Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe
Analysis ID:	1483536
MD5:	28a85ba5396fcfa8a5f794f04dce35e4
SHA1:	c730d730e167d68a41a8382823c181ff9a75a891
SHA256:	d77fbaa35585f25de3f492e4e3d0bfa6f0f73b053fd6a64058766fef75eca04e
Tags:	exe
Infos:

Detection

PureLog Stealer

Score:	46
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	51
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Submitted sample is a known malware sample

.NET source code contains method to dynamically call methods (often used by packers)

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs Task Scheduler Managed Wrapper

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Generic Downloader

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses net.exe to stop services

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

query blbeacon for getting browser version

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe (PID: 7764 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe" MD5: 28A85BA5396FCFA8A5F794F04DCE35E4)

SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp (PID: 7824 cmdline: "C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp" /SL5="$20462,29086952,780800,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe" MD5: C47A946F3D41363C77CA4C719516E49B)

prod0.exe (PID: 7188 cmdline: "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true MD5: 36D1B7C42C37FF8217B07851D0C4C39A)

3yq4abxg.exe (PID: 5828 cmdline: "C:\Users\user\AppData\Local\Temp\3yq4abxg.exe" /silent MD5: 70FD2613E8171383FCB917E2F22B71A2)

UnifiedStub-installer.exe (PID: 7656 cmdline: .\UnifiedStub-installer.exe /silent MD5: C7FE1EB6A82B9FFAAF8DCA0D86DEF7CA)

rsSyncSvc.exe (PID: 3820 cmdline: "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10 MD5: CC7167823D2D6D25E121FC437AE6A596)

conhost.exe (PID: 4300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

saBSI.exe (PID: 7404 cmdline: "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US MD5: 143255618462A577DE27286A272584E1)

WZSetup.exe (PID: 7584 cmdline: "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123 MD5: 3C17F28CC001F6652377D3B5DEEC10F0)

WeatherZeroService.exe (PID: 7776 cmdline: "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install MD5: 2B149BA4C21C66D34F19214D5A8D3067)

conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WeatherZeroService.exe (PID: 2756 cmdline: "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent MD5: 2B149BA4C21C66D34F19214D5A8D3067)

conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CheatEngine75.exe (PID: 2564 cmdline: "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST MD5: E0F666FE4FF537FB8587CCD215E41E5F)

CheatEngine75.tmp (PID: 5672 cmdline: "C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp" /SL5="$901D6,26511452,832512,C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST MD5: 9AA2ACD4C96F8BA03BB6C3EA806D806F)

net.exe (PID: 1564 cmdline: "net" stop BadlionAntic MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5488 cmdline: C:\Windows\system32\net1 stop BadlionAntic MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

net.exe (PID: 1928 cmdline: "net" stop BadlionAnticheat MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2080 cmdline: C:\Windows\system32\net1 stop BadlionAnticheat MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

sc.exe (PID: 2288 cmdline: "sc" delete BadlionAntic MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2852 cmdline: "sc" delete BadlionAnticheat MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

_setup64.tmp (PID: 3456 cmdline: helper 105 0x44C MD5: E4211D6D009757C078A9FAC7FF4F03D4)

conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 4640 cmdline: "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX) MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Kernelmoduleunloader.exe (PID: 4700 cmdline: "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP MD5: 9AF96706762298CF72DF2A74213494C9)

windowsrepair.exe (PID: 5376 cmdline: "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s MD5: 9A4D1B5154194EA0C42EFEBEB73F318F)

icacls.exe (PID: 4216 cmdline: "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX) MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 1668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Cheat Engine.exe (PID: 416 cmdline: "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe" MD5: F921416197C2AE407D53BA5712C3930A)

cheatengine-x86_64-SSE4-AVX2.exe (PID: 4256 cmdline: "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe" MD5: 910DE25BD63B5DA521FC0B598920C4EC)

rsSyncSvc.exe (PID: 4536 cmdline: "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10 MD5: CC7167823D2D6D25E121FC437AE6A596)

Uninstall.exe (PID: 7804 cmdline: "C:\Program Files\ReasonLabs\EPP\Uninstall.exe" /auto-repair=UnifiedStub MD5: 8157D03D4CD74D7DF9F49555A04F4272)

Stub.exe (PID: 7800 cmdline: "C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe" /products=epp /auto-repair=UnifiedStub MD5: 70FD2613E8171383FCB917E2F22B71A2)

UnifiedStub-installer.exe (PID: 7380 cmdline: .\UnifiedStub-installer.exe /products=epp /auto-repair=UnifiedStub MD5: C7FE1EB6A82B9FFAAF8DCA0D86DEF7CA)

Stub.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Local\Temp\Stub.exe" /products=epp /auto-repair=UnifiedStub MD5: 70FD2613E8171383FCB917E2F22B71A2)

WeatherZeroService.exe (PID: 6924 cmdline: "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" MD5: 2B149BA4C21C66D34F19214D5A8D3067)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsTime.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsAtom.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsAtom.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsLogger.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsDatabase.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\WeatherZero\WeatherZero.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsAtom.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsDatabase.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsJSON.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsJSON.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsLogger.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsJSON.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsTime.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsTime.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsDatabase.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsLogger.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 11 entries

Memory Dumps

Source	Rule	Description	Author
0000002D.00000002.2185072195.000001FA16D82000.00000002.00000001.01000000.0000002A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000002D.00000002.2186104264.000001FA16E9D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3319865235.0000019B4C9D2000.00000002.00000001.01000000.00000031.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.3282773301.0000019B32872000.00000002.00000001.01000000.00000030.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000031.00000003.2235185447.0000000002E40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: cheatengine-x86_64-SSE4-AVX2.exe PID: 4256	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
32.3.Stub.exe.2ea9f48.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
49.3.Stub.exe.2ee1058.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.UnifiedStub-installer.exe.19b4c9d0000.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.UnifiedStub-installer.exe.19b32870000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.3yq4abxg.exe.2ee1058.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.3yq4abxg.exe.2eb9f48.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
45.2.UnifiedStub-installer.exe.1fa16d80000.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
32.3.Stub.exe.2ed1058.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
49.3.Stub.exe.2eb9f48.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
49.3.Stub.exe.2e64ca4.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.3yq4abxg.exe.2ee1058.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
49.3.Stub.exe.2eb9f48.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
49.3.Stub.exe.2eb9f48.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.3yq4abxg.exe.2eb9f48.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.3.3yq4abxg.exe.2eb9f48.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
32.3.Stub.exe.2ea9f48.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
32.3.Stub.exe.2ea9f48.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
32.3.Stub.exe.2ed1058.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
49.3.Stub.exe.2ee1058.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
32.3.Stub.exe.2e54ca4.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
49.3.Stub.exe.2e40000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.3yq4abxg.exe.2e64ca4.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.3yq4abxg.exe.2e40000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
32.3.Stub.exe.2e30000.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "net" stop BadlionAntic, CommandLine: "net" stop BadlionAntic, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp" /SL5="$901D6,26511452,832512,C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST, ParentImage: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp, ParentProcessId: 5672, ParentProcessName: CheatEngine75.tmp, ProcessCommandLine: "net" stop BadlionAntic, ProcessId: 1564, ProcessName: net.exe

Sigma detected: Stop Windows Service Via Net.EXE

Source: Process started

Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "net" stop BadlionAntic, CommandLine: "net" stop BadlionAntic, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp" /SL5="$901D6,26511452,832512,C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST, ParentImage: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp, ParentProcessId: 5672, ParentProcessName: CheatEngine75.tmp, ProcessCommandLine: "net" stop BadlionAntic, ProcessId: 1564, ProcessName: net.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.8

Timestamp:	2024-07-28T00:42:46.302134+0200
SID:	2022930
Source Port:	443
Destination Port:	49746
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.8 - Destination IP: 18.173.206.112

