe
2980	CheatEngine75.tmp
2980	CheatEngine75.tmp
572	WZSetup.exe
2980	CheatEngine75.tmp
2980	CheatEngine75.tmp
2980	CheatEngine75.tmp
572	WZSetup.exe
2980	CheatEngine75.tmp
572	WZSetup.exe
1796	avg_antivirus_free_setup_x64.exe
572	WZSetup.exe
612	instup.exe
2576	Cheat Engine.exe
3032	cheatengine-x86_64-SSE4-AVX2.exe
3032	cheatengine-x86_64-SSE4-AVX2.exe
3032	cheatengine-x86_64-SSE4-AVX2.exe
3032	cheatengine-x86_64-SSE4-AVX2.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
2492	WerFault.exe
612	instup.exe
2492	WerFault.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1716 icacls.exe
2256 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1716	icacls.exe
2256	icacls.exe

Checks for any installed AV software in registry 1 TTPs 14 IoCs

Security Software Discovery

T1518.001

Processes:

instup.exeCheatEngine75.tmpavg_secure_browser_setup.exeavg_antivirus_free_setup_x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avg_antivirus_free_setup_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	CheatEngine75.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

avg_antivirus_free_setup_x64.exeinstup.exeavg_antivirus_free_setup.exeavg_secure_browser_setup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup.exe
File opened for modification	\??\PhysicalDrive0	avg_secure_browser_setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

CheatEngine75.tmpWZSetup.exe

description	ioc	process
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-44IEH.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-0B3N3.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\clibs64\is-1KVTP.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-A8A6R.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\win64\dbghelp.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\gtutorial-i386.exe	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-5Q8Q0.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-0IPJO.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\win64\symsrv.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-IFAPK.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-N57TB.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-TRGDV.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-LU9T8.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-RLM4U.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\is-FVOVF.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\badassets\is-1IOJP.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\CEJVMTI.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\libmikmod64.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-UGF1L.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-02O25.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-FUSP3.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\is-DIA08.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-0SCTE.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-K5S00.tmp	CheatEngine75.tmp
File created	C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	WZSetup.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-169FD.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-MFSHU.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-GFVDK.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\ced3d10hook64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\clibs32\lfs.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\win32\is-PEIVS.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-MM16E.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-CNMHR.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\is-9NBV7.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-FSDTD.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\badassets\is-BRCIU.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\d3dhook.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\win64\is-SRBAN.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-20CN2.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\sys\is-27I9Q.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\unins000.dat	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-Q132H.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-TO4K5.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\languages\is-VPNEP.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\badassets\is-E5TNI.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-4681Q.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-81QQD.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-VR9MN.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-PEDKM.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-E8PKB.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\forms\is-FQKFB.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-6DC7F.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-HMA22.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-7SMP8.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-T20OC.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-9M2JA.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\languages\is-790S2.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\sys\is-OFFS0.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\xml\is-HH8OM.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-D4I9H.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\autorun\dlls\MonoDataCollector32.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\win32\is-7CCAV.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-8JL3J.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-7KPGI.tmp	CheatEngine75.tmp

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2740 sc.exe
2664 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2492 316 WerFault.exe CheatEngine75.tmp

pid	process
2740	sc.exe
2664	sc.exe

pid	pid_target	process	target process
2492	316	WerFault.exe	CheatEngine75.tmp

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CheatEngine75.exeCheatEngine75.exeCheat Engine.exeWeatherZero.exeavg_secure_browser_setup.exeCheatEngine75.tmpWeatherZeroService.exeWeatherZeroService.exeCheatEngine75.tmpavg_antivirus_free_setup.exeWZSetup.exeKernelmoduleunloader.exeWeatherZeroService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat Engine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZero.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_antivirus_free_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WZSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kernelmoduleunloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod2_extract\WZSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod2_extract\WZSetup.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CheatEngine75.tmpinstup.exeavg_antivirus_free_setup_x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avg_antivirus_free_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avg_antivirus_free_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avg_antivirus_free_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	avg_antivirus_free_setup_x64.exe

Modifies registry class 64 IoCs

Processes:

CheatEngine75.tmpinstup.exeavg_antivirus_free_setup_x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine75.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "47"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "37"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "92"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "58"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "38"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "12"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "10"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "54"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "56"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "28"	avg_antivirus_free_setup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Checking install conditions"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "81"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "45"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "100"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "7"	avg_antivirus_free_setup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "DNS resolving"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "24"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "57"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: avdump_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "0"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "27"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "78"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "4"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "89"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: avbugreport_x64_ais"	instup.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

avg_antivirus_free_setup.exeCheatEngine75.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	avg_antivirus_free_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	avg_antivirus_free_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp

Runs net.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

CheatEngine75.tmpavg_secure_browser_setup.exeCheatEngine75.tmpavg_antivirus_free_setup_x64.exe

pid	process
316	CheatEngine75.tmp
316	CheatEngine75.tmp
316	CheatEngine75.tmp
316	CheatEngine75.tmp
316	CheatEngine75.tmp
316	CheatEngine75.tmp
316	CheatEngine75.tmp
316	CheatEngine75.tmp
1684	avg_secure_browser_setup.exe
1684	avg_secure_browser_setup.exe
1684	avg_secure_browser_setup.exe
1684	avg_secure_browser_setup.exe
1684	avg_secure_browser_setup.exe
1684	avg_secure_browser_setup.exe
1684	avg_secure_browser_setup.exe
2980	CheatEngine75.tmp
2980	CheatEngine75.tmp
1796	avg_antivirus_free_setup_x64.exe
1796	avg_antivirus_free_setup_x64.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

avg_antivirus_free_setup_x64.exeinstup.exeWeatherZeroService.exe

description	pid	process
Token: 32	1796	avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege	1796	avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege	612	instup.exe
Token: 32	612	instup.exe
Token: SeTcbPrivilege	2744	WeatherZeroService.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

