hxxps://www[.]cheatengine[.]org/

Analysis

max time kernel
103s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.cheatengine.org/

Score

8^/10

steam discovery evasion execution persistence phishing privilege_escalation spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	CheatEngine75.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	prod0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Cheat Engine.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 20 IoCs

pid	Process
796	CheatEngine75.exe
5296	CheatEngine75.tmp
3780	prod0.exe
5968	saBSI.exe
3764	CheatEngine75.exe
4344	u05hkpgp.exe
4320	CheatEngine75.tmp
5060	UnifiedStub-installer.exe
5812	_setup64.tmp
5656	installer.exe
5712	installer.exe
2180	rsSyncSvc.exe
5936	rsSyncSvc.exe
6092	Kernelmoduleunloader.exe
6940	ServiceHost.exe
5128	UIHost.exe
6396	windowsrepair.exe
6916	Cheat Engine.exe
6628	cheatengine-x86_64-SSE4-AVX2.exe
768	updater.exe

Loads dropped DLL 19 IoCs

pid	Process
5296	CheatEngine75.tmp
5712	installer.exe
996	regsvr32.exe
6616	regsvr32.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
5128	UIHost.exe
5128	UIHost.exe
6628	cheatengine-x86_64-SSE4-AVX2.exe
6628	cheatengine-x86_64-SSE4-AVX2.exe
6628	cheatengine-x86_64-SSE4-AVX2.exe
6628	cheatengine-x86_64-SSE4-AVX2.exe
6628	cheatengine-x86_64-SSE4-AVX2.exe
6628	cheatengine-x86_64-SSE4-AVX2.exe
6628	cheatengine-x86_64-SSE4-AVX2.exe
5060	UnifiedStub-installer.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5876	icacls.exe
3836	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in System32 directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM32\winmm.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\advapi32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shell32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\user32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\apphelp.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\SHLWAPI.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\kernel.appcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\imm32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\Wldp.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\combase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\GDI32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\sechost.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\psapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\win32u.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\uxtheme.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ole32.dll	cheatengine-x86_64-SSE4-AVX2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-hr-HR.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\badassets\is-74QDR.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\apphelp.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\women-on-laptop-features.png	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-56V11.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\hhctrl.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\include\is-P36TJ.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\transmitters\transmittimeout_azure.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-es-ES.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\is-8VLRI.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\ja.pak	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logicmodule.dll	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\edgeonboarding.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\iertutil.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\Temp1408865533\jslang\wa-res-install-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\mcafee-logo-lg.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\analyticseventsconfig.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\user_welcome.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\cfgmgr32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\nb.pak	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\init.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ext-install-toast.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\wssversion.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\datasets_catalog.json	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-ko-KR.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-MVU8H.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\Temp1408865533\jslang\eula-en-US.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_utils_wps.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\settingsdblookup.luc	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\dataset.js	ServiceHost.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\comdlg32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\loading-spinner.gif	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\edge_onboarding\edge-ext-toast.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-nb-NO.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\chrome_200_percent.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources.pak	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp1408865533\jslang\wa-res-install-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\lowsearchusertargeting.luc	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\zh-TW.pak	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-hr-HR.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\he.pak	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp1408865533\analyticsmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1408865533\uimanager.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\staticvalue.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-fi-FI.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\is-Q3EDC.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-Q4NJU.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\cryptbase.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\toggle_on.png	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\clibs32\is-PG5PF.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-sk-SK.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ss-toast-rebranding-bing.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-fr-FR.js	installer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	cheatengine-x86_64-SSE4-AVX2.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5160	sc.exe
5432	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3032	5296	WerFault.exe	128
6012	5296	WerFault.exe	128

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kernelmoduleunloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat Engine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsrepair.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saBSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u05hkpgp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{18E444B4-FBF2-4268-A8BB-2DC3B745AD52}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine75.tmp

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 904723.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 753082.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 896317.crdownload:SmartScreen	msedge.exe

Runs net.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	131	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	175	Cheat Engine 7.5 : luascript-ceshare
HTTP User-Agent header	175	Cheat Engine 7.5 : luascript-CEVersionCheck

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3760	msedge.exe
3760	msedge.exe
3052	identity_helper.exe
3052	identity_helper.exe
6108	msedge.exe
6108	msedge.exe
5968	saBSI.exe
5968	saBSI.exe
5968	saBSI.exe
5968	saBSI.exe
5968	saBSI.exe
5968	saBSI.exe
5968	saBSI.exe
5968	saBSI.exe
5968	saBSI.exe
5968	saBSI.exe
5968	saBSI.exe
5968	saBSI.exe
4320	CheatEngine75.tmp
4320	CheatEngine75.tmp
5060	UnifiedStub-installer.exe
5060	UnifiedStub-installer.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe
6940	ServiceHost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3780	prod0.exe
Token: SeDebugPrivilege	5060	UnifiedStub-installer.exe
Token: SeShutdownPrivilege	5060	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	5060	UnifiedStub-installer.exe
Token: SeDebugPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLoadDriverPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreateGlobalPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLockMemoryPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeSecurityPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTakeOwnershipPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeManageVolumePrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeBackupPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreatePagefilePrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeShutdownPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeRestorePrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	6628	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeIncBasePriorityPrivilege	6628	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe
3760	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 4452	3760	msedge.exe	82
PID 3760 wrote to memory of 4452	3760	msedge.exe	82
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 4416	3760	msedge.exe	83
PID 3760 wrote to memory of 3604	3760	msedge.exe	84
PID 3760 wrote to memory of 3604	3760	msedge.exe	84
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85
PID 3760 wrote to memory of 368	3760	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cheatengine.org/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff904ef46f8,0x7ff904ef4708,0x7ff904ef4718
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7020 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7504 /prefetch:8
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7484 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6108
- C:\Users\Admin\Downloads\CheatEngine75.exe
  "C:\Users\Admin\Downloads\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:796
- - C:\Users\Admin\AppData\Local\Temp\is-8TAF1.tmp\CheatEngine75.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8TAF1.tmp\CheatEngine75.tmp" /SL5="$1602A0,29071676,832512,C:\Users\Admin\Downloads\CheatEngine75.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:5296
  - - C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\prod0.exe
      "C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\prod0.exe" -ip:"dui=a5c5e2ae-85e3-447c-9e0b-c9a7b966d823&dit=20240928155428&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=a5c5e2ae-85e3-447c-9e0b-c9a7b966d823&dit=20240928155428&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=a5c5e2ae-85e3-447c-9e0b-c9a7b966d823&dit=20240928155428&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3780
    - - C:\Users\Admin\AppData\Local\Temp\u05hkpgp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u05hkpgp.exe" /silent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4344
      - C:\Users\Admin\AppData\Local\Temp\7zS8F0517B8\UnifiedStub-installer.exe
        
        .\UnifiedStub-installer.exe /silent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        7⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        7⤵
        
        PID:5500
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        
        PID:1516
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:2320
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        7⤵
        