Timestamp:	2024-07-28T00:42:05.132066+0200
SID:	2053283
Source Port:	49713
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.8 - Destination IP: 146.185.153.16

Timestamp:	2024-07-28T00:43:08.257538+0200
SID:	2803305
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.8 - Destination IP: 146.185.153.16

Timestamp:	2024-07-28T00:43:07.054429+0200
SID:	2803305
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.8 - Destination IP: 18.173.206.112

Timestamp:	2024-07-28T00:41:56.746449+0200
SID:	2053283
Source Port:	49707
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.8 - Destination IP: 18.173.206.112

Timestamp:	2024-07-28T00:42:36.134525+0200
SID:	2053283
Source Port:	49728
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.8 - Destination IP: 18.173.206.112

Timestamp:	2024-07-28T00:42:03.851118+0200
SID:	2053283
Source Port:	49712
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.8 - Destination IP: 18.173.206.112

Timestamp:	2024-07-28T00:42:00.673154+0200
SID:	2053283
Source Port:	49710
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.8 - Destination IP: 18.173.206.112

Timestamp:	2024-07-28T00:42:34.298833+0200
SID:	2053283
Source Port:	49725
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.8 - Destination IP: 18.173.206.112

Timestamp:	2024-07-28T00:42:31.158635+0200
SID:	2053283
Source Port:	49723
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.8

Timestamp:	2024-07-28T00:42:08.010918+0200
SID:	2022930
Source Port:	443
Destination Port:	49715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.8 - Destination IP: 18.173.206.112

Timestamp:	2024-07-28T00:42:54.309052+0200
SID:	2053283
Source Port:	49750
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET ADWARE_PUP Win32/OfferCore Checkin M2 - Source IP: 192.168.2.8 - Destination IP: 18.173.206.112

Timestamp:	2024-07-28T00:42:02.064048+0200
SID:	2053283
Source Port:	49711
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.8 - Destination IP: 104.20.94.94

Timestamp:	2024-07-28T00:43:12.900165+0200
SID:	2803274
Source Port:	49763
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.8 - Destination IP: 104.20.94.94

Timestamp:	2024-07-28T00:43:11.985969+0200
SID:	2803274
Source Port:	49761
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET ADWARE_PUP Win32/OfferCore Checkin M1 - Source IP: 192.168.2.8 - Destination IP: 18.173.206.112

Timestamp:	2024-07-28T00:41:55.357573+0200
SID:	2053280
Source Port:	49706
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

ReversingLabs: Detection: 47%

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F314F0 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CryptMsgGetParam,CertFreeCRLContext,CertFreeCRLContext,	5_2_00F314F0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F317A0 CryptQueryObject,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CryptQueryObject,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,	5_2_00F317A0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EE5870 GetCurrentProcessId,GetCurrentThreadId,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CreateFileW,CreateFileW,UuidCreate,UuidCreate,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	5_2_00EE5870
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EE6220 GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,	5_2_00EE6220
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F1E610 CryptMsgClose,	5_2_00F1E610
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EE67B0 GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,	5_2_00EE67B0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F1EB60 CryptQueryObject,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptQueryObject,CryptMsgClose,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CryptMsgClose,CertCloseStore,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,CryptMsgClose,CertCloseStore,	5_2_00F1EB60
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F1F150 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CertFreeCRLContext,	5_2_00F1F150
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F1F3C0 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,CertGetSubjectCertificateFromStore,CertGetNameStringW,CertGetNameStringW,CertGetCertificateChain,CertFreeCertificateChain,CertFreeCertificateChain,CertVerifyCertificateChainPolicy,CertFreeCertificateChain,CertFreeCRLContext,CertFreeCRLContext,	5_2_00F1F3C0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824D14A0 CryptQueryObject,GetLastError,CryptMsgGetParam,GetLastError,LocalAlloc,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,CertGetNameStringW,CertGetNameStringW,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,	25_2_00007FF7824D14A0

Compliance

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Creates a directory in C:\Program Files

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Stub
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-1U45L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-KLETU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-MV96K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-1HAUB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-04JI4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-R767B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-APHCK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-UJMF9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-OUQ5Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win32
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win32\is-OH84O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win64
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win64\is-F9V6M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win32\is-A3GKJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win64\is-356FE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win32\is-7KKVU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win64\is-HNC5I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-SBH22.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-VP6HP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-AJB6K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-4H8E2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-IM0FE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-TTU3J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-JBLAJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-PP0OR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-OQMOE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-7TSFI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-RKO1I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-8G4IN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-A5OSQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-7DIKH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-FC05A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-ERBSE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-27N0B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-LR956.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-L3GJI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-AATAN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-RUAAP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-MRM89.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-81GE3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-7NK6B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-76J7R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib\lib
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib\lib\is-23JOJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib\is-V0OQK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib\is-K56C1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib\is-47N79.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-9UL4R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-4232T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-0PACH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-S6USS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-KITFQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-7UMKO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-INTCK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-MKK0B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-51LG7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-5BN1Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-0K952.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-J1VDF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-PL1GR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-EUHVU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-77A2I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-MG740.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-DANGD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-C2D8P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-6QL5T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-48C7L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-HBL1M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-FEKQ6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-2OU3Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-1C906.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-T0LBE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-RE8LQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-4IT51.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-AGEPC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-OK78B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-F8B1F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-C9L6B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-BF42V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-HH378.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-0PE6T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-VDPOG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-G42GM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-CE1AR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-EE2JR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-G3L07.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-E1KQ9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-JMF9S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-SE4Q2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-TSDM9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-EEKRH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-706F4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-P9BF9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-PKD7D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-7T9K6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-PU1PA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-CKLD9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-U65KB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-VB57V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-MVJR7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-S8NHP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\sys
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\sys\is-N2NHS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-FQ2UK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-4DSRI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-QHAUI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-MUO8O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-0I53U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-GL0L4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-PTQPB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-74NLM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-OSJ7L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\tcc
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\tcc\is-JASML.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-92IBT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-1S69F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-97NTF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-P2U2R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-2RB3V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-GLR8Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-93UT7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-MUNGH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-5UQJA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-GCQCF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-H9J2J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-BBNAD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-FJ0FL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-4CQ17.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-1NSDB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-PTTF7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-SIKIP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-AD97Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-ASU18.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-NNHHO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-SJKQD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-8HLKV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-PMK62.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-5DOON.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-AUJ8A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-MUHHF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-DSI7G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-SQBUT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-87427.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-EJPQ1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-A30LA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-VADJ1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-OLBHT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-ERRVD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-L6R39.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-QPVNS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-IGC53.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-IVS6D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-CIE95.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-2CQ46.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-FPKDI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-PGR7M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-EBM2L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-0K02L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-V9D11.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-6LSG2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-BQRFH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-GGMI4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-NS6P9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-JFC09.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-QQIJI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-J3Q59.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-Q18K1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-2V4D2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-60OMG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-UQL2S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-IPTJ2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-V5KV6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-3GI42.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-E8L5M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-RQ2S3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-747JC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\forms
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\forms\is-158C0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-RU1SE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-RPLOS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-VK6QC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\images
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\images\is-U6823.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\images\is-0BI9T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-J71N7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-033OV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-HJUU2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-G334Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-8AE8P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-T3S7T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-4TPRM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-V5CNU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-EAD3D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\forms\is-Q50JT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\forms\is-IH2QN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-NCP20.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-B180O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-JRPTO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-VGUUS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-N4PLP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-6JEUL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-SKFQ5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-G7CFT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-LUTQ1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-ON5UP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-CNEHS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-UV0PJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-KK89E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-ESJ6U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-FJD1M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-4M6BM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-645IR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\images
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\images\is-F7D0S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\xml
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\xml\is-VSIQB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\clibs32
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\clibs32\is-AQQPT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\clibs64
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\clibs64\is-701OU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-397QA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-BGU0I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\32
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\is-5VCS0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\64
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\64\is-0JUIF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-UD451.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\is-1H9D4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-0OQDO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-TS9A7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-R3SMO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-IVICO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-6LEET.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-UOGUT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-J1K98.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-OHV06.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-5SV36.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-0AS3A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-SS3Q8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\is-MB3S7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-89BIB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-MKUU5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-3Q8BH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-V7A9J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-A8Q85.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-U1HA7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-K4H2Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-1EM51.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-VOMKC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Common
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Common\is-HB4M8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Common\is-06D9S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-DSBVA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-U9FAM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-QFQ4U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-9GQEE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-JAMT5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-BRK2U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-R1OD4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-1DI29.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-FKENA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-Q5JOQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-I51PG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-SJNR4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-VQTQI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-TIQC2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-DAA8Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-TD7IO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-1177L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-NBF0F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-PMDDR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-VT36S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\is-RCCJA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-ILHTP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-J74FA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-RN0P9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-OOK6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-RUQFN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-N4S80.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-MNOFM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-GJETC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-1VL61.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-7HB6K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\Properties
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\Properties\is-CEIJS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release\is-QAU98.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-O71KG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-L37DV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-L7LJI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-01QEO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-PVGIS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-CUSKP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-17K0H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-IOO6H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-LT1SS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-FS25O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-27QGG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-9SETD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-H42I8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-08GVN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-83TT8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-V8UK4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-PPAMP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-SNPLC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\unins000.msg
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\server.txt