CheatEngine75.tmpCheatEngine75.tmpcheatengine-x86_64-SSE4-AVX2.exe

pid process

316 CheatEngine75.tmp
2980 CheatEngine75.tmp
3032 cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CheatEngine75.exeCheatEngine75.tmpCheatEngine75.exeCheatEngine75.tmpnet.exenet.exe

description	pid	process	target process
PID 2284 wrote to memory of 316	2284	CheatEngine75.exe	CheatEngine75.tmp
PID 2284 wrote to memory of 316	2284	CheatEngine75.exe	CheatEngine75.tmp
PID 2284 wrote to memory of 316	2284	CheatEngine75.exe	CheatEngine75.tmp
PID 2284 wrote to memory of 316	2284	CheatEngine75.exe	CheatEngine75.tmp
PID 2284 wrote to memory of 316	2284	CheatEngine75.exe	CheatEngine75.tmp
PID 2284 wrote to memory of 316	2284	CheatEngine75.exe	CheatEngine75.tmp
PID 2284 wrote to memory of 316	2284	CheatEngine75.exe	CheatEngine75.tmp
PID 316 wrote to memory of 2884	316	CheatEngine75.tmp	avg_antivirus_free_setup.exe
PID 316 wrote to memory of 2884	316	CheatEngine75.tmp	avg_antivirus_free_setup.exe
PID 316 wrote to memory of 2884	316	CheatEngine75.tmp	avg_antivirus_free_setup.exe
PID 316 wrote to memory of 2884	316	CheatEngine75.tmp	avg_antivirus_free_setup.exe
PID 316 wrote to memory of 2884	316	CheatEngine75.tmp	avg_antivirus_free_setup.exe
PID 316 wrote to memory of 2884	316	CheatEngine75.tmp	avg_antivirus_free_setup.exe
PID 316 wrote to memory of 2884	316	CheatEngine75.tmp	avg_antivirus_free_setup.exe
PID 316 wrote to memory of 1684	316	CheatEngine75.tmp	avg_secure_browser_setup.exe
PID 316 wrote to memory of 1684	316	CheatEngine75.tmp	avg_secure_browser_setup.exe
PID 316 wrote to memory of 1684	316	CheatEngine75.tmp	avg_secure_browser_setup.exe
PID 316 wrote to memory of 1684	316	CheatEngine75.tmp	avg_secure_browser_setup.exe
PID 316 wrote to memory of 1684	316	CheatEngine75.tmp	avg_secure_browser_setup.exe
PID 316 wrote to memory of 1684	316	CheatEngine75.tmp	avg_secure_browser_setup.exe
PID 316 wrote to memory of 1684	316	CheatEngine75.tmp	avg_secure_browser_setup.exe
PID 316 wrote to memory of 572	316	CheatEngine75.tmp	WZSetup.exe
PID 316 wrote to memory of 572	316	CheatEngine75.tmp	WZSetup.exe
PID 316 wrote to memory of 572	316	CheatEngine75.tmp	WZSetup.exe
PID 316 wrote to memory of 572	316	CheatEngine75.tmp	WZSetup.exe
PID 316 wrote to memory of 572	316	CheatEngine75.tmp	WZSetup.exe
PID 316 wrote to memory of 572	316	CheatEngine75.tmp	WZSetup.exe
PID 316 wrote to memory of 572	316	CheatEngine75.tmp	WZSetup.exe
PID 316 wrote to memory of 1592	316	CheatEngine75.tmp	CheatEngine75.exe
PID 316 wrote to memory of 1592	316	CheatEngine75.tmp	CheatEngine75.exe
PID 316 wrote to memory of 1592	316	CheatEngine75.tmp	CheatEngine75.exe
PID 316 wrote to memory of 1592	316	CheatEngine75.tmp	CheatEngine75.exe
PID 316 wrote to memory of 1592	316	CheatEngine75.tmp	CheatEngine75.exe
PID 316 wrote to memory of 1592	316	CheatEngine75.tmp	CheatEngine75.exe
PID 316 wrote to memory of 1592	316	CheatEngine75.tmp	CheatEngine75.exe
PID 1592 wrote to memory of 2980	1592	CheatEngine75.exe	CheatEngine75.tmp
PID 1592 wrote to memory of 2980	1592	CheatEngine75.exe	CheatEngine75.tmp
PID 1592 wrote to memory of 2980	1592	CheatEngine75.exe	CheatEngine75.tmp
PID 1592 wrote to memory of 2980	1592	CheatEngine75.exe	CheatEngine75.tmp
PID 1592 wrote to memory of 2980	1592	CheatEngine75.exe	CheatEngine75.tmp
PID 1592 wrote to memory of 2980	1592	CheatEngine75.exe	CheatEngine75.tmp
PID 1592 wrote to memory of 2980	1592	CheatEngine75.exe	CheatEngine75.tmp
PID 2980 wrote to memory of 2452	2980	CheatEngine75.tmp	net.exe
PID 2980 wrote to memory of 2452	2980	CheatEngine75.tmp	net.exe
PID 2980 wrote to memory of 2452	2980	CheatEngine75.tmp	net.exe
PID 2980 wrote to memory of 2452	2980	CheatEngine75.tmp	net.exe
PID 2452 wrote to memory of 2060	2452	net.exe	net1.exe
PID 2452 wrote to memory of 2060	2452	net.exe	net1.exe
PID 2452 wrote to memory of 2060	2452	net.exe	net1.exe
PID 2980 wrote to memory of 1476	2980	CheatEngine75.tmp	net.exe
PID 2980 wrote to memory of 1476	2980	CheatEngine75.tmp	net.exe
PID 2980 wrote to memory of 1476	2980	CheatEngine75.tmp	net.exe
PID 2980 wrote to memory of 1476	2980	CheatEngine75.tmp	net.exe
PID 1476 wrote to memory of 2656	1476	net.exe	net1.exe
PID 1476 wrote to memory of 2656	1476	net.exe	net1.exe
PID 1476 wrote to memory of 2656	1476	net.exe	net1.exe
PID 2980 wrote to memory of 2664	2980	CheatEngine75.tmp	sc.exe
PID 2980 wrote to memory of 2664	2980	CheatEngine75.tmp	sc.exe
PID 2980 wrote to memory of 2664	2980	CheatEngine75.tmp	sc.exe
PID 2980 wrote to memory of 2664	2980	CheatEngine75.tmp	sc.exe
PID 2980 wrote to memory of 2740	2980	CheatEngine75.tmp	sc.exe
PID 2980 wrote to memory of 2740	2980	CheatEngine75.tmp	sc.exe
PID 2980 wrote to memory of 2740	2980	CheatEngine75.tmp	sc.exe
PID 2980 wrote to memory of 2740	2980	CheatEngine75.tmp	sc.exe