        PID:7524
        
        C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        7⤵
        
        PID:7792
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
        7⤵
        
        PID:8024
        
        C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
        7⤵
        
        PID:8172
        
        C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
        7⤵
        
        PID:8956
        
        C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
        7⤵
        
        PID:1480
        
        C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
        
        "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
        7⤵
        
        PID:8084
  - - C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\prod1_extract\saBSI.exe
      "C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:5968
    - - C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\prod1_extract\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\prod1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5656
      - C:\Program Files\McAfee\Temp1408865533\installer.exe
        
        "C:\Program Files\McAfee\Temp1408865533\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:5712
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        7⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        7⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:6616
  - - C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\CheatEngine75.exe
      "C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3764
    - - C:\Users\Admin\AppData\Local\Temp\is-28NSE.tmp\CheatEngine75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-28NSE.tmp\CheatEngine75.tmp" /SL5="$301C4,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4320
      - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        6⤵
        
        PID:4588
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        7⤵
        
        PID:1244
      - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        6⤵
        
        PID:6104
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        7⤵
        
        PID:4132
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        6⤵
        Launches sc.exe
        
        PID:5160
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        6⤵
        Launches sc.exe
        
        PID:5432
      - C:\Users\Admin\AppData\Local\Temp\is-3ECB1.tmp\_isetup\_setup64.tmp
        
        helper 105 0x45C
        6⤵
        Executes dropped EXE
        
        PID:5812
      - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:5876
      - C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6092
      - C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6396
      - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:3836
  - - C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
      "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6916
    - - C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
        
        "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:6628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 1864
      4⤵
      Program crash
      PID:3032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 1864
      4⤵
      Program crash
      PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:1
  2⤵
  PID:6340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:6548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:6912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7472 /prefetch:8
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:6344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3148 /prefetch:8
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7564 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:1
  2⤵
  PID:7212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:1
  2⤵
  PID:7380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7760 /prefetch:8
  2⤵
  PID:8156
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  PID:8752
- - C:\Program Files (x86)\Steam\bin\steamservice.exe
    "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
    3⤵
    PID:9000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,1616257128760020459,5210503566814167209,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7856 /prefetch:2
  2⤵
  PID:6608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:5936

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6940
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:2204
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5296 -ip 5296
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5296 -ip 5296
1⤵
PID:4056

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
PID:2292

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
PID:6856

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
PID:8260
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  PID:7548

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
PID:5360

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png

Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\is-1K19L.tmp

Filesize
12.2MB

MD5
721e9610564998312367d8be08642ff3

SHA1
403929be54b63237d3cc5f7f4d31151f0fee8eab

SHA256
dc6b1e6f8c0589e89ea96b86618d6ffce91ab4858dbd74443b7370a710807f0b

SHA512
4d3fe8d7484d429f45e666f2662afef58b700d9065fb37c8a3a525f2b09e729dd5e389fd7a6050f6a0e44295f2a810b9b50d4eb683ac13be6ff7e794f6d0dcce

Download Submit
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

Filesize
262KB

MD5
9a4d1b5154194ea0c42efebeb73f318f

SHA1
220f8af8b91d3c7b64140cbb5d9337d7ed277edb

SHA256
2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363

SHA512
6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

Download Submit
C:\Program Files\McAfee\Temp1408865533\analyticsmanager.cab

Filesize
1.8MB

MD5
948d496f4ad6e8b149db6056be02c8f7

SHA1
8e2aeec2e560e44fbe3c8364ed397982f8155c4c

SHA256
c52816565ae77cd08e0525b702379caf97e2436ed7efbd7411057b38741e52c4

SHA512
72947258a90fc7f82330abdef5586f77b8c7a0408cab349e19ee49102e7e80eec1526961925dec18af7b97490b19d9c88167915c10d4ce815e0322640d177f41

Download Submit
C:\Program Files\McAfee\Temp1408865533\analyticstelemetry.cab

Filesize
48KB

MD5
f580c51c1cb2e8337a2985310dd2fcbf

SHA1
b16d9c5235a3fcfb49a7a629b5a5b6aa481420bb

SHA256
cc03ec78334232f8204e62f73a9c547bf97ca205f2588d19be260a3ac742b2ad

SHA512
cacdb1927e150da7d66c4a0a02d165536c21b45f15f138a82036e9c399d9a534d1a9f9be87d70489757d5905d92152003fdd6b0273d1200d7158b66f1454862d

Download Submit
C:\Program Files\McAfee\Temp1408865533\browserhost.cab

Filesize
1.3MB

MD5
e9383df7daf869a69eee9ff7ec07989b

SHA1
0196df29cbdd819ac16df198396e08f92932c70c

SHA256
5487bab12503446edc939ed5b2928ef5e5237a987cfe2fbdcabe8d41ed7a956b

SHA512
f1cf7bb7d134e5f469a97b785e3b2179dae6b76e60adacfe86b5c8581b8330e615faac0c045c70e8d94238449997ded15f2e50d90e22a9c7fc2b3266170760ba

Download Submit
C:\Program Files\McAfee\Temp1408865533\browserplugin.cab

Filesize
4.8MB

MD5
5a0b1351afb4c6e82e1e2fdb040cfb40

SHA1
25f8de6c83a40daa388bd28d4f2de1080293e816

SHA256
b121285658ee1230f975dc834dcb5dfb1d9a80c8f2abdd9898dfc1ea877fee0a

SHA512
c66274c38998d0aa9064600b2bcde1a6a4ed551a4e00a0a622046e447843cd300bf15a14e2b361a54a47644cd3a16a68e3f78b884e6ec198d67385ee1d11cc0f

Download Submit
C:\Program Files\McAfee\Temp1408865533\eventmanager.cab

Filesize
1.5MB

MD5
37b3275879c23c99fbf4e6539fc4c8f6

SHA1
48c6fb2f083be017bcc7de3934321329c363bf9d

SHA256
5f93db4b3a5c08498f22903ad3196551d080c59b2283e988f5095d95ac47b700

SHA512
7dc01b625c1627e22c57b2c9e90e06ca2e4ceeacee2ffc5c21d5821c245314a68546429770fd0c9b1566bc8e7cd925347fc5efdd799f0296241dfe7c33da1cdc

Download Submit
C:\Program Files\McAfee\Temp1408865533\installer.exe

Filesize
2.9MB

MD5
c484b9d06655c8272d1d185e9c9a2496

SHA1
e55f7af8eac4e8dff8b2eb845b34d75c5937df9a

SHA256
db4ef534357ff1c2a0d6cf925743f0f904866404c71f446d8e771d14e8a94b7a

SHA512
a81895a53c46be9d990912592c9903d361c0bccc1d04da41f529b4542e7f0b8ca6050d9eeec20c17c7030d502abcc4c79e6e8996b09f83fc55e35a7bcc70dfb9

Download Submit
C:\Program Files\McAfee\Temp1408865533\l10n.cab

Filesize
263KB

MD5
9c392136d2f86c7943af5c5fba254697

SHA1
b0e4a19480b58e0d425d267e6721c2c1d6e1c1ee

SHA256
9fda6ad872e73260562d46932fe2323ecc8a93f176289c0f34a98743a6d10e98

SHA512
ff1411549e49b2545350fd044250200290223f7d4c4e000992163d707bc0b220c8e3c87af444ad5b8178e7e041f0488a6fb694a81b79371768e136f12acb84b5