Creates a software uninstall entry

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UnifiedStub-installer.exe.log

PE / OLE file has a valid certificate

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.172.112.34:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.172.112.34:443 -> 192.168.2.8:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.162.225.150:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.230.219.225:443 -> 192.168.2.8:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.230.219.225:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.94.94:443 -> 192.168.2.8:49761 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: shlwapi.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2118878537.00000000086F4000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2173916136.00000000086F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2122434367.0000000008EED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2163289242.000000000985B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2194997737.00000000099C7000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197941230.00000000099C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.00000000093F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2137865690.0000000008EFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009BD4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: glu32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197030680.0000000008F0B000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008F0B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb< source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, rsSyncSvc.exe, 00000019.00000000.1918136023.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 00000019.00000002.1922544985.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 0000001E.00000002.3276180421.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 0000001E.00000000.1920370235.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2173754543.00000000086EC000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151062995.00000000086EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CoreMessaging.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009BC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.0000000009419000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3321945122.0000019B4CE52000.00000002.00000001.01000000.00000032.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\git\cheat-engine\Cheat Engine\bin\lua53-64.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151918393.0000000008F11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2174085824.0000000009B7F000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009B7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2133387170.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XInput1_4.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009BAA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netutils.pdbbbK source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.0000000009572000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.00000000093F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\git\cheat-engine\Cheat Engine\bin\tcc64-32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2174085824.0000000009911000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2163289242.000000000985B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009BD4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsDatabase.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2122434367.0000000008EED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228662166.0000000007CEE000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CAD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.0000000009419000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb$1>1 01_CorExeMainmscoree.dll source: prod0.exe, 00000004.00000000.1813402829.000002A3CF932000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\Win32\Release\SaBsi.pdb source: saBSI.exe, 00000005.00000002.2582593680.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp, saBSI.exe, 00000005.00000000.1845266666.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: shlwapi.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2118878537.00000000086F4000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2173916136.00000000086F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2201559902.0000000009A5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb@ source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2184312242.0000000009AB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.00000000093F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3321945122.0000019B4CE52000.00000002.00000001.01000000.00000032.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2220370244.0000000008594000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, rsSyncSvc.exe, 00000019.00000000.1918136023.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 00000019.00000002.1922544985.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 0000001E.00000002.3276180421.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 0000001E.00000000.1920370235.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2148792759.0000000007CBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CoreMessaging.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009BC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2179075086.0000000009800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2174085824.0000000009B7F000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009B7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\git\cheat-engine\Cheat Engine\bin\tcc64-32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2174085824.0000000009911000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2178434787.0000000008EE7000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008EE7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ExplorerFrame.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197941230.00000000098B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2112822903.00000000086DE000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151062995.00000000086DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsAtom.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3319865235.0000019B4C9D2000.00000002.00000001.01000000.00000031.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: glu32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197030680.0000000008F0B000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008F0B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: opengl32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2137865690.0000000008EF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.00000000093F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comdlg32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2139633733.0000000008D4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2116863682.0000000008712000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2227495299.0000000008712000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb source: prod0.exe, 00000004.00000000.1813402829.000002A3CF932000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: WLDP.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2201559902.0000000009A5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsTime.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2112822903.00000000086DE000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151062995.00000000086DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2133387170.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2184312242.0000000009AB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2137865690.0000000008EFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009B99000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2155421442.0000000009B22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009B99000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2155421442.0000000009B22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\rsStubLib\obj\Release\rsStubLib.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2201075023.000001FA2F4B2000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: version.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2145426436.0000000008EDB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2112822903.00000000086D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ^Do not load external debug symbols like .PDB/.DBG files (Breaks tables that use these symbols) source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\git\cheat-engine\Cheat Engine\bin\lua53-64.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151918393.0000000008F11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ExplorerFrame.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197941230.00000000098B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228662166.0000000007CEE000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CAD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: opengl32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2137865690.0000000008EF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\ArchiveUtility\bin\Release\x64\ArchiveUtility.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\UnifiedStub\obj\Release\UnifiedStub.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: hhctrl.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2179075086.0000000009800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2194997737.00000000099C7000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197941230.00000000099C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2220370244.0000000008594000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2116863682.0000000008712000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hhctrl.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: added an option to skip loading .PDB files source: CheatEngine75.exe, 0000000C.00000003.1882445843.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.2042781311.0000000002318000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.2031697249.0000000003781000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.2030897563.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.2031073742.00000000007D3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.1898011309.0000000003490000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.2035583319.00000000022D7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: rsLogger.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2185072195.000001FA16D82000.00000002.00000001.01000000.0000002A.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2186104264.000001FA16E9D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2112822903.00000000086D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\rsStubRunner\rsStubRunner\bin\Release\x64\rsStubRunner.pdb source: 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, Uninstall.exe, 0000001F.00000002.1971316751.00007FF62D7D6000.00000002.00000001.01000000.0000001B.sdmp, Uninstall.exe, 0000001F.00000000.1933226506.00007FF62D7D6000.00000002.00000001.01000000.0000001B.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056875449.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056593501.0000000002A30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2173754543.00000000086EC000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151062995.00000000086EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsJSON.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3282773301.0000019B32872000.00000002.00000001.01000000.00000030.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: rsLogger.pdbx source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2185072195.000001FA16D82000.00000002.00000001.01000000.0000002A.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2186104264.000001FA16E9D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2145426436.0000000008EE1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2178434787.0000000008EE7000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008EE7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2227495299.0000000008712000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CA2000.00000004.00000020.00020000.00000000.sdmp

Spreading

Creates COM task schedule object (often to register a task for autostart)

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F69BF0 FindFirstFileExW,	5_2_00F69BF0
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_00404EC1 FindFirstFileW,	6_2_00404EC1
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Code function: 7_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	7_2_00405A19
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Code function: 7_2_004065CE FindFirstFileA,FindClose,	7_2_004065CE
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Code function: 7_2_004027AA FindFirstFileA,	7_2_004027AA
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 31_2_00007FF62D7CCA9C FindFirstFileExW,	31_2_00007FF62D7CCA9C
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00417980 CreateFileW,DeviceIoControl,FindFirstFileExW,FindClose,SetLastError,SetLastError,	38_2_00417980
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00417E10 FindFirstFileExW,FindClose,	38_2_00417E10

