8992a1084fe37504e9e52077a1c8a73e75634c94f4493803de269cb1c2aa884f

Analysis

max time kernel
68s
max time network
79s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine75(1).exe
Size

28.5MB
MD5

c3f786eb369833607a8445337350f644
SHA1

20954ddfa14a121a18dd0c123abc7486984dcf4b
SHA256

8992a1084fe37504e9e52077a1c8a73e75634c94f4493803de269cb1c2aa884f
SHA512

fb7f74dba06b001b5d6c303664e90474fe4178ee0dfd90fa07773b3a6ae72db0a5098a5764035687f5106e0501d47c53cc39374506db27333a582b08cad5dc4d
SSDEEP

786432:Ml3LNCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHCr:Ml3LMEXFhV0KAcNjxAItjU

Score

8^/10

discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3156	icacls.exe
4352	icacls.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Drops file in System32 directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\combase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\GDI32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\imm32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\winmm.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wintypes.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\sechost.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\SHLWAPI.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\user32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\dxcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shell32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\win32u.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\advapi32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ole32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\psapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\uxtheme.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\kernel.appcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	cheatengine-x86_64-SSE4-AVX2.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-0MPH6.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp1826514012\uimanager.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\jquery-3.6.0.min.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-de-DE.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\gdi32full.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sys\is-5ECEC.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\badassets\is-I9VS7.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\mcafee-logo-1.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\mcafee_pc_install_icon.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\emitter.js	ServiceHost.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\transport_ai.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-sstoast-toggle-rebranding.html	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sys\is-SGSSR.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-MRTM4.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp1826514012\jslang\wa-res-install-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-upsell-toast-wss.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-fr-CA.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\msvcrt.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files (x86)\WeatherZero\WeatherZero.exe.config	WZSetup.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa_logo_upsell.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\about-icon.png	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\d3dhook.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-SNV67.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ext-install-toast.png	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\ntdll.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\include\is-MRAOQ.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-it-IT.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\shcore.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-es-MX.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\include\is-S0TN7.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp1826514012\jquery-1.9.0.min.js	installer.exe
File created	C:\Program Files\McAfee\Temp1826514012\wa_logo.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\webadvisor_v2.mcafee.firefox.extension.json	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\updater.exe	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-cs-CZ.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\libmikmod64.dll	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp1826514012\wa-ui-install.js	installer.exe
File created	C:\Program Files\McAfee\Temp1826514012\jslang\wa-res-shared-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\Temp1826514012\jslang\wa-res-shared-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\servicehost.exe	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\tcc64-64.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\ss_logic.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\subscriptionstatus.luc	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\aviary_client.js	ServiceHost.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\dictionary.json	ServiceHost.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\version.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\is-0NGAB.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-SRP3Q.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\progress_tooltip_1.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\nps\wa-controller-nps-checklist.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fr-CA.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\psapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\msimg32.pdb	cheatengine-x86_64-SSE4-AVX2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467\comctl32.dll	cheatengine-x86_64-SSE4-AVX2.exe

Executes dropped EXE 27 IoCs

pid	Process
4456	CheatEngine75(1).tmp
2760	saBSI.exe
3872	OperaSetup.exe
1652	WZSetup.exe
736	setup.exe
2028	setup.exe
1824	CheatEngine75.exe
2084	setup.exe
4784	CheatEngine75.tmp
3284	setup.exe
3944	setup.exe
4688	_setup64.tmp
3316	WeatherZeroService.exe
1896	WeatherZeroService.exe
3808	WeatherZeroService.exe
3000	Kernelmoduleunloader.exe
1736	windowsrepair.exe
4016	installer.exe
904	installer.exe
1532	ServiceHost.exe
2344	Cheat Engine.exe
5172	cheatengine-x86_64-SSE4-AVX2.exe
5380	UIHost.exe
5968	Assistant_114.0.5282.21_Setup.exe_sfx.exe
4596	assistant_installer.exe
4732	assistant_installer.exe
5240	WeatherZero.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4112	sc.exe
4868	sc.exe

Loads dropped DLL 41 IoCs

pid	Process
4456	CheatEngine75(1).tmp
1652	WZSetup.exe
736	setup.exe
2028	setup.exe
2084	setup.exe
1652	WZSetup.exe
3284	setup.exe
3944	setup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
1652	WZSetup.exe
904	installer.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
5172	cheatengine-x86_64-SSE4-AVX2.exe
5172	cheatengine-x86_64-SSE4-AVX2.exe
5172	cheatengine-x86_64-SSE4-AVX2.exe
5172	cheatengine-x86_64-SSE4-AVX2.exe
5380	UIHost.exe
5172	cheatengine-x86_64-SSE4-AVX2.exe
5380	UIHost.exe
5172	cheatengine-x86_64-SSE4-AVX2.exe
5172	cheatengine-x86_64-SSE4-AVX2.exe
4596	assistant_installer.exe
4596	assistant_installer.exe
4732	assistant_installer.exe
4732	assistant_installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4268	4456	WerFault.exe	79
5160	4456	WerFault.exe	79

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saBSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WZSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kernelmoduleunloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZero.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat Engine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_114.0.5282.21_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75(1).tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x001c00000002aadb-139.dat	nsis_installer_1
behavioral1/files/0x001c00000002aadb-139.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75(1).tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75(1).tmp