C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\is-1MP2P.tmp\CheatEngine75.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1MP2P.tmp\CheatEngine75.tmp" /SL5="$A01B6,29071676,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod0_extract\avg_antivirus_free_setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod0_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5fco4SCi2DIcIJ4MNl3Prl70kxvsgpFCfG5xf4L8PEQrfEnYMPVEwiQncfM0wOxOFIhLV9HRc
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2884

C:\Windows\Temp\asw.88ca6255fc32eabe\avg_antivirus_free_setup_x64.exe
"C:\Windows\Temp\asw.88ca6255fc32eabe\avg_antivirus_free_setup_x64.exe" /silent /ws /psh:92pTu5fco4SCi2DIcIJ4MNl3Prl70kxvsgpFCfG5xf4L8PEQrfEnYMPVEwiQncfM0wOxOFIhLV9HRc /cookie:mmm_irs_ppi_902_451_o /ga_clientid:34ed4df6-3ae8-4c7e-8f45-338a0f1f63cb /edat_dir:C:\Windows\Temp\asw.88ca6255fc32eabe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\Temp\asw.6112e3d7d4cff162\instup.exe
"C:\Windows\Temp\asw.6112e3d7d4cff162\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.6112e3d7d4cff162 /edition:15 /prod:ais /stub_context:1f1ad8e5-1b77-4349-8439-6bc9f6f86fa3:10012544 /guid:1e526387-c79c-4df9-a6e7-8e1e6a3629b2 /ga_clientid:34ed4df6-3ae8-4c7e-8f45-338a0f1f63cb /no_delayed_installation /silent /ws /psh:92pTu5fco4SCi2DIcIJ4MNl3Prl70kxvsgpFCfG5xf4L8PEQrfEnYMPVEwiQncfM0wOxOFIhLV9HRc /cookie:mmm_irs_ppi_902_451_o /ga_clientid:34ed4df6-3ae8-4c7e-8f45-338a0f1f63cb /edat_dir:C:\Windows\Temp\asw.88ca6255fc32eabe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod1_extract\avg_secure_browser_setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod1_extract\avg_secure_browser_setup.exe" /s /run_source=avg_ads_is_control /is_pixel_psh=BjYV6dEL9q9w6uTYwwG7LtIXOoYiPlHhlVS72BCtRlkHt7aKodB8bEjWMowgoeWIgDnIfybFWEk4IPc /make-default
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod2_extract\WZSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod2_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:572

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924

C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\is-HE83A.tmp\CheatEngine75.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HE83A.tmp\CheatEngine75.tmp" /SL5="$50176,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\system32\net.exe
"net" stop BadlionAntic
5⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BadlionAntic
6⤵
PID:2060

C:\Windows\system32\net.exe
"net" stop BadlionAnticheat
5⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BadlionAnticheat
6⤵
PID:2656

C:\Windows\system32\sc.exe
"sc" delete BadlionAntic
5⤵
- Launches sc.exe
PID:2664

C:\Windows\system32\sc.exe
"sc" delete BadlionAnticheat
5⤵
- Launches sc.exe
PID:2740

C:\Users\Admin\AppData\Local\Temp\is-OAAIB.tmp\_isetup\_setup64.tmp
helper 105 0x1F8
5⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\icacls.exe
"icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
5⤵
- Modifies file permissions
PID:1716

C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
"C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1148

C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
"C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
5⤵
- Executes dropped EXE
PID:2932

C:\Windows\system32\icacls.exe
"icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
5⤵
- Modifies file permissions
PID:2256

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
"C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2576

C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
"C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 472
3⤵
- Loads dropped DLL
- Program crash
PID:2492

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Program Files (x86)\WeatherZero\WeatherZero.exe
"C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /q=3C6D58423DEBD20A0BDB6F716B458406
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-i386.dll
Filesize
328KB

MD5
19d52868c3e0b609dbeb68ef81f381a9

SHA1
ce365bd4cf627a3849d7277bafbf2f5f56f496dc

SHA256
b96469b310ba59d1db320a337b3a8104db232a4344a47a8e5ae72f16cc7b1ff4

SHA512
5fbd53d761695de1dd6f0afd0964b33863764c89692345cab013c0b1b6332c24dcf766028f305cc87d864d17229d7a52bf19a299ca136a799053c368f21c8926