Download Submit
C:\Program Files\McAfee\Temp1408865533\logicmodule.cab

Filesize
1.5MB

MD5
81f22bcf2faf5d08db345c82987a4b25

SHA1
af56eba04562a2c2a1d6def1c6cce3e01a89951d

SHA256
a40903e9d84fdbbde037e52cc46bbfec95112086e34d03c22e0c5f4619a54f45

SHA512
f749f0376d07e46010e7118ccb5e81ee0cbf88bfb484a35462811eeaa2046678c73d5e9e176c78badd08e2e34dd4dfcb1b94d20a879985551b37e4ac182b9e0a

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
73KB

MD5
bd4e67c9b81a9b805890c6e8537b9118

SHA1
f471d69f9f5fbfb23ff7d3c38b5c5d5e5c5acf27

SHA256
916f5e284237a9604115709a6274d54cb924b912b365c84322171872502d4bf8

SHA512
92e1d4a8a93f0bf68fc17288cd1547b2bb9131b8378fbd1ed67a54963a8974717f772e722477417f4eb6c6bb0b3dfba4e7847b20655c3d451cba04f6134c3ab5

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Filesize
798KB

MD5
f2738d0a3df39a5590c243025d9ecbda

SHA1
2c466f5307909fcb3e62106d99824898c33c7089

SHA256
6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21

SHA512
4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

Download Submit
C:\Program Files\ReasonLabs\EDR\InstallUtil.InstallLog

Filesize
628B

MD5
789f18acca221d7c91dcb6b0fb1f145f

SHA1
204cc55cd64b6b630746f0d71218ecd8d6ff84ce

SHA256
a5ff0b9a9832b3f5957c9290f83552174b201aeb636964e061273f3a2d502b63

SHA512
eae74f326f7d71a228cae02e4455557ad5ca81e1e28a186bbc4797075d5c79bcb91b5e605ad1d82f3d27e16d0cf172835112ffced2dc84d15281c0185fa4fa62

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
388B

MD5
1068bade1997666697dc1bd5b3481755

SHA1
4e530b9b09d01240d6800714640f45f8ec87a343

SHA256
3e9b9f8ed00c5197cb2c251eb0943013f58dca44e6219a1f9767d596b4aa2a51

SHA512
35dfd91771fd7930889ff466b45731404066c280c94494e1d51127cc60b342c638f333caa901429ad812e7ccee7530af15057e871ed5f1d3730454836337b329

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
633B

MD5
6895e7ce1a11e92604b53b2f6503564e

SHA1
6a69c00679d2afdaf56fe50d50d6036ccb1e570f

SHA256
3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177

SHA512
314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
339KB

MD5
030ec41ba701ad46d99072c77866b287

SHA1
37bc437f07aa507572b738edc1e0c16a51e36747

SHA256
d5a78100ebbcd482b5be987eaa572b448015fb644287d25206a07da28eae58f8

SHA512
075417d0845eb54a559bd2dfd8c454a285f430c78822ebe945b38c8d363bc4ccced2c276c8a5dec47f58bb6065b2eac627131a7c60f5ded6e780a2f53d7d4bde

Download Submit
C:\Program Files\ReasonLabs\EPP\Uninstall.exe

Filesize
319KB

MD5
79638251b5204aa3929b8d379fa296bb

SHA1
9348e842ba18570d919f62fe0ed595ee7df3a975

SHA256
5bedfd5630ddcd6ab6cc6b2a4904224a3cb4f4d4ff0a59985e34eea5cd8cf79d

SHA512
ab234d5815b48555ddebc772fae5fa78a64a50053bdf08cc3db21c5f7d0e3154e0726dacfc3ea793a28765aea50c7a73011f880363cbc8d39a1c62e5ed20c5a9

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
e0f93d92ed9b38cab0e69bdbd067ea08

SHA1
065522092674a8192d33dac78578299e38fce206

SHA256
73ad69efeddd3f1e888102487a4e2dc1696ca222954a760297d45571f8d10d31

SHA512
eb8e3e8069ff847b9e8108ad1e9f7bd50aca541fc135fdd2ad440520439e5c856e8d413ea3ad8ba45dc6497ba20d8f881ed83a6b02d438f5d3940e5f47c4725c

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
348KB

MD5
41dd1b11942d8ba506cb0d684eb1c87b

SHA1
4913ed2f899c8c20964fb72d5b5d677e666f6c32

SHA256
bd72594711749a9e4f62baabfadfda5a434f7f38d199da6cc13ba774965f26f1

SHA512
3bb1a1362da1153184c7018cb17a24a58dab62b85a8453371625ce995a44f40b65c82523ef14c2198320220f36aafdade95c70eecf033dd095c3eada9dee5c34

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
6KB

MD5
87ac4effc3172b757daf7d189584e50d

SHA1
9c55dd901e1c35d98f70898640436a246a43c5e4

SHA256
21b6f7f9ebb5fae8c5de6610524c28cbd6583ff973c3ca11a420485359177c86

SHA512
8dc5a43145271d0a196d87680007e9cec73054b0c3b8e92837723ce0b666a20019bf1f2029ed96cd45f3a02c688f88b5f97af3edc25e92174c38040ead59eefe

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
257B

MD5
2afb72ff4eb694325bc55e2b0b2d5592

SHA1
ba1d4f70eaa44ce0e1856b9b43487279286f76c9

SHA256
41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

SHA512
5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
370B

MD5
b2ec2559e28da042f6baa8d4c4822ad5

SHA1
3bda8d045c2f8a6daeb7b59bf52295d5107bf819

SHA256
115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3

SHA512
11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
508e66e07e31905a64632a79c3cab783

SHA1
ad74dd749a2812b9057285ded1475a75219246fa

SHA256
3b156754e1717c8af7fe4c803bc65611c63e1793e4ca6c2f4092750cc406f8e9

SHA512
2976096580c714fb2eb7d35c9a331d03d86296aa4eb895d83b1d2f812adff28f476a32fca82c429edc8bf4bea9af3f3a305866f5a1ab3bbb4322edb73f9c8888

Download Submit
C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\VPN\Uninstall.exe

Filesize
192KB

MD5
dfbdb770e1978ed8be16217b71d088cd

SHA1
5bfdae715d9c66c4616a6b3d1e45e9661a36f2c0

SHA256
04d18ccd404a7b20e5ae3a17ca9a01be54f82b511e349379677e7e62aa6a68b9

SHA512
7d4801250d8449d3fcbf714351fe86d64201ad22ecbfaa91588046bb1ef88f22912a58689876ac7b1f94e83047920893b488589d14accf4570e5c116c667ef12

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
83ed77bfa8da5daebcc1234c2c5408e7

SHA1
15fa7d7062fb0da29478db231b49677ddd7fb6ea

SHA256
7ad515f08461f749448086013a4174416fb3e8cec3cfd9b4c12cbc2406695a06

SHA512
98a2283e7dd7c3a790a13a857c4b15676717b774f487f7a5b7daf3c864c57a617cd805073d61108e16b6834a1fc9c2eab13a3a6f84479c0efdcc1b759df6099d

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
a472197fc592db80b5563513ef9e0058