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine75.tmp

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4456	CheatEngine75(1).tmp
4456	CheatEngine75(1).tmp
4456	CheatEngine75(1).tmp
4456	CheatEngine75(1).tmp
4456	CheatEngine75(1).tmp
4456	CheatEngine75(1).tmp
4456	CheatEngine75(1).tmp
4456	CheatEngine75(1).tmp
2760	saBSI.exe
2760	saBSI.exe
2760	saBSI.exe
2760	saBSI.exe
2760	saBSI.exe
2760	saBSI.exe
2760	saBSI.exe
2760	saBSI.exe
2760	saBSI.exe
2760	saBSI.exe
4784	CheatEngine75.tmp
4784	CheatEngine75.tmp
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe
1532	ServiceHost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeTcbPrivilege	3808	WeatherZeroService.exe
Token: SeDebugPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLoadDriverPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreateGlobalPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLockMemoryPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeSecurityPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTakeOwnershipPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeManageVolumePrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeBackupPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreatePagefilePrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeShutdownPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeRestorePrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	5172	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeIncBasePriorityPrivilege	5172	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4456	CheatEngine75(1).tmp
4784	CheatEngine75.tmp
5172	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4456	4440	CheatEngine75(1).exe	79
PID 4440 wrote to memory of 4456	4440	CheatEngine75(1).exe	79
PID 4440 wrote to memory of 4456	4440	CheatEngine75(1).exe	79
PID 4456 wrote to memory of 2760	4456	CheatEngine75(1).tmp	81
PID 4456 wrote to memory of 2760	4456	CheatEngine75(1).tmp	81
PID 4456 wrote to memory of 2760	4456	CheatEngine75(1).tmp	81
PID 4456 wrote to memory of 3872	4456	CheatEngine75(1).tmp	82
PID 4456 wrote to memory of 3872	4456	CheatEngine75(1).tmp	82
PID 4456 wrote to memory of 3872	4456	CheatEngine75(1).tmp	82
PID 4456 wrote to memory of 1652	4456	CheatEngine75(1).tmp	83
PID 4456 wrote to memory of 1652	4456	CheatEngine75(1).tmp	83
PID 4456 wrote to memory of 1652	4456	CheatEngine75(1).tmp	83
PID 3872 wrote to memory of 736	3872	OperaSetup.exe	84
PID 3872 wrote to memory of 736	3872	OperaSetup.exe	84
PID 3872 wrote to memory of 736	3872	OperaSetup.exe	84
PID 736 wrote to memory of 2028	736	setup.exe	85
PID 736 wrote to memory of 2028	736	setup.exe	85
PID 736 wrote to memory of 2028	736	setup.exe	85
PID 4456 wrote to memory of 1824	4456	CheatEngine75(1).tmp	86
PID 4456 wrote to memory of 1824	4456	CheatEngine75(1).tmp	86
PID 4456 wrote to memory of 1824	4456	CheatEngine75(1).tmp	86
PID 736 wrote to memory of 2084	736	setup.exe	87
PID 736 wrote to memory of 2084	736	setup.exe	87
PID 736 wrote to memory of 2084	736	setup.exe	87
PID 1824 wrote to memory of 4784	1824	CheatEngine75.exe	88
PID 1824 wrote to memory of 4784	1824	CheatEngine75.exe	88
PID 1824 wrote to memory of 4784	1824	CheatEngine75.exe	88
PID 4784 wrote to memory of 2976	4784	CheatEngine75.tmp	89
PID 4784 wrote to memory of 2976	4784	CheatEngine75.tmp	89
PID 2976 wrote to memory of 3956	2976	net.exe	91
PID 2976 wrote to memory of 3956	2976	net.exe	91
PID 736 wrote to memory of 3284	736	setup.exe	92
PID 736 wrote to memory of 3284	736	setup.exe	92
PID 736 wrote to memory of 3284	736	setup.exe	92
PID 3284 wrote to memory of 3944	3284	setup.exe	93
PID 3284 wrote to memory of 3944	3284	setup.exe	93
PID 3284 wrote to memory of 3944	3284	setup.exe	93
PID 4784 wrote to memory of 4268	4784	CheatEngine75.tmp	124
PID 4784 wrote to memory of 4268	4784	CheatEngine75.tmp	124
PID 4268 wrote to memory of 1020	4268	net.exe	96
PID 4268 wrote to memory of 1020	4268	net.exe	96
PID 4784 wrote to memory of 4868	4784	CheatEngine75.tmp	97
PID 4784 wrote to memory of 4868	4784	CheatEngine75.tmp	97
PID 4784 wrote to memory of 4112	4784	CheatEngine75.tmp	99
PID 4784 wrote to memory of 4112	4784	CheatEngine75.tmp	99
PID 4784 wrote to memory of 4688	4784	CheatEngine75.tmp	101
PID 4784 wrote to memory of 4688	4784	CheatEngine75.tmp	101
PID 4784 wrote to memory of 3156	4784	CheatEngine75.tmp	103
PID 4784 wrote to memory of 3156	4784	CheatEngine75.tmp	103
PID 1652 wrote to memory of 3316	1652	WZSetup.exe	105
PID 1652 wrote to memory of 3316	1652	WZSetup.exe	105
PID 1652 wrote to memory of 3316	1652	WZSetup.exe	105
PID 1652 wrote to memory of 1896	1652	WZSetup.exe	107
PID 1652 wrote to memory of 1896	1652	WZSetup.exe	107
PID 1652 wrote to memory of 1896	1652	WZSetup.exe	107
PID 4784 wrote to memory of 3000	4784	CheatEngine75.tmp	110
PID 4784 wrote to memory of 3000	4784	CheatEngine75.tmp	110
PID 4784 wrote to memory of 3000	4784	CheatEngine75.tmp	110
PID 4784 wrote to memory of 1736	4784	CheatEngine75.tmp	113
PID 4784 wrote to memory of 1736	4784	CheatEngine75.tmp	113
PID 4784 wrote to memory of 1736	4784	CheatEngine75.tmp	113
PID 2760 wrote to memory of 4016	2760	saBSI.exe	112
PID 2760 wrote to memory of 4016	2760	saBSI.exe	112
PID 4784 wrote to memory of 4352	4784	CheatEngine75.tmp	114