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-H908U.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 49.3.Stub.exe.2eb9f48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2eb9f48.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2ea9f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\WeatherZero\WeatherZero.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /ReasonLabs-Setup-Wizard.exe?dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true&oip=26&ptl=7&dta=true&pds=%5bepp%2cvpn%2cdns%5d HTTP/1.1Host: shield.reasonsecurity.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: application/jsonContent-Type: application/json; charset=utf-8Host: track.analytics-data.ioContent-Length: 1932Expect: 100-continueConnection: Close
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: application/jsonContent-Type: application/json; charset=utf-8Host: track.analytics-data.ioContent-Length: 1907Expect: 100-continueConnection: Close
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: application/jsonContent-Type: application/json; charset=utf-8Host: track.analytics-data.ioContent-Length: 1951Expect: 100-continueConnection: Close
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Accept: application/jsonContent-Type: application/json; charset=utf-8Host: track.analytics-data.ioContent-Length: 1932Expect: 100-continueConnection: Close

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /o HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 125Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325fUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 276Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325fUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 352Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325fUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 339Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325fUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 344Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325fUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 334Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325fUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 353Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325fUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 355Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325fUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 343Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325fUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 298Host: d3cored83b0wp2.cloudfront.net

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: 25_2_00007FF7824DFAA0 URLDownloadToFileA,

25_2_00007FF7824DFAA0

Source: global traffic	HTTP traffic detected: GET /f/RAV_Triple_NCB/images/DOTPS-855/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/WebAdvisor/images/943/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/WeatherZero/images/969/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /rsStubActivator.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: shield.reasonsecurity.com
Source: global traffic	HTTP traffic detected: GET /f/WebAdvisor/files/1489/saBSI.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/WeatherZero/files/969/WZSetup.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.1.2Host: d3cored83b0wp2.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /ReasonLabs-Setup-Wizard.exe?dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true&oip=26&ptl=7&dta=true&pds=%5bepp%2cvpn%2cdns%5d HTTP/1.1Host: shield.reasonsecurity.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cesharelist.txt HTTP/1.1User-Agent: Cheat Engine 7.5 : luascript-ceshareHost: cheatengine.org
Source: global traffic	HTTP traffic detected: GET /latestversion.txt HTTP/1.1User-Agent: Cheat Engine 7.5 : luascript-CEVersionCheckHost: cheatengine.org

Source: global traffic	DNS traffic detected: DNS query: d3cored83b0wp2.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: shield.reasonsecurity.com
Source: global traffic	DNS traffic detected: DNS query: analytics.apis.mcafee.com
Source: global traffic	DNS traffic detected: DNS query: sadownload.mcafee.com
Source: global traffic	DNS traffic detected: DNS query: localweatherfree.com
Source: global traffic	DNS traffic detected: DNS query: track.analytics-data.io
Source: global traffic	DNS traffic detected: DNS query: cheatengine.org

Source: unknown

HTTP traffic detected: POST /o HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 125Host: d3cored83b0wp2.cloudfront.net