SHA1
4e7b6af578312e7e2f989c540b381e9222ec3d85

SHA256
c0c6d85de1838ec4f2ee1223150148aa801ba9d3d1970862f815a84609719c3c

SHA512
53ba24c54a03e4ff94f69443e1ea8ed26ca2622768a3765cde1d5efd0c5efea3a14393291e6105ba1ed3606c386e178498c999aa3a753a0f06c1f2693f64ee80

Download Submit
C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt

Filesize
4KB

MD5
92664552e5ad8fa484ada6fadbf31070

SHA1
317e98d90e760f4b1ddff4eee54876fd2208fa84

SHA256
67fd59e143bb2f186010c04730cf9fa785ed013361c54bea40150b8342b47262

SHA512
ffca06e6f5942221b4a72545f7ded7d3c769ab759051c653b9c9409d9e68f77917eab10d56bb6ba231ba06a34be93ffa831fcd283ca207e7ab756b974bfe0a1a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
748B

MD5
c28a65a036e1497a11075b7e254385e3

SHA1
10f4ab3e9d206a392b090d12beb18fde0fdf8d44

SHA256
6b5bc180687efae41f7d5db79e8950a27f91f20d2b2af4cdaf4015e2e8b81a33

SHA512
c658979f1a9bb01ec791ac9d6fdd3b561e9c593e26194133788698954eeb154ca4f2c63aee863f3fb8a54710963b3292b7c69ee7cb4dd03ac83f19131db183e5

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
c21915721886f4ea9ccfd09e6364d758

SHA1
1e6d41acf14bcb9b4024308bb0fa32e23ca136cf

SHA256
568163e187f1a6ac23526d636cc5691477d648c365223a641d5d3a64ddcfa6c1

SHA512
e32644f98ade412b87eaf749f1ff4d9eb9ffd691d9840b8a9321321c5dc8695f58a49c684ffbe053b5daf45a6d9f7d33433e8674d633038d7bcf365a8a58761a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
170218d5047320bb496e6682f9585a47

SHA1
5b84d4ad8ee8677f0f59bf30b05484ed3a254ca6

SHA256
e2aa2e3b62a5c735d62fa772040d2c0aa46695a7f24bbb9a2c2eba478fe2a5a1

SHA512
715a0fc55e5060744ba71cc4dbc3824da1aaf5f37cf8fe1df6b33601a9a138603415e4413cec09f06a280704b7869da7d7ab76fbe4ddd586e37892cb76c0e9f7

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
87ee01f3c79f10f12695a663db5a14d8

SHA1
c37c00cef047f221398dfffec2f84771744b0d71

SHA256
ca68a57040c2ad3ee35d2026ac9426070609cf05cffc9b7883b50e4af83f13d5

SHA512
436e349fd54c1b42ef28e82851221de476acc3d50f1cedc0101722ad967edae7b5d438fa074fb70446edf0b89baf550589376bd74bdfdda0379970b8103e7868

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
822B

MD5
968ed57aa758160e0e3effab850a63c8

SHA1
cd27efde6ba6dae234c097be367a1782bfc68b6c

SHA256
4eef851360f775508e121e581396cc79448b640806feff976e69525c7070715b

SHA512
70edfc73ce9816d40fef1b775525b97e2fd2d44b28f8feb0f77f27eefa92c8fdfab134ac53f9a19f8795ce6ca2107a21bd97953d691a5db8fcd22d7616c6f8fb

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
b0e73b49e168bb38ee338d6421c97216

SHA1
06771843015b7b6c2f52711de37ff311541ba4e9

SHA256
bfd2ebbcd31169401b9e42f8f61e229130ffca6fc85c299137112af0636eba1b

SHA512
0f0908056499e752b8fc4d78b2d22a17d47c541ed0e5147fc5f3e04b563333b5c9cd7f64effbf5208018652289d07a32bfb2aede3f730e844ce9b4ce9e996089

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
981f7cf91bca9cbfb915ac1992778898

SHA1
54346627d48c9ef8d2ea472c1780a6b4cd168e69

SHA256
92c188ca7d057db1d2e7e8a4535113573326562c1055f6fb030f6cdc18d0bd3f

SHA512
05ab7ef6c7f2fc983377cc3673776a3d1773356789d5a576d69c62442c59f762bd1d001c485a426e8dc2b3e3d51043b6e94e576f307b994d41024420d229b5ab

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
a9306e8c45bc8c955ea28cc07120da7e

SHA1
01a919ff2f7c409d8d1a3280aa11b86cdf411e61

SHA256
91692698ced836610d539b6adc718e45821c37aaf358d52d2c06a11a687b2369

SHA512
544835a8d5d10d675e7bb0553d4445dbb6fc6951bfb56d68638d339bf9843cde036d151429d821e3ab93d47dd3818a9780bd8bf5797e0c3d37db6d3f9b9096c6

Download Submit
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt

Filesize
1KB

MD5
5f664f9fd45c6b196d990fc797358e2c

SHA1
b6176412cb398df7162fef8e37d6ef5f955c403f

SHA256
591a86477d6f54adb813c71da4c516454932e87e90528b5ca716bbc98b9fadb0

SHA512
3a1fe83e9aef21bdcded803cf9a4abbd1ed0400adb0f3e669e44e1c53238d91312662870f7ae82208c8d426689fc3cac0ace1f9d8d5c01fcbcff86fca6db56c2

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

Filesize
5.4MB

MD5
f04f4966c7e48c9b31abe276cf69fb0b

SHA1
fa49ba218dd2e3c1b7f2e82996895d968ee5e7ae

SHA256
53996b97e78c61db51ce4cfd7e07e6a2a618c1418c3c0d58fa5e7a0d441b9aaa

SHA512
7c8bb803cc4d71e659e7e142221be2aea421a6ef6907ff6df75ec18a6e086325478f79e67f1adcc9ce9fd96e913e2a306f5285bc8a7b47f24fb324fe07457547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8e5d0142d128377049eac51d602f906b

SHA1
c6255e9e84badbfe017c3774096b5827ea4ebc8d

SHA256
9524e6b742366a4ab1d57d3c5876b3de1f532c12fe75fd2a8bc4cbdf36cd3c95

SHA512
62191f2f3e3a59ab08be4384c56e6ab5f799d243cac60cd6dec066ad160cc9bd0df0642bf87584412dbdcae575ccfa82841540ed9c9b20c1c53a7dec017fed69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
c0a341bc95af6b6e50db7a0d399c449b

SHA1
16fca580f8f08dadf4ca0043fc96e0ad12c95f87

SHA256
79231e28b6633b6236b91b16949f37d23cfffe783350c2ba00549a497395a5b1

SHA512
583d6b3e4a05d57d513234d3ad9d22f21e1ac883812070ea2088e480de0e6773c1d60f69dd8b2d817f37aa79ec984d9fc80a40d585fda78a6b9eec9428509261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
efd8c7111ab6ccc95416c8c60dab37f7

SHA1
e461aa34c7c8c7a5e7741bb02908ffae22a487e0

SHA256
d9771169d2aa04aedbec8b0caabe766659389a87406fa21250290748326ea9e5

SHA512
021759214cf5bc28fecf242a3fbc72adfea2a22abcc8f29f0c691ded9270a17d1c0b99be725e8922e1c769a2fc03583d0e9096ef8824242bf393b539f0cb1544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a8cccb87a4bc465c1165cadba678586a