C:\Users\Admin\AppData\Local\Temp\CheatEngine75(1).exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75(1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\is-IP6V6.tmp\CheatEngine75(1).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IP6V6.tmp\CheatEngine75(1).tmp" /SL5="$70270,29027361,780800,C:\Users\Admin\AppData\Local\Temp\CheatEngine75(1).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod0_extract\saBSI.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod0_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod0_extract\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod0_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      PID:4016
    - - C:\Program Files\McAfee\Temp1826514012\installer.exe
        
        "C:\Program Files\McAfee\Temp1826514012\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:904
- - C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod1_extract\OperaSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod1_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Users\Admin\AppData\Local\Temp\7zS02FF95B7\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS02FF95B7\setup.exe --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a --server-tracking-blob=NmJlZGJlYTU4MGQwY2UwZDFiOTEyZjU2ZDEzNTRjOWVjYTY5ZTdmMjljMWMyMzcxM2VhZTBhMTIyMDEyMWFhNzp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInRpbWVzdGFtcCI6IjE3MzIwMTQwMTIuMTg3MSIsInVzZXJhZ2VudCI6InB5dGhvbi1yZXF1ZXN0cy8yLjMyLjMiLCJ1dG0iOnt9LCJ1dWlkIjoiZGM5MTY3MzctMjBjNy00ODFkLThhYjUtOTk2YTJlYTBlMWJjIn0=
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:736
    - - C:\Users\Admin\AppData\Local\Temp\7zS02FF95B7\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS02FF95B7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.185 --initial-client-data=0x330,0x334,0x338,0x32c,0x33c,0x71e8fb14,0x71e8fb20,0x71e8fb2c
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\7zS02FF95B7\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS02FF95B7\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=736 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20241121162009" --session-guid=409e914c-e0b9-414c-b9a8-1e5f2cc449ca --server-tracking-blob="NWMyMWNhMWM3ZjcxZDM1OTIwNDRiMmJiYzZlOTMzYTVlMGYyZjg2MjFjOTEyNGYyMjc3YTE3ZDY0N2UzNzRmOTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTczMjAxNDAxMi4xODcxIiwidXNlcmFnZW50IjoicHl0aG9uLXJlcXVlc3RzLzIuMzIuMyIsInV0bSI6eyJjYW1wYWlnbiI6Im9wZXJhX25ld19hIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiYWlzIn0sInV1aWQiOiJkYzkxNjczNy0yMGM3LTQ4MWQtOGFiNS05OTZhMmVhMGUxYmMifQ== " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C06000000000000
        5⤵
        Enumerates connected drives
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Users\Admin\AppData\Local\Temp\7zS02FF95B7\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS02FF95B7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.185 --initial-client-data=0x328,0x32c,0x33c,0x304,0x340,0x70e0fb14,0x70e0fb20,0x70e0fb2c
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411211620091\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411211620091\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5968
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411211620091\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411211620091\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411211620091\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411211620091\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x8117a0,0x8117ac,0x8117b8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4732
- - C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod2_extract\WZSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod2_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
      "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3316
  - - C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
      "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\CheatEngine75.exe
    "C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Users\Admin\AppData\Local\Temp\is-60LCU.tmp\CheatEngine75.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-60LCU.tmp\CheatEngine75.tmp" /SL5="$6004A,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        6⤵
        
        PID:3956
    - - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        6⤵
        
        PID:1020
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        5⤵
        Launches sc.exe
        
        PID:4868
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        5⤵
        Launches sc.exe
        
        PID:4112
    - - C:\Users\Admin\AppData\Local\Temp\is-D9DVC.tmp\_isetup\_setup64.tmp
        
        helper 105 0x3A8
        5⤵
        Executes dropped EXE
        
        PID:4688
    - - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        5⤵
        Modifies file permissions
        
        PID:3156
    - - C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3000
    - - C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        5⤵
        Executes dropped EXE
        
        PID:1736
    - - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        5⤵
        Modifies file permissions
        
        PID:4352
- - C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
    "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2344
  - - C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
      "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
      4⤵
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 2292
    3⤵
    - Program crash
    PID:4268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1672
    3⤵
    - Program crash
    PID:5160