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll
Filesize
468KB

MD5
daa81711ad1f1b1f8d96dc926d502484

SHA1
7130b241e23bede2b1f812d95fdb4ed5eecadbfd

SHA256
8422be70e0ec59c962b35acf8ad80671bcc8330c9256e6e1ec5c07691388cd66

SHA512
9eaa8e04ad7359a30d5e2f9256f94c1643d4c3f3c0dff24d6cd9e31a6f88cb3b470dd98f01f8b0f57bb947adc3d45c35749ed4877c7cbbbcc181145f0c361065

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\is-BRCIU.tmp
Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook.dll
Filesize
128KB

MD5
43dac1f3ca6b48263029b348111e3255

SHA1
9e399fddc2a256292a07b5c3a16b1c8bdd8da5c1

SHA256
148f12445f11a50efbd23509139bf06a47d453e8514733b5a15868d10cc6e066

SHA512
6e77a429923b503fc08895995eb8817e36145169c2937dacc2da92b846f45101846e98191aeb4f0f2f13fff05d0836aa658f505a04208188278718166c5e3032

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook64.dll
Filesize
140KB

MD5
0daf9f07847cceb0f0760bf5d770b8c1

SHA1
992cc461f67acea58a866a78b6eefb0cbcc3aaa1

SHA256
a2ac2ba27b0ed9acc3f0ea1bef9909a59169bc2eb16c979ef8e736a784bf2fa4

SHA512
b4dda28721de88a372af39d4dfba6e612ce06cc443d6a6d636334865a9f8ca555591fb36d9829b54bc0fb27f486d4f216d50f68e1c2df067439fe8ebbf203b6a

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook.dll
Filesize
137KB

MD5
42e2bf4210f8126e3d655218bd2af2e4

SHA1
78efcb9138eb0c800451cf2bcc10e92a3adf5b72

SHA256
1e30126badfffb231a605c6764dd98895208779ef440ea20015ab560263dd288

SHA512
c985988d0832ce26337f774b160ac369f2957c306a1d82fbbffe87d9062ae5f3af3c1209768cd574182669cd4495dba26b6f1388814c0724a7812218b0b8dc74

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook64.dll
Filesize
146KB

MD5
0eaac872aadc457c87ee995bbf45a9c1

SHA1
5e9e9b98f40424ad5397fc73c13b882d75499d27

SHA256
6f505cc5973687bbda1c2d9ac8a635d333f57c12067c54da7453d9448ab40b8f

SHA512
164d1e6ef537d44ac4c0fd90d3c708843a74ac2e08fa2b3f0fdd4a180401210847e0f7bb8ec3056f5dc1d5a54d3239c59fb37914ce7742a4c0eb81578657d24b

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll
Filesize
124KB

MD5
5f1a333671bf167730ed5f70c2c18008

SHA1
c8233bbc6178ba646252c6566789b82a3296cab5

SHA256
fd2a2b4fe4504c56347c35f24d566cc0510e81706175395d0a2ba26a013c4daf

SHA512
6986d93e680b3776eb5700143fc35d60ca9dbbdf83498f8731c673f9fd77c8699a24a4849db2a273aa991b8289e4d6c3142bbde77e11f2faf603df43e8fea105

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll
Filesize
136KB

MD5
61ba5199c4e601fa6340e46bef0dff2d

SHA1
7c1a51d6d75b001ba1acde2acb0919b939b392c3

SHA256
8783f06f7b123e16042bb0af91ff196b698d3cd2aa930e3ea97cfc553d9fc0f4

SHA512
8ce180a622a5788bb66c5f3a4abfde62c858e86962f29091e9c157753088ddc826c67c51ff26567bfe2b75737897f14e6bb17ec89f52b525f6577097f1647d31

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook.dll
Filesize
119KB

MD5
2a2ebe526ace7eea5d58e416783d9087

SHA1
5dabe0f7586f351addc8afc5585ee9f70c99e6c4

SHA256
e2a7df4c380667431f4443d5e5fc43964b76c8fcb9cf4c7db921c4140b225b42

SHA512
94ed0038068abddd108f880df23422e21f9808ce04a0d14299aacc5d573521f52626c0c2752b314cda976f64de52c4d5bcac0158b37d43afb9bc345f31fdbbc0

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook64.dll
Filesize
131KB

MD5
2af7afe35ab4825e58f43434f5ae9a0f

SHA1
b67c51cad09b236ae859a77d0807669283d6342f

SHA256
7d82694094c1bbc586e554fa87a4b1ed6ebc9eb14902fd429824dcd501339722

SHA512
23b7c6db0cb9c918ad9f28fa0e4e683c7e2495e89a136b75b7e1be6380591da61b6fb4f7248191f28fd3d80c4a391744a96434b4ab96b9531b5ebb0ec970b9d0

Download Submit
C:\Program Files\Cheat Engine 7.5\languages\language.ini
Filesize
283B

MD5
af5ed8f4fe5370516403ae39200f5a4f

SHA1
9299e9998a0605182683a58a5a6ab01a9b9bc037

SHA256
4aa4f0b75548d45c81d8e876e2db1c74bddfd64091f102706d729b50a7af53a5

SHA512
f070049a2fae3223861424e7fe79cbae6601c9bee6a56fadde4485ad3c597dc1f3687e720177ab28564a1faab52b6679e9315f74327d02aa1fb31e7b8233a80f