SHA1
179e68ec71a61c325afe8c61d7598ed44dd59039

SHA256
41ab1c028dd6031dd633c5689641154ce77f08fb4d38c64d1cd379db7a2d209c

SHA512
707bee8f722b8770bcf63aa7e795032032eeb25409dddd4de8a07678bd1bda6634a04848f562fe1e015de025675869097f0cb43d45de5e3a27affa6bef04dce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ee68694cfacb93f7cf3c2244e3b7cec

SHA1
866b94134acb2bbb78ee7f3e753bf3cea8a36ec2

SHA256
3bc2efdb66fbde314008daab2240108839f8c31b0cd6fef96a07a767576aa30f

SHA512
6a1c4155ac36054118c58b3f03c8cce276ae3644c87a5464e607849400e1345a6d62c9446e0d997fdb25a7c0c6469e17109735e1e2f010f1be5bbf7bac0eb9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2fd8cc943583a529d723aefe45379c2d

SHA1
adace8415df758064cfaeeec250062c85c7d0820

SHA256
ab9cb42f40d6850a2f0d5c82ebddd5f9f50f0ce1656e03dcfbbde464a24d59ee

SHA512
0999a1164de1d26b2b9db3af3f73718df67d9e6f01267b6305607b9391074a67b672a7aed976a20d54771f00761fd817099b0b4d60abcbeb86a3405bcac8d40f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d4c4912f4c4433e53ebbb8cfb5685cb2

SHA1
40d378e4d0a277aab074858db5ed83ffcb2628be

SHA256
f277bd705e37df5e90b73e1b796873c0ecf1759269ce52e4a8f9f9cb3e7876fc

SHA512
b7606d1dce9d2ab8e1b07fa21f3f6c1e0b7397b973a07e01ed6cc9edbf610848d0e984659c1a717439ddb0f641fdafa2624de0cad2a54ade95c108fb44ef5a7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cf48e730b137f0725574b0a5cd242f94

SHA1
84acb3fb708bc42acc7af1b93eb613432c7eac71

SHA256
0d427cda7e246a497b408d8d0e08c437ba5c68fb48a67d9fb24b428b750d5f7e

SHA512
b6e6e7064f9d5cd585bbf7efaf640c3568078d45ab279a77d33fae313c54f60a53d1f5c648bbf439ac1aa4d96553f9e8bcbe10bb7360f18ea035c02955d09b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592ce2.TMP

Filesize
1KB

MD5
bedbce1e3878ae72fe59579ded45cb1f

SHA1
1c51ff9843e8784d207ca4b9b7288fad27e04db0

SHA256
04e5acccb19175ea4b3fb66c92f17f1f0c11d1e3c4fd1e1e8c349d4b3d6f3c50

SHA512
aeac0ba0eb82de91ba2b914b4694227bb45d95636f815e1889aa1f8340ee6c7cef077526b13e88bc545db782ea78c934e03b24a43ed3a33a6a7ae8ec6d2efdb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e46861dd1062c4e70afecb3743830765

SHA1
39eeb260b9da7db8b9971d22657984f87ab6a5a2

SHA256
da26471d08f6bd54893aacfb74ccd27a6c23218d6c4dd08bf829e3c86b10ce5f

SHA512
a2a1eca8f78cf58a6eb95bc25dabb1beb46db303dbe9c5ab040709e7747f8d50326708c220854b7d70eb90bd382ff04aebd03f1fb775f72ba22b873677ec00ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8311b76f156b6e9271951556ad286bd8

SHA1
32551d30e9717f7fb54f53364c5bb6a857ee526a

SHA256
2c3649d37f29a1d2549a2d3eeb988221daf66b95eca7efc94084cdb96234b57e

SHA512
22dcb61900e5650653de6ad3b6e6e06af74f00d79be11cf0cd37b7a7ee63ba4190016b45b88ee0f46e3d666e078c446169bee3bdae340ba955d8b7a441bbd18b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1251ad7700a82b0e70559f98baadae6d

SHA1
0e58c4f0923faf50e4cf343072faa6f5609988b6

SHA256
250cff54db76ab82ec28ebd56155b0178b7e9245dc74710ebd1394264597b1c1

SHA512
98fd2fa1f7feba7409b13ed3efafdf98466059e70c043ae811e7ada78322e9637abaa3a5a50f1334bc324216b8277bf39465f4ec4d3d597f074ae43f9459c567

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F0517B8\2ca8443c-30cf-44b1-a126-0b3458713758\UnifiedStub-installer.exe\assembly\dl3\1a87ce5a\705c13cf_be11db01\rsServiceController.DLL

Filesize
183KB

MD5
4f7ae47df297d7516157cb5ad40db383

SHA1
c95ad80d0ee6d162b6ab8926e3ac73ac5bd859a3

SHA256
e916df4415ae33f57455e3ea4166fbb8fbe99eeb93a3b9dcab9fe1def45e56ed

SHA512
4398652b53b8d8c8bac584f83d5869985d32fa123f0e976ef92f789b1f7116572a15d0bb02be3fbc80ed326cfb18eea80fec03ee20ed261e95daa4e91e61c65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F0517B8\2ca8443c-30cf-44b1-a126-0b3458713758\UnifiedStub-installer.exe\assembly\dl3\22aa1d2a\890e13cf_be11db01\rsJSON.DLL

Filesize
221KB

MD5
e3a81be145cb1dc99bb1c1d6231359e8

SHA1
e58f83a32fe4b524694d54c5e9ace358da9c0301

SHA256
ee938d09bf75fc3c77529ccd73f750f513a75431f5c764eca39fdbbc52312437

SHA512
349802735355aac566a1b0c6c779d6e29dfd1dc0123c375a87e44153ff353c3bfc272e37277c990d0b7e24502d999804e5929ddc596b86e209e6965ffb52f33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F0517B8\2ca8443c-30cf-44b1-a126-0b3458713758\UnifiedStub-installer.exe\assembly\dl3\8b4e17f4\f26004cf_be11db01\rsAtom.DLL

Filesize
171KB

MD5
de22fe744074c51cf3cf1128fcd349cb

SHA1
f74ecb333920e8f2785e9686e1a7cce0110ab206

SHA256
469f983f68db369448aa6f81fd998e3bf19af8bec023564c2012b1fcc5c40e4b

SHA512
5d3671dab9d6d1f40a9f8d27aeea0a45563898055532f6e1b558100bed182c69e09f1dfd76574cb4ed36d7d3bb6786eff891d54245d3fab4f2ade3fe8f540e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F0517B8\2ca8443c-30cf-44b1-a126-0b3458713758\UnifiedStub-installer.exe\assembly\dl3\afcc8dfa\af3613cf_be11db01\rsLogger.DLL

Filesize
183KB

MD5
54ff6dfafb1ee7d42f013834312eae41

SHA1
7f30c2ffb6c84725d90ce49ca07eb4e246f2b27b

SHA256
ef5ce90acf6eb5196b6ba4a24db00d17c83b4fbd4adfa1498b4df8ed3bf0bd0c

SHA512
271f1203ee1bacac805ab1ffa837cad3582c120cc2a1538610364d14ffb4704c7653f88a9f1cccf8d89a981caa90a866f9b95fb12ed9984a56310894e7aae2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F0517B8\Newtonsoft.Json.dll