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3808
- C:\Program Files (x86)\WeatherZero\WeatherZero.exe
  "C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /q=CCD826E47AD1C2C982AFDE521C99D6C7
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5240
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\swhryasi.cmdline"
    3⤵
    PID:1568
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E15.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7E14.tmp"
      4⤵
      PID:3844

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1532
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5380
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4456 -ip 4456
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4456 -ip 4456
1⤵
PID:1568

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe

Filesize
3.2MB

MD5
2b149ba4c21c66d34f19214d5a8d3067

SHA1
8e02148b86e4b0999e090667ef9b926a19b5ca7d

SHA256
95f0e021c978ddd88e2218a7467579255a5ae9552af2508c4243a4adec52d2b8

SHA512
c626f89bc01fdb659f4ee2cf86ba978f04e4bf0dec2624170c83c21d5ad29e20335566b1f7545d9badc4e47ca2ea90535c4cb08b4afa3457b72a5801053706d8

Download Submit
C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

Filesize
236KB

MD5
9af96706762298cf72df2a74213494c9

SHA1
4b5fd2f168380919524ecce77aa1be330fdef57a

SHA256
65fa2ccb3ac5400dd92dda5f640445a6e195da7c827107260f67624d3eb95e7d

SHA512
29a0619093c4c0ecf602c861ec819ef16550c0607df93067eaef4259a84fd7d40eb88cd5548c0b3b265f3ce5237b585f508fdd543fa281737be17c0551163bd4

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-i386.dll

Filesize
328KB

MD5
19d52868c3e0b609dbeb68ef81f381a9

SHA1
ce365bd4cf627a3849d7277bafbf2f5f56f496dc

SHA256
b96469b310ba59d1db320a337b3a8104db232a4344a47a8e5ae72f16cc7b1ff4

SHA512
5fbd53d761695de1dd6f0afd0964b33863764c89692345cab013c0b1b6332c24dcf766028f305cc87d864d17229d7a52bf19a299ca136a799053c368f21c8926

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll

Filesize
468KB

MD5
daa81711ad1f1b1f8d96dc926d502484

SHA1
7130b241e23bede2b1f812d95fdb4ed5eecadbfd

SHA256
8422be70e0ec59c962b35acf8ad80671bcc8330c9256e6e1ec5c07691388cd66

SHA512
9eaa8e04ad7359a30d5e2f9256f94c1643d4c3f3c0dff24d6cd9e31a6f88cb3b470dd98f01f8b0f57bb947adc3d45c35749ed4877c7cbbbcc181145f0c361065

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png

Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll

Filesize
124KB

MD5
5f1a333671bf167730ed5f70c2c18008

SHA1
c8233bbc6178ba646252c6566789b82a3296cab5

SHA256
fd2a2b4fe4504c56347c35f24d566cc0510e81706175395d0a2ba26a013c4daf

SHA512
6986d93e680b3776eb5700143fc35d60ca9dbbdf83498f8731c673f9fd77c8699a24a4849db2a273aa991b8289e4d6c3142bbde77e11f2faf603df43e8fea105

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook.dll

Filesize
119KB

MD5
2a2ebe526ace7eea5d58e416783d9087

SHA1
5dabe0f7586f351addc8afc5585ee9f70c99e6c4

SHA256
e2a7df4c380667431f4443d5e5fc43964b76c8fcb9cf4c7db921c4140b225b42

SHA512
94ed0038068abddd108f880df23422e21f9808ce04a0d14299aacc5d573521f52626c0c2752b314cda976f64de52c4d5bcac0158b37d43afb9bc345f31fdbbc0

Download Submit
C:\Program Files\Cheat Engine 7.5\is-D6TEP.tmp

Filesize
12.2MB

MD5
975978005568eaa452cce924c2256a43

SHA1
4e67760a5ef87971ae3a558668d23dd31a1e4408

SHA256
b48827776b40b317c0582df0bc2ac811b604e5e7525fde8187193d730b565318

SHA512
7acfa0b89881a7c0e65a357bb5e2f9ce7e3bb9fb947a289cafe90e4a8e71662bff7ce4e338f1752e083a4a49d159cb69a2058243a3dfd4b4975fe5eccaa659b7

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-32.dll

Filesize
157KB

MD5
df443813546abcef7f33dd9fc0c6070a

SHA1
635d2d453d48382824e44dd1e59d5c54d735ee2c

SHA256
d14911c838620251f7f64c190b04bb8f4e762318cc763d993c9179376228d8ca

SHA512
9f9bea9112d9db9bcecfc8e4800b7e8032efb240cbbddaf26c133b4ce12d27b47dc4e90bc339c561714bc972f6e809b2ec9c9e1facc6c223fbac66b089a14c25

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-64.dll

Filesize
182KB

MD5
4a3b7c52ef32d936e3167efc1e920ae6

SHA1
d5d8daa7a272547419132ddb6e666f7559dbac04

SHA256
26ede848dba071eb76c0c0ef8e9d8ad1c53dfab47ca9137abc9d683032f06ebb

SHA512
36d7f8a0a749de049a830cc8c8f0d3962d8dce57b445f5f3c771a86dd11aaa10da5f36f95e55d3dc90900e4dbddd0dcc21052c53aa11f939db691362c42e5312