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-32.dll
Filesize
157KB

MD5
df443813546abcef7f33dd9fc0c6070a

SHA1
635d2d453d48382824e44dd1e59d5c54d735ee2c

SHA256
d14911c838620251f7f64c190b04bb8f4e762318cc763d993c9179376228d8ca

SHA512
9f9bea9112d9db9bcecfc8e4800b7e8032efb240cbbddaf26c133b4ce12d27b47dc4e90bc339c561714bc972f6e809b2ec9c9e1facc6c223fbac66b089a14c25

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-64.dll
Filesize
182KB

MD5
4a3b7c52ef32d936e3167efc1e920ae6

SHA1
d5d8daa7a272547419132ddb6e666f7559dbac04

SHA256
26ede848dba071eb76c0c0ef8e9d8ad1c53dfab47ca9137abc9d683032f06ebb

SHA512
36d7f8a0a749de049a830cc8c8f0d3962d8dce57b445f5f3c771a86dd11aaa10da5f36f95e55d3dc90900e4dbddd0dcc21052c53aa11f939db691362c42e5312

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-i386.dll
Filesize
197KB

MD5
9f50134c8be9af59f371f607a6daa0b6

SHA1
6584b98172cbc4916a7e5ca8d5788493f85f24a7

SHA256
dd07117ed80546f23d37f8023e992de560a1f55a76d1eb6dfd9d55baa5e3dad6

SHA512
5ccafa2b0e2d20034168ee9a79e8efff64f12f5247f6772815ef4cb9ee56f245a06b088247222c5a3789ae2dcefadbc2c15df4ff5196028857f92b9992b094e0

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll
Filesize
260KB

MD5
dd71848b5bbd150e22e84238cf985af0

SHA1
35c7aa128d47710cfdb15bb6809a20dbd0f916d8

SHA256
253d18d0d835f482e6abbaf716855580eb8fe789292c937301e4d60ead29531d

SHA512
0cbf35c9d7b09fb57d8a9079eab726a3891393f12aee8b43e01d1d979509e755b74c0fb677f8f2dfab6b2e34a141f65d0cfbfe57bda0bf7482841ad31ace7790

Download Submit
C:\Program Files\Cheat Engine 7.5\overlay.fx
Filesize
2KB

MD5
650c02fc9f949d14d62e32dd7a894f5e

SHA1
fa5399b01aadd9f1a4a5632f8632711c186ec0de

SHA256
c4d23db8effb359b4aa4d1e1e480486fe3a4586ce8243397a94250627ba4f8cc

SHA512
f2caaf604c271283fc7af3aa9674b9d647c4ac53dffca031dbf1220d3ed2e867943f5409a95f41c61d716879bed7c888735f43a068f1cc1452b4196d611cb76d

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll
Filesize
200KB

MD5
6e00495955d4efaac2e1602eb47033ee

SHA1
95c2998d35adcf2814ec7c056bfbe0a0eb6a100c

SHA256
5e24a5fe17ec001cab7118328a4bff0f2577bd057206c6c886c3b7fb98e0d6d9

SHA512
2004d1def322b6dd7b129fe4fa7bbe5d42ab280b2e9e81de806f54313a7ed7231f71b62b6138ac767288fee796092f3397e5390e858e06e55a69b0d00f18b866

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-x86_64.dll
Filesize
256KB

MD5
19b2050b660a4f9fcb71c93853f2e79c

SHA1
5ffa886fa019fcd20008e8820a0939c09a62407a

SHA256
5421b570fbc1165d7794c08279e311672dc4f42cb7ae1cbddcd7eea0b1136fff

SHA512
a93e47387ab0d327b71c3045b3964c7586d0e03dddb2e692f6671fb99659e829591d5f23ce7a95683d82d239ba7d11fb5a123834629a53de5ce5dba6aa714a9a

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-i386.dll
Filesize
324KB

MD5
e9b5905d495a88adbc12c811785e72ec

SHA1
ca0546646986aab770c7cf2e723c736777802880

SHA256
3eb9cd27035d4193e32e271778643f3acb2ba73341d87fd8bb18d99af3dffdea

SHA512
4124180b118149c25f8ea8dbbb2912b4bd56b43f695bf0ff9c6ccc95ade388f1be7d440a791d49e4d5c9c350ea113cf65f839a3c47d705533716acc53dd038f8

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll
Filesize
413KB

MD5
8d487547f1664995e8c47ec2ca6d71fe

SHA1
d29255653ae831f298a54c6fa142fb64e984e802

SHA256
f50baf9dc3cd6b925758077ec85708db2712999b9027cc632f57d1e6c588df21

SHA512
79c230cfe8907df9da92607a2c1ace0523a36c3a13296cb0265329208edc453e293d7fbedbd5410decf81d20a7fe361fdebddadbc1dc63c96130b0bedf5b1d8a

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-i386.dll
Filesize
201KB

MD5
de625af5cf4822db08035cc897f0b9f2

SHA1
4440b060c1fa070eb5d61ea9aadda11e4120d325

SHA256
3cdb85ee83ef12802efdfc9314e863d4696be70530b31e7958c185fc4d6a9b38

SHA512
19b22f43441e8bc72507be850a8154321c20b7351669d15af726145c0d34805c7df58f9dc64a29272a4811268308e503e9840f06e51ccdcb33afd61258339099

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll
Filesize
264KB

MD5
f9c562b838a3c0620fb6ee46b20b554c

SHA1
5095f54be57622730698b5c92c61b124dfb3b944

SHA256
e08b035d0a894d8bea64e67b1ed0bce27567d417eaaa133e8b231f8a939e581d

SHA512
a20bc9a442c698c264fef82aa743d9f3873227d7d55cb908e282fa1f5dcff6b40c5b9ca7802576ef2f5a753fd1c534e9be69464b29af8efec8b019814b875296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ee9acb9648093b0c86e7a7123b165d54