Filesize
701KB

MD5
4f0f111120d0d8d4431974f70a1fdfe1

SHA1
b81833ac06afc6b76fb73c0857882f5f6d2a4326

SHA256
d043e6cde1f4d8396978cee2d41658b307be0ca4698c92333814505aa0ccab9a

SHA512
e123d2f9f707eb31741ef8615235e714a20c6d754a13a97d0414c46961c3676025633eb1f65881b2d6d808ec06a70459c860411d6dd300231847b01ed0ce9750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F0517B8\UnifiedStub-installer.exe

Filesize
1.0MB

MD5
493d5868e37861c6492f3ac509bed205

SHA1
1050a57cf1d2a375e78cc8da517439b57a408f09

SHA256
dc5bc92e51f06e9c66e3933d98dc8f8d217bc74b71f93d900e4d42b1fb5cc64f

SHA512
e7e37075a1c389e0cad24ce2c899e89c4970e52b3f465d372a7bc171587ed1ee7d4f0a6ba44ab40b18fdf0689f4e29dfdbccbabb07e0f004ef2f894cb20d995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F0517B8\rsAtom.dll

Filesize
169KB

MD5
dc15f01282dc0c87b1525f8792eaf34e

SHA1
ad4fdf68a8cffedde6e81954473dcd4293553a94

SHA256
cc036bcf74911fe5afb8e9fcc0d52b3f08b4961bcda4e50851eda4159b1c9998

SHA512
54ee7b7a638d0defcff3a80f0c87705647b722d3d177bc11e80bfe6062a41f138ef99fc8e4c42337b61c0407469ef684b704f710b8ead92b83a14f609f0bc078

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F0517B8\rsLogger.dll

Filesize
182KB

MD5
1cfc3fc56fe40842094c7506b165573a

SHA1
023b3b389fdfa7a9557623b2742f0f40e4784a5c

SHA256
187da6a5ab64c9b814ab8e1775554688ad3842c3f52f5f318291b9a37d846aa2

SHA512
6bd1ceaf12950d047a87fd2d9c1884c7ac6e45bd94f11be8df8144ddd3f71db096469d1c775cf1cb8bc7926f922e5a6676b759707053e2332aa66f86c951fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F0517B8\rsStubLib.dll

Filesize
271KB

MD5
3bcbeaab001f5d111d1db20039238753

SHA1
4a9c0048bbbf04aa9fe3dfb9ce3b959da5d960f8

SHA256
897131dd2f9d1e08d66ae407fe25618c8affb99b6da54378521bf4403421b01a

SHA512
de6cde3ad47e6f3982e089700f6184e147a61926f33ead4e2ff5b00926cfc55eb28be6f63eea53f7d15f555fd820453dd3211f0ba766cb3e939c14bb5e0cfc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\AVG_BRW.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\CheatEngine75.exe

Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\logo.png

Filesize
246KB

MD5
f3d1b8cd125a67bafe54b8f31dda1ccd

SHA1
1c6b6bf1e785ad80fc7e9131a1d7acbba88e8303

SHA256
21dfa1ff331794fcb921695134a3ba1174d03ee7f1e3d69f4b1a3581fccd2cdf

SHA512
c57d36daa20b1827b2f8f9f98c9fd4696579de0de43f9bbeef63a544561a5f50648cc69220d9e8049164df97cb4b2176963089e14d58a6369d490d8c04354401

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\prod0.exe

Filesize
32KB

MD5
e8053f7ce41e0a39e6f0f07af72e2987

SHA1
2ec3e4a71e8d0ccdcd4071d6184ed355966518b6

SHA256
db5b6a2c6216392fc9967450ccbec1c2f0692621edafba0fb206d0190d7efee0

SHA512
1b1b3c6abc61bf27884dfec4908771d454d4fdd8841baa70e6c0e27fd40d35d41f9c6ca64a81aab0b7994a21963a0fdac405e7915f607a0b44d5498a59126c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\prod1.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\prod1_extract\installer.exe

Filesize
24.4MB

MD5
1f33ef139e68dd3964151053787a95e9

SHA1
e8dc0eb54526fb427e7cb7ee6c8d0ad330ba97b8

SHA256
a3a8e3067c8c1aade62617b6882c3dddd6d681994346c957f85c22a073c725b6

SHA512
c2896443e41ad4adc6f86e7e73897213dacb2eee93e249ac01a348f40ba3c2b8ee16f2b029c6a681ea694338ff6ffd126e0147b4a1509bf8e34b8edf202fc46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\prod1_extract\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1BCJC.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-28NSE.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3ECB1.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8TAF1.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
349c57b17c961abbe59730d3cc5614b2

SHA1
32278b8621491e587a08f0764501b8b8314fd94c

SHA256
de28f1f10d5136dc5b30ccb73750559cca91720533717e9398ee45a44c75481b

SHA512
54d54d8b682c8cf9b06452a493e96307bfd9b8193f21e8eb5e89ad4420e1f6e066cf8bdeb70444ebcf2297520a4716ae1910124f21cab98e012f0fd19783c1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwaD58B.tmp

Filesize
161KB

MD5
662de59677aecac08c7f75f978c399da

SHA1
1f85d6be1fa846e4bc90f7a29540466cf3422d24

SHA256
1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb

SHA512
e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4B98.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4B98.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4B98.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4B98.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4B98.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4B98.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u05hkpgp.exe

Filesize
2.4MB

MD5
3f7713b1ae39ab0ada6e30297efc875d

SHA1
25f31c6f1598bbde3a73a6b7f3a1c5a510defea9

SHA256
6c5c5425a1d7fc1b4342e8dbaea02432f62bfa1ad2ed0d77425bb861d75c2aa0

SHA512
093cb170f64ff202de32198e70c252fe2d3e2724a0ae8f7d085f9ab6e28a36a71f69580ba7d34497ef8e7fe175936947d1a308c3725c5ace1f7e4fcd71a2ecc1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 714966.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\Downloads\f7d3212a-8c55-40d5-a6c1-a49f028d6b2a.tmp

Filesize
28.6MB

MD5
e703b8ac5b3601deebbf05843c9a4e97

SHA1
ab154e32099776e432b4d2c31366985f27950cf1

SHA256
fe6c0d8f90c9c74f2986fe169342e0a5319a3b1ffcf711b513f33db7e28e863a

SHA512
8280af1c2455b37c13de60f1d4a4ab26fe7d03bed7f874b074afb4ae365f2380aa71525e7e649e924347c38efd601dd3a6b7924f56aa6c09932f24b5c2f03c65

Download Submit
memory/796-288-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/796-255-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1480-5795-0x000001C55A690000-0x000001C55A6DA000-memory.dmp