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-i386.dll

Filesize
197KB

MD5
9f50134c8be9af59f371f607a6daa0b6

SHA1
6584b98172cbc4916a7e5ca8d5788493f85f24a7

SHA256
dd07117ed80546f23d37f8023e992de560a1f55a76d1eb6dfd9d55baa5e3dad6

SHA512
5ccafa2b0e2d20034168ee9a79e8efff64f12f5247f6772815ef4cb9ee56f245a06b088247222c5a3789ae2dcefadbc2c15df4ff5196028857f92b9992b094e0

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll

Filesize
260KB

MD5
dd71848b5bbd150e22e84238cf985af0

SHA1
35c7aa128d47710cfdb15bb6809a20dbd0f916d8

SHA256
253d18d0d835f482e6abbaf716855580eb8fe789292c937301e4d60ead29531d

SHA512
0cbf35c9d7b09fb57d8a9079eab726a3891393f12aee8b43e01d1d979509e755b74c0fb677f8f2dfab6b2e34a141f65d0cfbfe57bda0bf7482841ad31ace7790

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll

Filesize
200KB

MD5
6e00495955d4efaac2e1602eb47033ee

SHA1
95c2998d35adcf2814ec7c056bfbe0a0eb6a100c

SHA256
5e24a5fe17ec001cab7118328a4bff0f2577bd057206c6c886c3b7fb98e0d6d9

SHA512
2004d1def322b6dd7b129fe4fa7bbe5d42ab280b2e9e81de806f54313a7ed7231f71b62b6138ac767288fee796092f3397e5390e858e06e55a69b0d00f18b866

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-x86_64.dll

Filesize
256KB

MD5
19b2050b660a4f9fcb71c93853f2e79c

SHA1
5ffa886fa019fcd20008e8820a0939c09a62407a

SHA256
5421b570fbc1165d7794c08279e311672dc4f42cb7ae1cbddcd7eea0b1136fff

SHA512
a93e47387ab0d327b71c3045b3964c7586d0e03dddb2e692f6671fb99659e829591d5f23ce7a95683d82d239ba7d11fb5a123834629a53de5ce5dba6aa714a9a

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-i386.dll

Filesize
324KB

MD5
e9b5905d495a88adbc12c811785e72ec

SHA1
ca0546646986aab770c7cf2e723c736777802880

SHA256
3eb9cd27035d4193e32e271778643f3acb2ba73341d87fd8bb18d99af3dffdea

SHA512
4124180b118149c25f8ea8dbbb2912b4bd56b43f695bf0ff9c6ccc95ade388f1be7d440a791d49e4d5c9c350ea113cf65f839a3c47d705533716acc53dd038f8

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll

Filesize
413KB

MD5
8d487547f1664995e8c47ec2ca6d71fe

SHA1
d29255653ae831f298a54c6fa142fb64e984e802

SHA256
f50baf9dc3cd6b925758077ec85708db2712999b9027cc632f57d1e6c588df21

SHA512
79c230cfe8907df9da92607a2c1ace0523a36c3a13296cb0265329208edc453e293d7fbedbd5410decf81d20a7fe361fdebddadbc1dc63c96130b0bedf5b1d8a

Download Submit
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

Filesize
262KB

MD5
9a4d1b5154194ea0c42efebeb73f318f

SHA1
220f8af8b91d3c7b64140cbb5d9337d7ed277edb

SHA256
2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363

SHA512
6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-i386.dll

Filesize
201KB

MD5
de625af5cf4822db08035cc897f0b9f2

SHA1
4440b060c1fa070eb5d61ea9aadda11e4120d325

SHA256
3cdb85ee83ef12802efdfc9314e863d4696be70530b31e7958c185fc4d6a9b38

SHA512
19b22f43441e8bc72507be850a8154321c20b7351669d15af726145c0d34805c7df58f9dc64a29272a4811268308e503e9840f06e51ccdcb33afd61258339099

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll

Filesize
264KB

MD5
f9c562b838a3c0620fb6ee46b20b554c

SHA1
5095f54be57622730698b5c92c61b124dfb3b944

SHA256
e08b035d0a894d8bea64e67b1ed0bce27567d417eaaa133e8b231f8a939e581d

SHA512
a20bc9a442c698c264fef82aa743d9f3873227d7d55cb908e282fa1f5dcff6b40c5b9ca7802576ef2f5a753fd1c534e9be69464b29af8efec8b019814b875296

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
74KB

MD5
f228d54f9f96d109503d3bc2099be95a

SHA1
792b2e746a60da1421fe382de3b249b5a4e0f261

SHA256
c796fe516023a91228c2f53ad26e3d32424b7fa6f881779f4b95b23773dfccc0

SHA512
e651f9b9e4569429720712f5ee857ac6c97bc6cb133e420fbb92c952f1e8760772e69e0ada243595f9d4fa12a7ccddaedafb30fe4a93be981d7530961de7496e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
d1d706e720f64588cc3432ae10af822c