SHA1
d2f3a22d59b8c316c7047911571b8a2d2f27a18b

SHA256
320d68643a281a71893515ae27171c11a4c6f8391d29330cb1bf8ba4ae508321

SHA512
4dfdae3b289b16dc91993899d5e612617a62b85523f1a4e64271f0b095daa06605e480b4882b9b60183a4466290c06908075635550055d36b50189fb804de7f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ee29396ebf3500657fedeb944569eee5

SHA1
dcbf99de8d6e44f5bb9386c6efaa0e0cd2f2b41d

SHA256
0e3378a8f21ddf81e4f05d9f5056cdf26a23287a253ea795da4d6168b4acb72f

SHA512
894230f96bd3846b9292ff56699cc872e8e9d9d85ae7cdeb019f04bb481faa6cd76ab2ebe28c467f66a656b0be7fa7a24a44a615972ba78a60aa9a6eea16091d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3647def7133a0b912df74c6febde9ab6

SHA1
8d0788cc43c2673b5229bc5af139c19c1c749392

SHA256
a54ef07754625753ad575b370f34ddff3e7ccb432fd68f1dcb0ab3e903d3efd1

SHA512
5960c745b5ec6998e66372d38342e97eebca3cfe038b0fbf9743f60a0c25d30880c3fb70129f85f45326ffd25d4df278e19d8b707ec7f4dec91d9737fd420f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF76B.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF78D.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HE83A.tmp\CheatEngine75.tmp
Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\AVG_AV.png
Filesize
51KB

MD5
aee8e80b35dcb3cf2a5733ba99231560

SHA1
7bcf9feb3094b7d79d080597b56a18da5144ca7b

SHA256
35bbd8f390865173d65ba2f38320a04755541a0783e9f825fdb9862f80d97aa9

SHA512
dcd84221571bf809107f7aeaf94bab2f494ea0431b9dadb97feed63074322d1cf0446dbd52429a70186d3ecd631fb409102afcf7e11713e9c1041caacdb8b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\AVG_BRW.png
Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\WeatherZero.png
Filesize
29KB

MD5
9ac6287111cb2b272561781786c46cdd

SHA1
6b02f2307ec17d9325523af1d27a6cb386c8f543

SHA256
ab99cdb7d798cb7b7d8517584d546aa4ed54eca1b808de6d076710c8a400c8c4

SHA512
f998a4e0ce14b3898a72e0b8a3f7154fc87d2070badcfa98582e3b570ca83a562d5a0c95f999a4b396619db42ab6269a2bac47702597c5a2c37177441723d837

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\logo.png
Filesize
246KB

MD5
f3d1b8cd125a67bafe54b8f31dda1ccd

SHA1
1c6b6bf1e785ad80fc7e9131a1d7acbba88e8303

SHA256
21dfa1ff331794fcb921695134a3ba1174d03ee7f1e3d69f4b1a3581fccd2cdf

SHA512
c57d36daa20b1827b2f8f9f98c9fd4696579de0de43f9bbeef63a544561a5f50648cc69220d9e8049164df97cb4b2176963089e14d58a6369d490d8c04354401

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod0.zip
Filesize
122KB

MD5
56b0d3e1b154ae65682c167d25ec94a6

SHA1
44439842b756c6ff14df658befccb7a294a8ea88

SHA256
434bfc9e005a7c8ee249b62f176979f1b4cde69484db1683ea07a63e6c1e93de

SHA512
6f7211546c6360d4be8c3bb38f1e5b1b4a136aa1e15ec5ae57c9670215680b27ff336c4947bd6d736115fa4dedea10aacf558b6988196f583b324b50d4eca172

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod1.zip
Filesize
5.7MB

MD5
6406abc4ee622f73e9e6cb618190af02

SHA1
2aa23362907ba1c48eca7f1a372c2933edbb7fa1

SHA256
fd83d239b00a44698959145449ebfcb8c52687327deac04455e77a710a3dfe1b

SHA512
dd8e43f8a8f6c6e491179240bdfefdf30002f3f2900b1a319b4251dfa9ca7b7f87ddf170ba868ab520f94de9cc7d1854e3bcfd439cad1e8b4223c7ee06d649f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod1_extract\avg_secure_browser_setup.exe
Filesize
5.8MB

MD5
591059d6711881a4b12ad5f74d5781bf

SHA1
33362f43eaf8ad42fd6041d9b08091877fd2efba

SHA256
99e8de20a35a362c2a61c0b9e48fe8eb8fc1df452134e7b6390211ab19121a65

SHA512
6280064a79ca36df725483e3269bc1e729e67716255f18af542531d7824a5d76b38a7dcefca048022c861ffcbd0563028d39310f987076f6a5da6c7898c1984c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod2.zip
Filesize
5.9MB

MD5
7cc0288a2a8bbe014f9e344f3068c8f1

SHA1
eb47d401ae30a308dd66bdcafde06cdd35e25c94

SHA256
200e9bc4fcf2c6682ddc8c7f172a0d02befecd25ca882f66c6abc868a54b8975

SHA512
869f0a01ef0bcbbfc501c1786e14bffeaa2daaa00210c312874fc67a724c77ef61394bb5854b9a02af654cd045c4d39ae30d73f1b4ec8aa9e531dfeea1714476

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod2_extract\WZSetup.exe
Filesize
6.0MB