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457680068.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2458319074.0000000005895000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2456590494.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2462765751.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2461624703.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2454019553.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463671905.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2458534556.000000000559A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2443385585.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455216703.0000000005599000.00000004.00000020.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056875449.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056593501.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2202510954.000001FA2F534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056875449.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056593501.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2202510954.000001FA2F534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457680068.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2462765751.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2461624703.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2454019553.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2443385585.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455216703.0000000005599000.00000004.00000020.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2582593680.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp, saBSI.exe, 00000005.00000000.1845266666.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxQ
Source: CheatEngine75.tmp, 0000000D.00000003.2017396988.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://creativecommons.org/ns#
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A74000.00000004.00000020.00020000.00000000.sdmp, prod0.exe, 00000004.00000002.3288281066.000002A3E9F1D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442974006.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1931266022.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975835833.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2443385585.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442884926.00000000031C9000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1994178474.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1893145095.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1907678051.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000002.1998636294.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1922914800.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1947310455.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3317370961.0000019B4C8BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2456590494.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.0000000003206000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442104275.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457680068.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2458319074.0000000005895000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2456590494.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2462765751.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2461624703.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2454019553.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463671905.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2458534556.000000000559A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2443385585.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455216703.0000000005599000.00000004.00000020.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056875449.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056593501.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2202510954.000001FA2F534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056875449.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056593501.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2202510954.000001FA2F534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: UnifiedStub-installer.exe, 0000002D.00000002.2202510954.000001FA2F534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056875449.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056593501.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2202510954.000001FA2F534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: saBSI.exe, 00000005.00000003.2571419970.00000000054D2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2585696686.00000000054D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: saBSI.exe, 00000005.00000002.2585659818.00000000054C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eng
Source: prod0.exe, 00000004.00000002.3283145627.000002A3D18F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d14mh4uvqj4iiz.cloudfront.net
Source: CheatEngine75.tmp, 0000000D.00000003.2017396988.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ns/office/1.2/meta/odf#ContentFile
Source: CheatEngine75.tmp, 0000000D.00000003.2017396988.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ns/office/1.2/meta/odf#StylesFile
Source: CheatEngine75.tmp, 0000000D.00000003.2017396988.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ns/office/1.2/meta/pkg#
Source: CheatEngine75.tmp, 0000000D.00000003.2017396988.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ns/office/1.2/meta/pkg#Document
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://forum.cheatengine.org/
Source: WZSetup.exe, WZSetup.exe, 00000007.00000000.1865545320.000000000040A000.00000008.00000001.01000000.00000012.sdmp, WZSetup.exe, 00000007.00000002.1995533666.000000000040A000.00000004.00000001.01000000.00000012.sdmp, WZSetup.exe, 00000007.00000003.1994147598.0000000002841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: WZSetup.exe, 00000007.00000000.1865545320.000000000040A000.00000008.00000001.01000000.00000012.sdmp, WZSetup.exe, 00000007.00000002.1995533666.000000000040A000.00000004.00000001.01000000.00000012.sdmp, WZSetup.exe, 00000007.00000003.1994147598.0000000002841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056875449.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056593501.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2202510954.000001FA2F534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457680068.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2462765751.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2461624703.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2454019553.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2443385585.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455216703.0000000005599000.00000004.00000020.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457680068.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2458319074.0000000005895000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2456590494.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2462765751.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2461624703.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2454019553.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463671905.0000000005599000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2458534556.000000000559A000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2443385585.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455216703.0000000005599000.00000004.00000020.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056875449.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056593501.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2202510954.000001FA2F534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2456590494.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.0000000003206000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442104275.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: prod0.exe, 00000004.00000002.3283145627.000002A3D1801000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.glob
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2456590494.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.0000000003206000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442104275.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: prod0.exe, 00000004.00000002.3283145627.000002A3D18F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://shield.reasonsecurity.com
Source: CheatEngine75.tmp, 0000000D.00000003.2017396988.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: CheatEngine75.tmp, 0000000D.00000003.2017396988.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wiki.lazarus.freepascal.org/fpvectorial)
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://www.cheatengine.org/?referredby=CE%.2f
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://www.cheatengine.org/ceads.php
Source: 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056875449.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056593501.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2202510954.000001FA2F534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1402834501.0000000002530000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.2478930076.00000000021D8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006D86000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1411738649.0000000002C60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mcafee.com
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2585659818.00000000054C0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571419970.00000000054D2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2585696686.00000000054D2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/record
Source: saBSI.exe, 00000005.00000003.2442104275.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571419970.00000000054D2000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2585696686.00000000054D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com/mosaic/2.0/product-web/am/v1/recordl
Source: saBSI.exe, 00000005.00000002.2585735618.00000000054F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com:443/mosaic/2.0/product-web/am/v1/record
Source: saBSI.exe, 00000005.00000003.2570621559.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571183671.00000000054F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com:443/mosaic/2.0/product-web/am/v1/recordps://sadownload.mcafee.com/
Source: saBSI.exe, 00000005.00000003.2570621559.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571183671.00000000054F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.apis.mcafee.com:443/mosaic/2.0/product-web/am/v1/recordtribution
Source: saBSI.exe, 00000005.00000002.2582593680.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp, saBSI.exe, 00000005.00000000.1845266666.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://analytics.apis.mcafee.comhttps://analytics.qa.apis.mcafee.com/mosaic/2.0/product-web/am/v1/r
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.qa.apis.mcafee.comx
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beta.reasonlabs.com/contact-us?prod=2&utm_source=vpn_uninstall&utm_medium=home_contact_suppo
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://beta.reasonlabs.com/contact-us?prod=3&utm_source=safer_web_uninstall_home&utm_medium=contact
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://cheatengine.org/
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2133387170.0000000007CE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cheatengine.org/cesharelist.txt0
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://cheatengine.org/dbkerror.php
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://cheatengine.org/dbkerror.phpopen
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2174085824.0000000009DEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cheatengine.org/e-4e5c-ae1f-9bc86c8e8c94T
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://cheatengine.org/microtransaction.php?action=buy&amount=
Source: CheatEngine75.tmp, 0000000D.00000003.2017396988.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cheatengine.org/tutorial.php?tutorial=
Source: CheatEngine75.tmp, 0000000D.00000003.2017396988.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cheatengine.org/tutorial.php?tutorial=open
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cu1pehnswad01.servicebus.windows.net/wadp32h02/messages?timeout=60&api-version=2014-01p
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/5
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/?
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/e
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1402834501.0000000002530000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.2478930076.000000000223E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002DA9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2163484819.0000000002350000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1411738649.0000000002C60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/AVAST/files/cookie_mmm_irs_ppi_005_888_a.zip
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1402834501.0000000002530000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.2478930076.000000000223E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006CC0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2163484819.0000000002350000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1411738649.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/CheatEngine/1032/CheatEngine75.exe
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172217386.0000000004E71000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.png
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.png9SP3pRw0yVFKRoA4O6H4
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172217386.0000000004E71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.pngM
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172217386.0000000004E71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.pngll
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1864310516.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2090140344.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2163484819.0000000002404000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464054224.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/files/969/WZSetup.zip
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/files/969/WZSetup.zip2yhVX
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2090140344.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464054224.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/files/969/WZSetup.zip5vT
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1864310516.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2124115026.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1844139575.0000000004EA3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2150822703.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2463662036.0000000004EAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.png
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2455203792.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pnga
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pngc
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pngzip
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pngzipam
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1864310516.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2090140344.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464054224.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip.png
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2090140344.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip5f
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1844139575.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipp
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipxe
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2124115026.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1844139575.0000000004EA3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2150822703.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2463662036.0000000004EAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.png
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1844139575.0000000004EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.png5
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2455203792.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pngD
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pngc
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1864310516.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2124115026.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2150822703.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2463662036.0000000004EAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pnge
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pngipe
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pngipera_
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1402834501.0000000002530000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.2478930076.000000000223E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002DED000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2163484819.0000000002350000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1411738649.0000000002C60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/o
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1402834501.0000000002530000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.2478930076.000000000223E000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2476998019.000000000B540000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002DED000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2163484819.0000000002350000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2090140344.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464054224.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1411738649.0000000002C60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/zbd
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2476998019.000000000B540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/zbd=u
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net/zbdt
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2476998019.000000000B540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d3cored83b0wp2.cloudfront.net:443/zbd
Source: UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://electron-shell.reasonsecurity.com/v
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3321945122.0000019B4CE52000.00000002.00000001.01000000.00000032.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dahall/taskscheduler
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172217386.0000000004E71000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root/AboutUs.aspx?id=eula
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000000.1401972062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, CheatEngine75.exe, 0000000C.00000000.1878862598.000000000040E000.00000020.00000001.01000000.00000016.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: WZSetup.exe, 00000007.00000003.1994178474.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000002.1998636294.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1994867793.000000000075E000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1922914800.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1947310455.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000002.1998170408.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/
Source: WZSetup.exe, 00000007.00000003.1907678051.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1922914800.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/E
Source: WZSetup.exe, 00000007.00000003.1922914800.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1995145479.0000000000785000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1947310455.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000002.1995533666.0000000000439000.00000004.00000001.01000000.00000012.sdmp, WZSetup.exe, 00000007.00000002.1997948492.0000000000708000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000002.1998170408.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecast
Source: WZSetup.exe, 00000007.00000003.1922914800.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecast32
Source: WZSetup.exe, 00000007.00000003.1994178474.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000002.1998636294.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecast4
Source: WZSetup.exe, 00000007.00000003.1922914800.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecastA
Source: WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecastLnCZyJIT3VIHOjglwhzNosGx/9V1OxmW
Source: WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1947310455.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecastX
Source: WZSetup.exe, 00000007.00000003.1907678051.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecastdT
Source: WZSetup.exe, 00000007.00000003.1922914800.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecastgT
Source: WZSetup.exe, 00000007.00000002.1995533666.0000000000439000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: https://localweatherfree.com/forecastlocation=5OhVky%2B4V0XPkJ6rjUuB0R4ELexthS%2BA2%2F7JDmd%2BDJstFI
Source: WZSetup.exe, 00000007.00000003.1994178474.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1947310455.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecastp&
Source: WZSetup.exe, 00000007.00000003.1994178474.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000002.1998636294.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecastpp
Source: WZSetup.exe, 00000007.00000003.1907678051.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecastt&
Source: WZSetup.exe, 00000007.00000003.1947310455.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecasttJ
Source: WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://localweatherfree.com/forecastz
Source: UnifiedStub-installer.exe, 0000002D.00000002.2201075023.000001FA2F4B2000.00000002.00000001.01000000.0000002B.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2186104264.000001FA16E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logziop.reasonsecurity.com
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/?utm_source=safer_web_uninstall_home&utm_medium=website_link&ruserid=
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/contact-us?prod=2&utm_source=vpn_uninstall&utm_medium=home_contact_support&ru
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/contact-us?prod=3&utm_source=safer_web_uninstall_home&utm_medium=contact_supp
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/platform/packages/essential?utm_source=rav_uninstall&utm_medium=home_website_
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/platform/products/rav/privacy-policy?utm_source=rav_antivirus_installer
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/platform/products/rav/terms?utm_source=rav_antivirus_installer