SHA1
222c42b372a4d6e9832fcc4198f745a48d22f805

SHA256
ee1257559179497f7b487731f43391d75eb905dff1dca1f7c4083bf9c5bb28fc

SHA512
5c9217a1e92ca8deff1f6ed1e2c04d9b03eaa9f75b1025fda7d9e16e1978b5bcd1d5f4025aa725be7a1d45686cdfea60fcc352613c195cbd3c77917f79b38fb0

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
748B

MD5
168b9bef2e012d798ea8aada5b00ce12

SHA1
f6b653c9e247975831f7b2616d692a991ea407c3

SHA256
84f4c10852954debdcc8667a2130b9f49dc6dab3cd0d2c874e337ddd2a6ee61d

SHA512
089b50c453968d533291f2dc8402cf573a7714707017c576489b9cf7cb092784652d2d3c00a32255fab9773c1e098811aad8a6305430f1daae4cdba2afaf65a8

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
96e1a308f9ad587f6464286297c876cf

SHA1
ba41ce0f56ee6a29a819c5956079ed305cd85882

SHA256
b05f32b4bdc4c6c6c992055124459234b9a5a85c0a143d649a237bb2451a68d5

SHA512
56078e3b4573b22b74a37ef084b6c441b64317861074b683bf533787617cbce2dbb729457b9189d832522bb7ee4e7a5c1b25485c3b056ea811f1586bc6015267

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
2311d37d7207a1fc47629998d690d422

SHA1
a335880fd1c15bd523d0ff910e5ddf0951089447

SHA256
beff96c24a1c2572b90e8b765a35d1ab1533959b973078212557116856d0f57e

SHA512
42dc462a7c5c8161c25c9031cd1381b88dec3ae69b937d9cdfc1b7c69eb7d9f3e3809f03853b25e77cdbb3119ff488c17b1f3d822264edabcffa97520e5d20e8

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
a1f5d710f9de2261727c7509d85299bb

SHA1
0c2a61f92e6fd8d085ee9165bc2b3f215a170f9c

SHA256
57f2932becfed2ffa7d2b213f268fbb527d9bd96dd94dd99bfd8ae3dce94e25d

SHA512
c07d5afa5e8b2efeb53bebfa32438beb62e9c06d3117385cd58fd3277bd51b56f53f70e9bb9465711c69b8bc999ebfe447a8cbeed941011ac35a7efc08868440

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
7KB

MD5
7736e03788e27cdaa8ce10991f12e371

SHA1
f98adf199e4edbe926a28bb30739f00d7b4a02e2

SHA256
e7374e5335d372b41b001c678d508516ffde2b6438b3018b914b190e5f0a7d81

SHA512
2a1d9046e4f5ec35eb9b24b34630eaf4e2b2ac3314a286ea357e39704b6df98ef19ad52e7c4d0b264fa1166d8e93301047ae13f832e91b766ca41fea1dee2677

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
9bb220b0f845967107e5835759c07269

SHA1
210d714084bfc6feb6b5edcafd0bdba739b226b8

SHA256
624fbf14126d8622ea96440e1d4a9473206139aaba4e69b42ac8275749ac3017

SHA512
fa72904390cfca5196f7999d5278f63446b44c4255a2a21788439f0166d2f27909c3c1830426031cea15065e20ec13bf7640c5e3e09dd464c887958a3fbad74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202411211620091\additional_file0.tmp

Filesize
2.7MB

MD5
be22df47dd4205f088dc18c1f4a308d3

SHA1
72acfd7d2461817450aabf2cf42874ab6019a1f7

SHA256
0eef85bccb5965037a5708216b3550792e46efdfdb99ac2396967d3de7a5e0c8

SHA512
833fc291aacecd3b2187a8cbd8e5be5b4d8884d86bd869d5e5019d727b94035a46bb56d7e7734403e088c2617506553a71a7184010447d1300d81667b99310c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS02FF95B7\setup.exe

Filesize
5.3MB

MD5
c13140d7a171a1fa5c97e6eca30b5e0e

SHA1
ef01a7da151d7a7f5d163238f3971fd38d6ef26e

SHA256
e524623280a21394bbc80b4b828d321ae52c51a2e525b5aab795d047b4cc282b

SHA512
fdbf981561b4b2f5c3db542b6ef663d5bb7861d9778b4b4a05c22678fa15ee466b9aeca93486d9a061505dcd0c68ac137e8cd007fccd2e0f5e3c8b88265cf85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_241121162008283736.dll

Filesize
4.8MB

MD5
8041aba8681b65aa3d51369aad8a152c

SHA1
b5c930d3623fdd1ec7be1b537ad52d14d8db0a67

SHA256
33aff26c9ea335abebbfcf2637f4c11500a09081b659153135d7c2ea6c8c48e6

SHA512
8c6930709ec72462755c4e9321bc5ae84040ceff08c8b142feeea2cf0c0b044562f92aeb6cf1b07fa1f0b0d13320a853fc6059addbaf4417db4510bb7438de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-60LCU.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D9DVC.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\CheatEngine75.exe

Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\Opera_new.png

Filesize
49KB

MD5
b3a9a687108aa8afed729061f8381aba

SHA1
9b415d9c128a08f62c3aa9ba580d39256711519a

SHA256
194b65c682a76dc04ce9b675c5ace45df2586cc5b76664263170b56af51c8aeb

SHA512
14d10df29a3bb575c40581949d7c00312de08bb42578b7335792c057b83ab2878d44c87042bbdb6ec8ceaf763b4fbd8f080a27866fe92a1baf81c4f06705a0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\WeatherZero.png