MD5
3c17f28cc001f6652377d3b5deec10f0

SHA1
eeb13cf47836ff0a0d5cc380618f33e7818f9d75

SHA256
fa352552306b80f3f897f8f21d8579ae642c97d12298e113ae1adc03902c69b8

SHA512
240b31f29d439c09a56d3bf8d4a3ea14f75c2286e209e7df3f4ff301bfa3ad8228d7bebe01acea6f2f702a0ba7ecdb5583b97372725c77ef497e749740f644b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OAAIB.tmp\_isetup\_setup64.tmp
Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\StdUtils.dll
Filesize
195KB

MD5
7602b88d488e54b717a7086605cd6d8d

SHA1
c01200d911e744bdffa7f31b3c23068971494485

SHA256
2640e4f09aa4c117036bfddd12dc02834e66400392761386bd1fe172a6ddfa11

SHA512
a11b68bdaecc1fe3d04246cfd62dd1bb4ef5f360125b40dadf8d475e603e14f24cf35335e01e985f0e7adcf785fdf6c57c7856722bc8dcb4dd2a1f817b1dde3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3988.tmp\WeatherZeroNSISPlugin.dll
Filesize
695KB

MD5
2eaf88651d6de968bf14ec9db52fd3b5

SHA1
1c37626526572fdb6378aa4bedbf7b941886a9a1

SHA256
070190292df544da87f84dc8cf8ecc0a0337085a3fe744fa60ce00a6879b6146

SHA512
15754a8f097f9c8d7bda65fb881720af5e4c4db1e35f555563b9bafe6426a6a0e50953a47f628fe3dc0f461e48abbf77db7c997902ff483cf33396d0d8e2cd17

Download Submit
C:\Windows\Temp\asw.6112e3d7d4cff162\asw9926b9f97d40fc18.ini
Filesize
565B

MD5
422806d25af8644d5594c5c8bbdbc892

SHA1
5d3168a2478fbcb9c20b56e4bed05475ec037350

SHA256
df195a539ddbc86a099d18355ecdd9c7831ea503621428bf2fe143fd5e7a21a3

SHA512
00895ee5e2d55ca8bf201804b4da507d810253eff42a48dfd449971c39e8c0fb0ccbe6bc1eb2f017e73d9df2b2b9d74eecae3c60012b2c56655443225a367667

Download Submit
C:\Windows\Temp\asw.6112e3d7d4cff162\asw9926b9f97d40fc18.ini
Filesize
662B

MD5
86ec06f3a8e42fdaa76346a922fc6c88

SHA1
e84cd5ab318fbefcb788ccd35aafcfb1889f1844

SHA256
8fc6a1f48faaffdc1d52b69a542318f22d2883ff03177e89f7deda79b5bc6fd1

SHA512
10c30def9a6ab16f1c9b8fefe9adb42161a78450e26ec12d7796e22877465431074d395109215e37942d5bf51f3b7e7c68ba93d4f27bcd736931df5c54b5de97

Download Submit
C:\Windows\Temp\asw.6112e3d7d4cff162\config.def
Filesize
19KB

MD5
7599c69076d457f87aefa076fc975f21

SHA1
1b4a47f279686e6894c5e3c308d10108d122e301

SHA256
436d52729ba7a27d48ba31f20e4132f3f8de256e6da64acc57a54641a11ff24e

SHA512
39b31a569c7c6734710e17a407056cc333983a3aea591cc7ba0f3cb3cefeaafe3aa7ae52de29ac228d73c1bc0f0f0859b8f75592fe4a69c760041b24e204f1ba

Download Submit
C:\Windows\Temp\asw.6112e3d7d4cff162\part-setup_ais-15020c62.vpx
Filesize
5KB

MD5
d5b798d8816b252e7d718195dfeb8a8c

SHA1
860c5807fd491aeeb12d661d8cf2ecca4ca1639b

SHA256
75176962c8691f84eb299a555d4c82796b53a12161f1e6616ec50cf97393b499

SHA512
16cd2e8f57c05ba2bae79de39867cc35178a6d99cd035d7d20efd8788076360a408affa9b6caf3ea09daf5c32834b995e47b1ab4ec29fcc1fdfddcf0ba96cce5

Download Submit
C:\Windows\Temp\asw.6112e3d7d4cff162\prod-pgm.vpx
Filesize
571B

MD5
80923428355b73a2a7f50c916da5b567

SHA1
e9e75bca2f0ad14278ce45b8f007d57c2c326394

SHA256
bbbfa65884b4d637eda3ec79a5ad745f48ed5035f69223e4201409fca479d09d

SHA512
d3073315a51bb1b0073bec2d5aff4fd3a7064660d9d6b54c8bbedff2128fe94804ac1d2a1df7a4baeae42ee010729abe84fbe37e609e6ea9ab49e7980fc737f9

Download Submit
C:\Windows\Temp\asw.6112e3d7d4cff162\servers.def
Filesize
27KB

MD5
0e2440b112daade4f0b6ecd73a85cc94

SHA1
274167033de5bc41279e35b51b9a590da8f0de94

SHA256
d3f80118df9b7edaa29e6963dd407cfbf242f51d17f11b171aa85ca4795b57f1

SHA512
71a10c70bfb1f35c4192702e3bf37bee3caf901605236d98a619932197191923c2ae014fcd64013faa498d0f90f63512254a57ff9849b549e8a8aad26f4b4369

Download Submit
C:\Windows\Temp\asw.6112e3d7d4cff162\servers.def.vpx
Filesize
1KB

MD5
dee85b4a27ab47c79566e6b45b2c9b12

SHA1
ee3b18a603768697f2df824c739f45b45e046a4b

SHA256
16ba9a4bc2a15c8b6bfb0d7de0ef9020a6b1c70ac19b41843b6f2ba3dbda29c8

SHA512
e24fd8e1e5bec30f5dec0ec0a7d6db0ed6e6b324482c8851f9cfe4d3d7499291d46303ebd4c317e28cb0f50a4dba7a2459ae97da3da75a19b30f456acf9e2a5c