Filesize
296KB

Download
memory/1480-5819-0x000001C575180000-0x000001C5753D8000-memory.dmp

Filesize
2.3MB

Download
memory/1480-5794-0x000001C55C3D0000-0x000001C55C3F8000-memory.dmp

Filesize
160KB

Download
memory/1480-5805-0x000001C55C4F0000-0x000001C55C534000-memory.dmp

Filesize
272KB

Download
memory/1480-5793-0x000001C55C490000-0x000001C55C4EA000-memory.dmp

Filesize
360KB

Download
memory/1480-5781-0x000001C55A690000-0x000001C55A6DA000-memory.dmp

Filesize
296KB

Download
memory/2292-5774-0x000002A29C6D0000-0x000002A29CA36000-memory.dmp

Filesize
3.4MB

Download
memory/2292-5777-0x000002A29C360000-0x000002A29C382000-memory.dmp

Filesize
136KB

Download
memory/2292-5776-0x000002A283B00000-0x000002A283B1A000-memory.dmp

Filesize
104KB

Download
memory/2292-5775-0x000002A29CA40000-0x000002A29CBBC000-memory.dmp

Filesize
1.5MB

Download
memory/3764-731-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3764-381-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3780-343-0x0000017674DA0000-0x0000017674DA8000-memory.dmp

Filesize
32KB

Download
memory/3780-344-0x0000017677800000-0x0000017677D28000-memory.dmp

Filesize
5.2MB

Download
memory/5060-521-0x000002BF6AB80000-0x000002BF6AC8C000-memory.dmp

Filesize
1.0MB

Download
memory/5060-5627-0x000002BF6DA60000-0x000002BF6DA9A000-memory.dmp

Filesize
232KB

Download
memory/5060-532-0x000002BF6D100000-0x000002BF6D122000-memory.dmp

Filesize
136KB

Download
memory/5060-531-0x000002BF6D300000-0x000002BF6D3B2000-memory.dmp

Filesize
712KB

Download
memory/5060-5670-0x000002BF6DA60000-0x000002BF6DA8E000-memory.dmp

Filesize
184KB

Download
memory/5060-6681-0x000002BF6C950000-0x000002BF6C99E000-memory.dmp

Filesize
312KB

Download
memory/5060-523-0x000002BF6D050000-0x000002BF6D096000-memory.dmp

Filesize
280KB

Download
memory/5060-3946-0x000002BF6DA00000-0x000002BF6DA58000-memory.dmp

Filesize
352KB

Download
memory/5060-5701-0x000002BF6DB40000-0x000002BF6DB70000-memory.dmp

Filesize
192KB

Download
memory/5060-3904-0x000002BF6D810000-0x000002BF6D860000-memory.dmp

Filesize
320KB

Download
memory/5060-717-0x000002BF6D620000-0x000002BF6D678000-memory.dmp

Filesize
352KB

Download
memory/5060-525-0x000002BF6D000000-0x000002BF6D030000-memory.dmp

Filesize
192KB

Download
memory/5060-535-0x000002BF6D2B0000-0x000002BF6D2DE000-memory.dmp

Filesize
184KB

Download
memory/5060-5640-0x000002BF6DA60000-0x000002BF6DA90000-memory.dmp

Filesize
192KB

Download
memory/5296-699-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5296-302-0x0000000004C40000-0x0000000004D80000-memory.dmp

Filesize
1.2MB

Download
memory/5296-376-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5296-320-0x0000000004C40000-0x0000000004D80000-memory.dmp

Filesize
1.2MB

Download
memory/5296-324-0x0000000004C40000-0x0000000004D80000-memory.dmp

Filesize
1.2MB

Download
memory/5296-287-0x0000000004C40000-0x0000000004D80000-memory.dmp

Filesize
1.2MB

Download
memory/5296-289-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5360-5986-0x0000019EC0A50000-0x0000019EC0A7E000-memory.dmp

Filesize
184KB

Download
memory/5360-5989-0x0000019ED93C0000-0x0000019ED9472000-memory.dmp

Filesize
712KB

Download
memory/5360-6111-0x0000019ED9A80000-0x0000019ED9A96000-memory.dmp

Filesize
88KB

Download
memory/5360-6107-0x0000019ED97C0000-0x0000019ED981E000-memory.dmp

Filesize
376KB

Download
memory/5360-6112-0x0000019ED94B0000-0x0000019ED94BA000-memory.dmp

Filesize
40KB

Download
memory/5360-6117-0x0000019EDAC70000-0x0000019EDAC78000-memory.dmp

Filesize
32KB

Download
memory/5360-6118-0x0000019EDAC90000-0x0000019EDAC9A000-memory.dmp

Filesize
40KB

Download
memory/5360-6041-0x0000019ED9AB0000-0x0000019ED9DA0000-memory.dmp

Filesize
2.9MB

Download
memory/5360-6149-0x0000019EDBDA0000-0x0000019EDBDA8000-memory.dmp

Filesize
32KB

Download
memory/5712-898-0x00007FF759410000-0x00007FF759420000-memory.dmp

Filesize
64KB

Download
memory/5712-788-0x00007FF70EDE0000-0x00007FF70EDF0000-memory.dmp

Filesize
64KB

Download
memory/5712-853-0x00007FF741E20000-0x00007FF741E30000-memory.dmp

Filesize
64KB

Download
memory/5712-889-0x00007FF759410000-0x00007FF759420000-memory.dmp

Filesize
64KB

Download
memory/5712-845-0x00007FF72BF50000-0x00007FF72BF60000-memory.dmp

Filesize
64KB

Download
memory/5712-748-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-734-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-887-0x00007FF759410000-0x00007FF759420000-memory.dmp

Filesize
64KB

Download
memory/5712-733-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-824-0x00007FF7261F0000-0x00007FF726200000-memory.dmp

Filesize
64KB

Download
memory/5712-865-0x00007FF759410000-0x00007FF759420000-memory.dmp

Filesize
64KB

Download
memory/5712-732-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-830-0x00007FF7261F0000-0x00007FF726200000-memory.dmp

Filesize
64KB

Download
memory/5712-836-0x00007FF7261F0000-0x00007FF726200000-memory.dmp

Filesize
64KB

Download
memory/5712-755-0x00007FF70EDE0000-0x00007FF70EDF0000-memory.dmp

Filesize
64KB

Download
memory/5712-718-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-725-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-726-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-727-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-719-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-713-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-852-0x00007FF741E20000-0x00007FF741E30000-memory.dmp

Filesize
64KB

Download
memory/5712-711-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-708-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-703-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-704-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-705-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-743-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-781-0x00007FF70EDE0000-0x00007FF70EDF0000-memory.dmp

Filesize
64KB

Download
memory/5712-822-0x00007FF7261F0000-0x00007FF726200000-memory.dmp

Filesize
64KB

Download
memory/5712-746-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-744-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-783-0x00007FF70EDE0000-0x00007FF70EDF0000-memory.dmp

Filesize
64KB

Download
memory/5712-806-0x00007FF7261F0000-0x00007FF726200000-memory.dmp

Filesize
64KB

Download
memory/5712-749-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-740-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-739-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-786-0x00007FF70EDE0000-0x00007FF70EDF0000-memory.dmp

Filesize
64KB

Download
memory/5712-738-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-706-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-737-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-793-0x00007FF70EDE0000-0x00007FF70EDF0000-memory.dmp

Filesize
64KB

Download
memory/5712-790-0x00007FF70EDE0000-0x00007FF70EDF0000-memory.dmp

Filesize
64KB

Download
memory/5712-828-0x00007FF7261F0000-0x00007FF726200000-memory.dmp

Filesize
64KB

Download
memory/5712-736-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-735-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-745-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-747-0x00007FF753820000-0x00007FF753830000-memory.dmp