Filesize
29KB

MD5
9ac6287111cb2b272561781786c46cdd

SHA1
6b02f2307ec17d9325523af1d27a6cb386c8f543

SHA256
ab99cdb7d798cb7b7d8517584d546aa4ed54eca1b808de6d076710c8a400c8c4

SHA512
f998a4e0ce14b3898a72e0b8a3f7154fc87d2070badcfa98582e3b570ca83a562d5a0c95f999a4b396619db42ab6269a2bac47702597c5a2c37177441723d837

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\finish.png

Filesize
248KB

MD5
b24e872bd8f92295273197602aac8352

SHA1
2a9b0ebe62e21e9993aa5bfaaade14d2dda3b291

SHA256
41031efc4f7e322dc5ffacc94b9296fb28b9b922b1ce3b3da13bf659a5fd2985

SHA512
f08ac681abc4e0f6d7a1d1f2303169004e67c880f9353c0ed11dfab3eb511ddf841fa056f4090da8201c822c66ae55419c48cd87f11b9866feb46a3fe2c2af99

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\logo.png

Filesize
248KB

MD5
9cc8a637a7de5c9c101a3047c7fbbb33

SHA1
5e7b92e7ed3ca15d31a48ebe0297539368fff15c

SHA256
8c5c80bbc6b0fdb367eab1253517d8b156c85545a2d37d1ee4b78f3041d9b5db

SHA512
cf60556817dba2d7a39b72018f619b0dbea36fb227526943046b67d1ae501a96c838d6d5e3da64618592ac1e2fa14d4440baa91618aa66256f99ea2100a427b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod0.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod0_extract\installer.exe

Filesize
22.8MB

MD5
6c677d78bb106707c70b39ee3d23f828

SHA1
1e9c0e5bfe8773e6ef7f26d16418af0b14f14e32

SHA256
bf369f1388d8baf1ed6edf4b4b4a0858b4b38599b4d01fb5190788680c1ad1a8

SHA512
0319e8c8c939daeae44b7ca84c525ce8af9a5783169521e2800cb41ac1f2aced69119aa415eef40def146ee94e3f7163ceb698a96a7f20ad65006ef21093c06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod0_extract\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod1.zip

Filesize
2.1MB

MD5
2b1386b120edbf5648c4eb3686528dbe

SHA1
05bffc60f06771d31b066f2c4b7f7496c06396f6

SHA256
9b1565e147ca5ebaac6c6b9cd0d6c3fb81c7f64a94440dc9adccd2493ccf499f

SHA512
4f54076ff03f22a3d0f0db39bee04140b09acccd7db559dbb86857db7a40837957358ac0ab26d4ccbabca78e74acd23c3822bab8b966caacd788079d82f39b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod1_extract\OperaSetup.exe

Filesize
2.1MB

MD5
2426acd7b85dd978557bff83ad69bb60

SHA1
c06f98a477ded323b24e6b6cfc5e40a8b1e52421

SHA256
48277176cfb7ff9083b0a764e394081ec94c9dd3d4113066d7094ed87e43d865

SHA512
ca828db69db3499d7981615e6f15dc9f53d75201b3b9903cf6fb50b45616c8a7ca6a6717d66b137f68e540b26207f212df6df607a2506b866a778753a0c12ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod2.zip

Filesize
5.9MB

MD5
7cc0288a2a8bbe014f9e344f3068c8f1

SHA1
eb47d401ae30a308dd66bdcafde06cdd35e25c94

SHA256
200e9bc4fcf2c6682ddc8c7f172a0d02befecd25ca882f66c6abc868a54b8975

SHA512
869f0a01ef0bcbbfc501c1786e14bffeaa2daaa00210c312874fc67a724c77ef61394bb5854b9a02af654cd045c4d39ae30d73f1b4ec8aa9e531dfeea1714476

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\prod2_extract\WZSetup.exe

Filesize
6.0MB

MD5
3c17f28cc001f6652377d3b5deec10f0

SHA1
eeb13cf47836ff0a0d5cc380618f33e7818f9d75

SHA256
fa352552306b80f3f897f8f21d8579ae642c97d12298e113ae1adc03902c69b8

SHA512
240b31f29d439c09a56d3bf8d4a3ea14f75c2286e209e7df3f4ff301bfa3ad8228d7bebe01acea6f2f702a0ba7ecdb5583b97372725c77ef497e749740f644b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH281.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
3037e3d5409fb6a697f12addb01ba99b

SHA1
5d80d1c9811bdf8a6ce8751061e21f4af532f036

SHA256
a860bd74595430802f4e2e7ad8fd1d31d3da3b0c9faf17ad4641035181a5ce9e

SHA512
80a78a5d18afc83ba96264638820d9eed3dae9c7fc596312ac56f7e0ba97976647f27bd86ea586524b16176280bd26daed64a3d126c3454a191b0adc2bc4e35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IP6V6.tmp\CheatEngine75(1).tmp