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464054224.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policies
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesiveEventeatherZero/images/969/EN.pngzipam
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2090140344.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464054224.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesiveEventfe7a788e10f08e18ca857b7883846325f
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1864310516.0000000004F10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2150169474.0000000004F10000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2089750771.0000000004F5C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464980416.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1844139575.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2090140344.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesm/rsSt
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesq
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesr
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesrivacy-policy88e10f08e18ca857b7883846325fInstaller_IC201102_ISV.zip
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172039331.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesrivacy-policyisor/files/1489/saBSI.zip
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com?utm_source=vpn_uninstall&utm_medium=home_website_link&ruserid=
Source: saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/
Source: saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/6
Source: saBSI.exe, 00000005.00000003.1895689100.000000000320D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/Z0
Source: saBSI.exe, 00000005.00000003.1895689100.000000000320D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/l
Source: saBSI.exe, 00000005.00000003.1931266022.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/n
Source: saBSI.exe, 00000005.00000003.1894003745.000000000320F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/o
Source: saBSI.exe	String found in binary or memory: https://sadownload.mcafee.com/products/SA/
Source: saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451927696.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003213000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1882145312.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003210000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893560349.0000000003212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/3.7.2/update_bsi_product.xml
Source: saBSI.exe, 00000005.00000003.1893113809.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/3.7.2/update_bsi_product.xml/
Source: saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451927696.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003213000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1882145312.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003210000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893560349.0000000003212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/4.1.0/update_bsi_self.xml
Source: saBSI.exe, 00000005.00000003.1893113809.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/Win/binary/4.1.0/update_bsi_self.xml/
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1931266022.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2585659818.00000000054C0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1894433107.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xml
Source: saBSI.exe, 00000005.00000003.1895622893.00000000054D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xml/
Source: saBSI.exe, 00000005.00000003.1931266022.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xmlB
Source: saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442884926.00000000031C9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893560349.0000000003212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PaidDistribution.xml
Source: saBSI.exe, 00000005.00000003.1893113809.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PaidDistribution.xml/
Source: saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451927696.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003213000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1882145312.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003210000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893560349.0000000003212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml
Source: saBSI.exe, 00000005.00000003.1893113809.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml/
Source: saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442104275.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451927696.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1931229204.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003213000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1882145312.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571183671.00000000054D9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003210000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.000000000320E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893560349.0000000003212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_abtest.xml
Source: saBSI.exe, 00000005.00000003.1893113809.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442104275.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2570621559.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_abtest.xml/
Source: saBSI.exe, saBSI.exe, 00000005.00000003.2442974006.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1931266022.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2582593680.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp, saBSI.exe, 00000005.00000003.1975835833.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000000.1845266666.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp, saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2443385585.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442884926.00000000031C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_main.xml
Source: saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451927696.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003213000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1882145312.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003210000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893560349.0000000003212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_vars.xml
Source: saBSI.exe, 00000005.00000003.1893113809.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/BSI/bsi_vars.xml/
Source: saBSI.exe, 00000005.00000002.2582593680.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp, saBSI.exe, 00000005.00000000.1845266666.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/UPDATER_VERSIONaffidosplatSELF_UPDATE_ALLOWEDMAIN_XMLSTORE
Source: saBSI.exe, saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.json
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.jsonRE=x86
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/Win/xpi/webadvisor/update.jsoniveOS=
Source: saBSI.exe, 00000005.00000003.2442104275.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1931229204.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571183671.00000000054D9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975835833.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi
Source: saBSI.exe, 00000005.00000003.1975165861.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442104275.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2570621559.00000000054EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/
Source: saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451927696.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003213000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1882145312.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003210000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893560349.0000000003212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/4.1.1/install.xml
Source: saBSI.exe, 00000005.00000003.1893113809.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/4.1.1/install.xml/
Source: saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442884926.00000000031C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/4.1.1/install.xmlnload.mcafee.com
Source: saBSI.exe, 00000005.00000003.2442974006.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975835833.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2443385585.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442884926.00000000031C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/bsi/binary
Source: saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975037735.000000000320C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/installer/4.1.1/914/
Source: saBSI.exe, 00000005.00000003.2442104275.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442884926.00000000031C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/installer/4.1.1/914/64/installer.exe
Source: saBSI.exe, 00000005.00000003.2442104275.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975037735.000000000320C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/pc/partner_custom_bsi.xml
Source: saBSI.exe, 00000005.00000003.2442104275.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2586262929.0000000005815000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975037735.000000000320C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/SA/v1/update/post_install.xml
Source: saBSI.exe, 00000005.00000003.2442104275.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1931229204.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571183671.00000000054D9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa/bsi/win/binary
Source: saBSI.exe, 00000005.00000003.1975165861.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442104275.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2570621559.00000000054EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa/bsi/win/binary/
Source: saBSI.exe, 00000005.00000003.1974949012.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.0000000005530000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975923382.000000000551B000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985305677.0000000005530000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975835833.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa/v1/pc/partner_custom_vars.xml
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/sa1k
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/saLocal
Source: saBSI.exe, 00000005.00000002.2582593680.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp, saBSI.exe, 00000005.00000000.1845266666.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://sadownload.mcafee.com/products/saUPDATER_URLupdater.exeWebAdvisor_Updaterheron_hostthreat.ap
Source: saBSI.exe, 00000005.00000003.1931266022.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sadownload.mcafee.com/x
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: prod0.exe, 00000004.00000002.3283145627.000002A3D18DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com
Source: prod0.exe, 00000004.00000002.3283145627.000002A3D1801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/
Source: prod0.exe, 00000004.00000000.1813402829.000002A3CF932000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/7ReasonLabs-Setup-Wizard.exe
Source: prod0.exe, 00000004.00000002.3283145627.000002A3D1801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-Setup-Wizard.exe
Source: prod0.exe, 00000004.00000002.3283145627.000002A3D18DC000.00000004.00000800.00020000.00000000.sdmp, prod0.exe, 00000004.00000002.3283145627.000002A3D1801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/ReasonLabs-Setup-Wizard.exe?dui=9e146be9-c76a-4720-bcdb-53011b87bd
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2090140344.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464257647.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2463458065.0000000004E70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006D68000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exe
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1844139575.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1864310516.0000000004EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exe/
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exeages/969/EN.pngzip
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2090140344.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464054224.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exee18ca857b7883846325f
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172039331.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exeles/969/WZSetup.zip
Source: prod0.exe, 00000004.00000002.3283145627.000002A3D1801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com:443/ReasonLabs-Setup-Wizard.exe?dui=9e146be9-c76a-4720-bcdb-53011b
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://system.data.sqlite.org/
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://system.data.sqlite.org/X
Source: UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data.io
Source: UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://track.analytics-data.io/X
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/live
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://update-beta.reasonsecurity.com/v2/update
Source: rsSyncSvc.exe, 00000019.00000002.1921438935.0000019D7C686000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonse.com/v
Source: rsSyncSvc.exe, 0000001E.00000002.3266265212.00000245547B0000.00000004.00000020.00020000.00000000.sdmp, rsSyncSvc.exe, 0000001E.00000002.3266265212.00000245547B7000.00000004.00000020.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/live
Source: rsSyncSvc.exe, 0000001E.00000002.3266265212.00000245547B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/live-bn:ReasonLabs-dt:10&
Source: rsSyncSvc.exe, 00000019.00000002.1921438935.0000019D7C68C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/live-dt:10
Source: rsSyncSvc.exe, 00000019.00000002.1921438935.0000019D7C68C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/liveING=D
Source: rsSyncSvc.exe, 00000019.00000002.1921438935.0000019D7C68C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/livelive
Source: rsSyncSvc.exe, 0000001E.00000002.3266265212.00000245547B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/livelivell
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://update.reasonsecurity.com/v2/update
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/privacy
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/privacyE
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/termsP
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/termsX
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://wiki.cheatengine.org/index.php
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/license/
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2171737967.00000000009E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/license/Z
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2171737967.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.360totalsecurity.com/en/privacy/
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.c
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172039331.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2460450691.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula#pc
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172217386.0000000004E71000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-products
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172217386.0000000004E71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-productsC
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policy
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2171737967.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172039331.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2460450691.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policy#pc
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/eulaM
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/privacyj
Source: CheatEngine75.exe, 0000000C.00000003.2042781311.00000000023A1000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.2035583319.00000000023B1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cheatengine.org/
Source: CheatEngine75.exe, 0000000C.00000003.1882445843.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.1898011309.0000000003490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cheatengine.org/8https://www.cheatengine.org/8https://www.cheatengine.org/
Source: CheatEngine75.exe, 0000000C.00000003.2042781311.00000000023A1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cheatengine.org/A
Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.00000000023B1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cheatengine.org/Q
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2163484819.0000000002350000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006D52000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2150822703.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1411738649.0000000002C60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cheatengine.org/privacy.htm
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2171737967.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2454656622.00000000009FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cheatengine.org/privacy.htmd
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.forbes.com/sites/forbestechcouncil/2022/07/13/why-do-hacks-happen-four-ubiquitous-motiva
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1843760686.0000000004F3B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2451374947.000000000018E000.00000004.00000010.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2456590494.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2463495772.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442104275.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2440483421.00000000055CC000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441980925.0000000003206000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2457230909.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2455020674.00000000057D3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FE24000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002628000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000002.2039167823.000000000018F000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1405939759.0000000002670000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1407943952.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000000.1409808513.0000000000401000.00000020.00000001.01000000.00000004.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000000.1892916012.0000000000401000.00000020.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006D27000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A27000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2455203792.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/global/legal.html
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006D27000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2453900113.00000000009D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmlD
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A54000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmlfE
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmlmages/DOTPS-855/EN.png
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2582593680.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp, saBSI.exe, 00000005.00000000.1845266666.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.html
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlL
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlW
Source: saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/v/wa-how.htmlf
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services-agreement/
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services-agreement/G
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.nortonlifelock.com/us/en/privacy/
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2171737967.00000000009E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.nortonlifelock.com/us/en/privacy/-
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/eula/computers
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/privacy
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://www.patreon.com/cheatengine
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://www.patreon.com/cheatengineopenhttps://cheatengine.org/http://forum.cheatengine.org/
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006CB9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006D36000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/common/termsofservice-v1
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A54000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/common/termsofservice-v1::
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006D6F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/pr
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006D36000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2163484819.000000000241B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/privacy-policy
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A55000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A54000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/privacy-policy:J
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2090140344.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464054224.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/privacy-policy:xQ
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.com/
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.com/safer-web/privacy-policy?utm_source=reason_safer_web_installer
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.com/safer-web/terms?utm_source=reason_safer_web_installer
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.com/vpn/privacy-policy?utm_source=reason_vpn_installer
Source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reasonsecurity.com/vpn/terms?utm_source=reason_vpn_installer
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1405939759.0000000002670000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1407943952.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000000.1409808513.0000000000401000.00000020.00000001.01000000.00000004.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000000.1892916012.0000000000401000.00000020.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.remobjects.com/ps
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2171737967.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.winzip.com/win/en/eula.html
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.winzip.com/win/en/privacy.html
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2171737967.00000000009E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.winzip.com/win/en/privacy.htmlc