Filesize
64KB

Download
memory/5712-787-0x00007FF70EDE0000-0x00007FF70EDF0000-memory.dmp

Filesize
64KB

Download
memory/7548-6363-0x000002D698AC0000-0x000002D698AE6000-memory.dmp

Filesize
152KB

Download
memory/7548-6388-0x000002D69A880000-0x000002D69A8AC000-memory.dmp

Filesize
176KB

Download
memory/7548-6413-0x000002D69A920000-0x000002D69A948000-memory.dmp

Filesize
160KB

Download
memory/7548-6415-0x000002D6B3260000-0x000002D6B32E4000-memory.dmp

Filesize
528KB

Download
memory/8084-5956-0x000001E497970000-0x000001E49799A000-memory.dmp

Filesize
168KB

Download
memory/8084-5953-0x000001E4B2100000-0x000001E4B22C0000-memory.dmp

Filesize
1.8MB

Download
memory/8084-5949-0x000001E497970000-0x000001E49799A000-memory.dmp

Filesize
168KB

Download
memory/8172-5738-0x000001AD247C0000-0x000001AD247EE000-memory.dmp

Filesize
184KB

Download
memory/8172-5752-0x000001AD3ED00000-0x000001AD3ED3C000-memory.dmp

Filesize
240KB

Download
memory/8172-5751-0x000001AD3ECA0000-0x000001AD3ECB2000-memory.dmp

Filesize
72KB

Download
memory/8172-5735-0x000001AD247C0000-0x000001AD247EE000-memory.dmp

Filesize
184KB

Download
memory/8260-6035-0x000002A0674E0000-0x000002A06751A000-memory.dmp

Filesize
232KB

Download
memory/8260-6106-0x000002A067BD0000-0x000002A067BFA000-memory.dmp

Filesize
168KB

Download
memory/8260-6103-0x000002A067B90000-0x000002A067BC4000-memory.dmp

Filesize
208KB

Download
memory/8260-6108-0x000002A067D80000-0x000002A067DE6000-memory.dmp

Filesize
408KB

Download
memory/8260-6102-0x000002A067C50000-0x000002A067D02000-memory.dmp

Filesize
712KB

Download
memory/8260-6036-0x000002A067400000-0x000002A067426000-memory.dmp

Filesize
152KB

Download
memory/8260-5990-0x000002A067E20000-0x000002A0680A6000-memory.dmp

Filesize
2.5MB

Download
memory/8260-6116-0x000002A069860000-0x000002A069E04000-memory.dmp

Filesize
5.6MB

Download
memory/8260-5991-0x000002A067430000-0x000002A067496000-memory.dmp

Filesize
408KB

Download
memory/8260-5987-0x000002A067820000-0x000002A067B89000-memory.dmp

Filesize
3.4MB

Download
memory/8260-5988-0x000002A067300000-0x000002A06734F000-memory.dmp

Filesize
316KB

Download
memory/8260-5985-0x000002A067360000-0x000002A0673BE000-memory.dmp

Filesize
376KB

Download
memory/8260-6136-0x000002A067D10000-0x000002A067D52000-memory.dmp

Filesize
264KB

Download
memory/8260-5984-0x000002A066950000-0x000002A066980000-memory.dmp

Filesize
192KB

Download
memory/8260-6148-0x000002A069530000-0x000002A0697B0000-memory.dmp

Filesize
2.5MB

Download
memory/8260-5970-0x000002A067570000-0x000002A067818000-memory.dmp

Filesize
2.7MB

Download
memory/8260-6159-0x000002A0681F0000-0x000002A068222000-memory.dmp

Filesize
200KB

Download
memory/8260-6168-0x000002A0674D0000-0x000002A0674D8000-memory.dmp

Filesize
32KB

Download
memory/8260-6169-0x000002A068230000-0x000002A068256000-memory.dmp

Filesize
152KB

Download
memory/8260-6185-0x000002A0693B0000-0x000002A0693D8000-memory.dmp

Filesize
160KB

Download
memory/8260-6211-0x000002A069410000-0x000002A069442000-memory.dmp

Filesize
200KB

Download
memory/8260-5969-0x000002A067260000-0x000002A067286000-memory.dmp

Filesize
152KB

Download
memory/8260-5955-0x000002A066C30000-0x000002A066C54000-memory.dmp

Filesize
144KB

Download
memory/8260-6232-0x000002A069480000-0x000002A0694AC000-memory.dmp

Filesize
176KB

Download
memory/8260-6242-0x000002A0697B0000-0x000002A069818000-memory.dmp

Filesize
416KB

Download
memory/8260-5954-0x000002A066C00000-0x000002A066C28000-memory.dmp

Filesize
160KB

Download
memory/8260-6248-0x000002A069E10000-0x000002A069E90000-memory.dmp

Filesize
512KB

Download
memory/8260-6258-0x000002A069E90000-0x000002A069F06000-memory.dmp

Filesize
472KB

Download
memory/8260-6270-0x000002A069F70000-0x000002A069FC4000-memory.dmp

Filesize
336KB

Download
memory/8260-6273-0x000002A069500000-0x000002A06952A000-memory.dmp

Filesize
168KB

Download
memory/8260-6342-0x000002A069F10000-0x000002A069F3C000-memory.dmp

Filesize
176KB

Download
memory/8260-6319-0x000002A069820000-0x000002A069854000-memory.dmp

Filesize
208KB

Download
memory/8260-6343-0x000002A06A150000-0x000002A06A2C6000-memory.dmp

Filesize
1.5MB

Download
memory/8260-6349-0x000002A069F40000-0x000002A069F6A000-memory.dmp

Filesize
168KB

Download
memory/8260-6352-0x000002A06A2D0000-0x000002A06A3D0000-memory.dmp

Filesize
1024KB

Download
memory/8260-6358-0x000002A06A030000-0x000002A06A084000-memory.dmp

Filesize
336KB

Download
memory/8260-6360-0x000002A069FD0000-0x000002A069FF8000-memory.dmp

Filesize
160KB

Download
memory/8260-6361-0x000002A06A000000-0x000002A06A028000-memory.dmp

Filesize
160KB

Download
memory/8260-5950-0x000002A066B80000-0x000002A066BAE000-memory.dmp

Filesize
184KB

Download
memory/8260-5844-0x000002A066BC0000-0x000002A066BF2000-memory.dmp

Filesize
200KB

Download
memory/8260-5828-0x000002A0671E0000-0x000002A067258000-memory.dmp

Filesize
480KB

Download
memory/8260-5827-0x000002A066B00000-0x000002A066B2A000-memory.dmp

Filesize
168KB

Download
memory/8260-5826-0x000002A067150000-0x000002A0671D8000-memory.dmp

Filesize
544KB

Download
memory/8260-6416-0x000002A067C40000-0x000002A067C48000-memory.dmp

Filesize
32KB

Download
memory/8260-6430-0x000002A06AE30000-0x000002A06AE54000-memory.dmp

Filesize
144KB

Download
memory/8260-5823-0x000002A066B40000-0x000002A066B78000-memory.dmp

Filesize
224KB

Download