Filesize
2.9MB

MD5
3e67c7ea104a3f19a13269c11b8a6bb8

SHA1
f66ad8f369e6ed09f61f94111da48bd34fcfb19c

SHA256
fb1e46662654e993800329cf196d5bb786b19a843569594e0dbf66325629fbcf

SHA512
b2518da5b057802974b1df48597e521f4e7bc18c1827b81124d73b98a1f182c66df5452ad8e1f9502a1bfdf85a4def878c5a3a02473e1904d5bf852abf67b8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF79F.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF79F.tmp\WeatherZeroNSISPlugin.dll

Filesize
695KB

MD5
2eaf88651d6de968bf14ec9db52fd3b5

SHA1
1c37626526572fdb6378aa4bedbf7b941886a9a1

SHA256
070190292df544da87f84dc8cf8ecc0a0337085a3fe744fa60ce00a6879b6146

SHA512
15754a8f097f9c8d7bda65fb881720af5e4c4db1e35f555563b9bafe6426a6a0e50953a47f628fe3dc0f461e48abbf77db7c997902ff483cf33396d0d8e2cd17

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
606bab351db02699f793e32d348e1b1c

SHA1
f83d2b540865e8c6939eb35d4d681ca6b68c3ef2

SHA256
896032686c5313684cf25309f81a4b8bcc1a5142f314d6ee96d17e7c8f838073

SHA512
d7583445273a152617c456b98a84c987382894be57ee9e51d1abf0ab4b0d204cbd3d7e812e6e676ab1cd731ea70845f8077d9176aa2d95711d52372ef1794bae

Download Submit
memory/904-1107-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1180-0x00007FF6255A0000-0x00007FF6255B0000-memory.dmp

Filesize
64KB

Download
memory/904-1091-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1092-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1095-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1096-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1098-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1099-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1105-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1106-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1108-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1109-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1110-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1094-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1093-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1097-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1104-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1112-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1111-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1118-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1117-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1146-0x00007FF657000000-0x00007FF657010000-memory.dmp

Filesize
64KB

Download
memory/904-1246-0x00007FF6255A0000-0x00007FF6255B0000-memory.dmp

Filesize
64KB

Download
memory/904-1244-0x00007FF6255A0000-0x00007FF6255B0000-memory.dmp

Filesize
64KB

Download
memory/904-1237-0x00007FF65E520000-0x00007FF65E530000-memory.dmp

Filesize
64KB

Download
memory/904-1235-0x00007FF65E520000-0x00007FF65E530000-memory.dmp

Filesize
64KB

Download
memory/904-1234-0x00007FF65E520000-0x00007FF65E530000-memory.dmp

Filesize
64KB

Download
memory/904-1231-0x00007FF6255A0000-0x00007FF6255B0000-memory.dmp

Filesize
64KB

Download
memory/904-1227-0x00007FF65E520000-0x00007FF65E530000-memory.dmp

Filesize
64KB

Download
memory/904-1218-0x00007FF6255A0000-0x00007FF6255B0000-memory.dmp

Filesize
64KB

Download
memory/904-1217-0x00007FF6255A0000-0x00007FF6255B0000-memory.dmp

Filesize
64KB

Download
memory/904-1211-0x00007FF65E520000-0x00007FF65E530000-memory.dmp

Filesize
64KB

Download
memory/904-1185-0x00007FF644F30000-0x00007FF644F40000-memory.dmp

Filesize
64KB

Download
memory/904-1113-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1139-0x00007FF60C1A0000-0x00007FF60C1B0000-memory.dmp

Filesize
64KB

Download
memory/904-1224-0x00007FF65E520000-0x00007FF65E530000-memory.dmp

Filesize
64KB

Download
memory/904-1125-0x00007FF65E520000-0x00007FF65E530000-memory.dmp

Filesize
64KB

Download
memory/904-1160-0x00007FF6255A0000-0x00007FF6255B0000-memory.dmp

Filesize
64KB

Download
memory/904-1116-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1115-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/904-1114-0x00007FF63B920000-0x00007FF63B930000-memory.dmp

Filesize
64KB

Download
memory/1640-2603-0x000000001AF90000-0x000000001B0C6000-memory.dmp

Filesize
1.2MB

Download
memory/1640-2602-0x000000001A920000-0x000000001ACF4000-memory.dmp

Filesize
3.8MB

Download
memory/1640-2601-0x0000000001190000-0x00000000011B0000-memory.dmp

Filesize
128KB

Download
memory/1824-1090-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1824-299-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1824-171-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4440-27-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4440-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4440-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4456-46-0x0000000002EF0000-0x0000000003030000-memory.dmp

Filesize
1.2MB

Download
memory/4456-25-0x0000000002EF0000-0x0000000003030000-memory.dmp

Filesize
1.2MB

Download
memory/4456-39-0x0000000002EF0000-0x0000000003030000-memory.dmp

Filesize
1.2MB

Download
memory/4456-42-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-40-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-28-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-149-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-34-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-26-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-35-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-33-0x0000000002EF0000-0x0000000003030000-memory.dmp

Filesize
1.2MB

Download
memory/4456-6-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-47-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-2530-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-298-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4456-1103-0x0000000002EF0000-0x0000000003030000-memory.dmp

Filesize
1.2MB

Download
memory/4784-1086-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4784-300-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download