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.172.112.34:443 -> 192.168.2.8:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.172.112.34:443 -> 192.168.2.8:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.162.225.150:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.230.219.225:443 -> 192.168.2.8:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.230.219.225:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.173.206.112:443 -> 192.168.2.8:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.94.94:443 -> 192.168.2.8:49761 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe

Code function: 7_2_004054B6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

7_2_004054B6

Installs a raw input device (often for capturing keystrokes)

Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2227248249.0000000008574000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: NtUserGetRawInputData

memstr_30c0b96c-2

Yara detected Keylogger Generic

Source: Yara match

File source: Process Memory Space: cheatengine-x86_64-SSE4-AVX2.exe PID: 4256, type: MEMORYSTR

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Jump to dropped file

System Summary

Submitted sample is a known malware sample

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe

Dropped file: MD5: e346fcecd037f0be2777231949977587 Family: APT37 Alias: Reaper group, Geumseong121, Group 123, Scarcruft, APT-S-008, Red Eyes, TEMP.Reaper, Ricochet Chollima, sun team, APT37 Description: APT37 is a suspected North Korean cyber espionage group that has been in operation since at least 2012. Their targets are primarily located in South Korea, but also Japan, Vietnam, Russia, China, India, and some of the countries in the Middle East. A wider range of industries are affected, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities References: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf https://securelist.com/operation-daybreak/75100/https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/Data Source: https://github.com/RedDrip7/APT_Digital_Weapon

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe

Process Stats: CPU usage > 49%

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00EE6220: GetCurrentProcessId,GetCurrentThreadId,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,DeviceIoControl,DeviceIoControl,

5_2_00EE6220

Contains functionality to delete services

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: 25_2_00007FF7824D4BB0 RegCreateKeyExW,RegCloseKey,OutputDebugStringW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

25_2_00007FF7824D4BB0

Contains functionality to launch a process as a different user

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: 25_2_00007FF7824FE4D0 WTSGetActiveConsoleSessionId,ProcessIdToSessionId,OpenProcess,OpenProcessToken,CloseHandle,GetLastError,DuplicateTokenEx,CloseHandle,CreateProcessAsUserW,CloseHandle,WaitForSingleObject,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

25_2_00007FF7824FE4D0

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe

Code function: 7_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

7_2_004033B3

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2BA610	4_2_00007FFB4B2BA610
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2B0E40	4_2_00007FFB4B2B0E40
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2BD4D1	4_2_00007FFB4B2BD4D1
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2B94ED	4_2_00007FFB4B2B94ED
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2BD7A9	4_2_00007FFB4B2BD7A9
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_0556F666	5_3_0556F666
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_0556E402	5_3_0556E402
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_0556E322	5_3_0556E322
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_055729D6	5_3_055729D6
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_0556CCD2	5_3_0556CCD2
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EE8FB0	5_2_00EE8FB0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EE4F50	5_2_00EE4F50
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EE5110	5_2_00EE5110
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F1D540	5_2_00F1D540
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F21840	5_2_00F21840
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EE70D9	5_2_00EE70D9
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EEF110	5_2_00EEF110
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F073B0	5_2_00F073B0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F03AC0	5_2_00F03AC0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F1FFE0	5_2_00F1FFE0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F18190	5_2_00F18190
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F6C110	5_2_00F6C110
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F283A0	5_2_00F283A0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F30660	5_2_00F30660
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F68609	5_2_00F68609
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F247C0	5_2_00F247C0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F70992	5_2_00F70992
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F50919	5_2_00F50919
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F70AB2	5_2_00F70AB2
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F50B4B	5_2_00F50B4B
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F50DB0	5_2_00F50DB0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EF8EA0	5_2_00EF8EA0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00ECCF40	5_2_00ECCF40
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F0D2C0	5_2_00F0D2C0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F5933A	5_2_00F5933A
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F614AF	5_2_00F614AF
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EC5400	5_2_00EC5400
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F6D8E0	5_2_00F6D8E0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F1A540	5_2_00F1A540
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00ECA610	5_2_00ECA610
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F768E0	5_2_00F768E0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F228A0	5_2_00F228A0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EC2B00	5_2_00EC2B00
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F4ADD0	5_2_00F4ADD0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F26D43	5_2_00F26D43
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F1F150	5_2_00F1F150
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F5B340	5_2_00F5B340
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F2B4F0	5_2_00F2B4F0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F27602	5_2_00F27602
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00ECF830	5_2_00ECF830
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F539A4	5_2_00F539A4
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F23A30	5_2_00F23A30
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EFFB40	5_2_00EFFB40
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EEBCB0	5_2_00EEBCB0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EF3C50	5_2_00EF3C50
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00EC7D10	5_2_00EC7D10
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_0040CDD5	6_2_0040CDD5
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_00418810	6_2_00418810
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_004030CF	6_2_004030CF
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_00411129	6_2_00411129
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_00414B30	6_2_00414B30
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_00417420	6_2_00417420
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_004144D0	6_2_004144D0
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_00419D01	6_2_00419D01
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_00419DDB	6_2_00419DDB
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_00416E09	6_2_00416E09
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Code function: 7_2_0040727F	7_2_0040727F
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Code function: 7_2_00406AA8	7_2_00406AA8
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Code function: 11_2_00007FFB4B2B18F5	11_2_00007FFB4B2B18F5
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824D4BB0	25_2_00007FF7824D4BB0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824D71C0	25_2_00007FF7824D71C0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782539B94	25_2_00007FF782539B94
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78253CB70	25_2_00007FF78253CB70
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824E7B30	25_2_00007FF7824E7B30
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78253C334	25_2_00007FF78253C334
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78253A3B4	25_2_00007FF78253A3B4
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78252E430	25_2_00007FF78252E430
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824FE4D0	25_2_00007FF7824FE4D0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78253B4A0	25_2_00007FF78253B4A0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78254D18C	25_2_00007FF78254D18C
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78255F188	25_2_00007FF78255F188
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782502960	25_2_00007FF782502960
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782539990	25_2_00007FF782539990
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824FC990	25_2_00007FF7824FC990
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824F5990	25_2_00007FF7824F5990
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824F4140	25_2_00007FF7824F4140
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782546934	25_2_00007FF782546934
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78255D1EC	25_2_00007FF78255D1EC
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7825511E8	25_2_00007FF7825511E8
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824E89D0	25_2_00007FF7824E89D0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78253A1B0	25_2_00007FF78253A1B0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824D92F0	25_2_00007FF7824D92F0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782546314	25_2_00007FF782546314
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782506AD0	25_2_00007FF782506AD0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782549F80	25_2_00007FF782549F80
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78253C76C	25_2_00007FF78253C76C
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782546180	25_2_00007FF782546180
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78254AFBC	25_2_00007FF78254AFBC
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782539FA4	25_2_00007FF782539FA4
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824DA080	25_2_00007FF7824DA080
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782551868	25_2_00007FF782551868
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782552870	25_2_00007FF782552870
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782556850	25_2_00007FF782556850
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78254E024	25_2_00007FF78254E024
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78253B824	25_2_00007FF78253B824
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78253B108	25_2_00007FF78253B108
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7825440B0	25_2_00007FF7825440B0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782550D54	25_2_00007FF782550D54
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824DB5E0	25_2_00007FF7824DB5E0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7825565D4	25_2_00007FF7825565D4
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782539DA0	25_2_00007FF782539DA0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824E3660	25_2_00007FF7824E3660
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF7824DF6E0	25_2_00007FF7824DF6E0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78255F6D4	25_2_00007FF78255F6D4
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 31_2_00007FF62D7C1330	31_2_00007FF62D7C1330
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 31_2_00007FF62D7CCA9C	31_2_00007FF62D7CCA9C
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 31_2_00007FF62D7CB594	31_2_00007FF62D7CB594
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 31_2_00007FF62D7D3FF8	31_2_00007FF62D7D3FF8
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_010A150E	33_2_010A150E
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_01095560	33_2_01095560
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_010015B0	33_2_010015B0
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_010015B5	33_2_010015B5
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_0109C9E8	33_2_0109C9E8
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_01002810	33_2_01002810
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_0109101F	33_2_0109101F
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_0109F05B	33_2_0109F05B
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_01001860	33_2_01001860
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_01001F60	33_2_01001F60
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_01002FB0	33_2_01002FB0
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_010A13EE	33_2_010A13EE
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_01003690	33_2_01003690
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00401A30	38_2_00401A30
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00411500	38_2_00411500
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00405640	38_2_00405640
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00404660	38_2_00404660
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00413760	38_2_00413760
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00412700	38_2_00412700
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00404C70	38_2_00404C70
Source: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	Code function: 39_2_00409AF0	39_2_00409AF0
Source: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	Code function: 39_2_0041DDE0	39_2_0041DDE0
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Code function: 45_2_00007FFB4B2D18F5	45_2_00007FFB4B2D18F5
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_0042C740	46_2_0042C740
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_004240F0	46_2_004240F0
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_00404160	46_2_00404160
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_004282F0	46_2_004282F0
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_004253E0	46_2_004253E0
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_004274F0	46_2_004274F0
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_00422535	46_2_00422535
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_0042B690	46_2_0042B690
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_0043B840	46_2_0043B840
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_004238B0	46_2_004238B0
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_00402A20	46_2_00402A20
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_00403B50	46_2_00403B50
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_00402B00	46_2_00402B00
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_00404B30	46_2_00404B30
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_0043AF20	46_2_0043AF20