Download Submit
\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
Filesize
236KB

MD5
9af96706762298cf72df2a74213494c9

SHA1
4b5fd2f168380919524ecce77aa1be330fdef57a

SHA256
65fa2ccb3ac5400dd92dda5f640445a6e195da7c827107260f67624d3eb95e7d

SHA512
29a0619093c4c0ecf602c861ec819ef16550c0607df93067eaef4259a84fd7d40eb88cd5548c0b3b265f3ce5237b585f508fdd543fa281737be17c0551163bd4

Download Submit
\Users\Admin\AppData\Local\Temp\is-1MP2P.tmp\CheatEngine75.tmp
Filesize
3.1MB

MD5
349c57b17c961abbe59730d3cc5614b2

SHA1
32278b8621491e587a08f0764501b8b8314fd94c

SHA256
de28f1f10d5136dc5b30ccb73750559cca91720533717e9398ee45a44c75481b

SHA512
54d54d8b682c8cf9b06452a493e96307bfd9b8193f21e8eb5e89ad4420e1f6e066cf8bdeb70444ebcf2297520a4716ae1910124f21cab98e012f0fd19783c1f5

Download Submit
\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\CheatEngine75.exe
Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\prod0_extract\avg_antivirus_free_setup.exe
Filesize
229KB

MD5
26816af65f2a3f1c61fb44c682510c97

SHA1
6ca3fe45b3ccd41b25d02179b6529faedef7884a

SHA256
2025c8c2acc5537366e84809cb112589ddc9e16630a81c301d24c887e2d25f45

SHA512
2426e54f598e3a4a6d2242ab668ce593d8947f5ddb36aded7356be99134cbc2f37323e1d36db95703a629ef712fab65f1285d9f9433b1e1af0123fd1773d0384

Download Submit
\Users\Admin\AppData\Local\Temp\is-NEIS5.tmp\zbShieldUtils.dll
Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\JsisPlugins.dll
Filesize
2.1MB

MD5
bd94620c8a3496f0922d7a443c750047

SHA1
23c4cb2b4d5f5256e76e54969e7e352263abf057

SHA256
c0af9e25c35650f43de4e8a57bb89d43099beead4ca6af6be846319ff84d7644

SHA512
954006d27ed365fdf54327d64f05b950c2f0881e395257b87ba8e4cc608ec4771deb490d57dc988571a2e66f730e04e8fe16f356a06070abda1de9f3b0c3da68

Download Submit
\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\Midex.dll
Filesize
126KB

MD5
581c4a0b8de60868b89074fe94eb27b9

SHA1
70b8bdfddb08164f9d52033305d535b7db2599f6

SHA256
b13c23af49da0a21959e564cbca8e6b94c181c5eeb95150b29c94ff6afb8f9dd

SHA512
94290e72871c622fc32e9661719066bafb9b393e10ed397cae8a6f0c8be6ed0df88e5414f39bc528bf9a81980bdcb621745b6c712f4878f0447595cec59ee33d

Download Submit
\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\jsis.dll
Filesize
127KB

MD5
4b27df9758c01833e92c51c24ce9e1d5

SHA1
c3e227564de6808e542d2a91bbc70653cf88d040

SHA256
d37408f77b7a4e7c60800b6d60c47305b487e8e21c82a416784864bd9f26e7bb

SHA512
666f1b99d65169ec5b8bc41cdbbc5fe06bcb9872b7d628cb5ece051630a38678291ddc84862101c727f386c75b750c067177e6e67c1f69ab9f5c2e24367659f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\nsJSON.dll
Filesize
36KB

MD5
ddb56a646aea54615b29ce7df8cd31b8

SHA1
0ea1a1528faafd930ddceb226d9deaf4fa53c8b2

SHA256
07e602c54086a8fa111f83a38c2f3ee239f49328990212c2b3a295fade2b5069

SHA512
5d5d6ee7ac7454a72059be736ec8da82572f56e86454c5cbfe26e7956752b6df845a6b0fada76d92473033ca68cd9f87c8e60ac664320b015bb352915abe33c8

Download Submit
\Users\Admin\AppData\Local\Temp\nsj37C5.tmp\thirdparty.dll
Filesize
93KB

MD5
070335e8e52a288bdb45db1c840d446b

SHA1
9db1be3d0ab572c5e969fea8d38a217b4d23cab2

SHA256
c8cf0cf1c2b8b14cbedfe621d81a79c80d70f587d698ad6dfb54bbe8e346fbbc

SHA512
6f49b82c5dbb84070794bae21b86e39d47f1a133b25e09f6a237689fd58b7338ae95440ae52c83fda92466d723385a1ceaf335284d4506757a508abff9d4b44c

Download Submit
\Users\Admin\AppData\Local\Temp\nst3988.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
memory/316-137-0x0000000003830000-0x0000000003970000-memory.dmp

Filesize
1.2MB

Download
memory/316-144-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/316-254-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/316-1028-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/316-1188-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/316-141-0x0000000003830000-0x0000000003970000-memory.dmp

Filesize
1.2MB

Download
memory/316-152-0x0000000003830000-0x0000000003970000-memory.dmp

Filesize
1.2MB

Download
memory/316-8-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/316-1119-0x0000000003830000-0x0000000003970000-memory.dmp

Filesize
1.2MB

Download
memory/316-148-0x0000000003830000-0x0000000003970000-memory.dmp

Filesize
1.2MB

Download
memory/1592-1092-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1592-312-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2284-142-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2284-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2284-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2980-1086-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download