Enables driver privileges

Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe

Process token adjusted: Load Driver

Enables security privileges

Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe

Process token adjusted: Security

Found potential string decryption / allocating functions

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: String function: 00007FF7824D3810 appears 34 times
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: String function: 00007FF7824EE250 appears 58 times
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: String function: 00007FF7824D1DB0 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: String function: 004031E3 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: String function: 004197D0 appears 120 times
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: String function: 00401490 appears 35 times
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: String function: 004036A0 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: String function: 00F48E31 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: String function: 00F49600 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: String function: 00F08650 appears 192 times
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: String function: 00F485BF appears 56 times
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: String function: 00F48713 appears 374 times
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: String function: 00F48375 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: String function: 00ED1BE0 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: String function: 00F48DFE appears 103 times
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: String function: 00F64231 appears 31 times

PE file contains executable resources (Code or Archives)

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: installer.exe.5.dr	Static PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 28277285 bytes, 132 files, at 0x2c +A "analyticsmanager.cab" +A "analyticstelemetry.cab", number 1, 993 datablocks, 0x1 compression

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.2478930076.0000000002298000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1405939759.0000000002670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1407943952.000000007FB70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000000.1402396274.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

query blbeacon for getting browser version

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp

Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version

Jump to behavior

Source: rsAtom.dll.6.dr, y6HIThX7g6QtDvHSgF.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsAtom.dll.6.dr, y6HIThX7g6QtDvHSgF.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsAtom.dll.6.dr, y6HIThX7g6QtDvHSgF.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsAtom.dll.6.dr, y6HIThX7g6QtDvHSgF.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsDatabase.dll.6.dr, jTQUkyXTEdtNfPRZPx.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsDatabase.dll.6.dr, jTQUkyXTEdtNfPRZPx.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsDatabase.dll.6.dr, jTQUkyXTEdtNfPRZPx.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsDatabase.dll.6.dr, jTQUkyXTEdtNfPRZPx.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsJSON.dll.6.dr, J0mSrijoaAO8NrjmXU.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsJSON.dll.6.dr, J0mSrijoaAO8NrjmXU.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsJSON.dll.6.dr, J0mSrijoaAO8NrjmXU.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rsJSON.dll.6.dr, J0mSrijoaAO8NrjmXU.cs	Cryptographic APIs: 'CreateDecryptor'

Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.0000000002344000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI.sln
Source: icacls.exe, 00000029.00000003.2021718540.0000028AD3375000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: example-c.sln`
Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.0000000002344000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector.sln
Source: icacls.exe, 00000029.00000003.2019412948.0000028AD3386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *MonoDataCollector.sln
Source: icacls.exe, 00000029.00000003.2021372247.0000028AD337E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ,CEPluginLibrary.csproj`\
Source: CheatEngine75.tmp, 0000000D.00000003.1898011309.0000000003490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Z{app}\plugins\c# template\CEPluginLibrary.sln
Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.00000000022C2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 1{app}\autorun\dlls\src\Mono\MonoDataCollector.sln
Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.000000000238D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: %{app}\plugins\example-c\example-c.sln
Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.0000000002352000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Cheat Engine 7.5\plugins\example-c\example-c.sln
Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.000000000228F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\CEPluginLibrary.csproj
Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.000000000232D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: -{app}\plugins\c# template\CEPluginLibrary.sln!
Source: CheatEngine75.tmp, 0000000D.00000003.1898011309.0000000003490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ^{app}\autorun\dlls\src\Java\CEJVMTI\CEJVMTI.sln
Source: CheatEngine75.tmp, 0000000D.00000003.1898011309.0000000003490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: J{app}\plugins\example-c\example-c.sln
Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.0000000002344000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary.sln
Source: CheatEngine75.tmp, 0000000D.00000003.1898011309.0000000003490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {app}\plugins\c# template\CEPluginLibrary\CEPluginLibrary.csproj
Source: CheatEngine75.tmp, 0000000D.00000003.1898011309.0000000003490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: b{app}\autorun\dlls\src\Mono\MonoDataCollector.sln
Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.000000000232D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: /{app}\autorun\dlls\src\Java\CEJVMTI\CEJVMTI.slnq
Source: CheatEngine75.tmp, 0000000D.00000003.2035583319.000000000231C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: @{app}\plugins\c# template\CEPluginLibrary\CEPluginLibrary.csproj
Source: icacls.exe, 00000029.00000003.2018899124.0000028AD338E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CEJVMTI.sln

Source: classification engine

Classification label: mal46.troj.spyw.evad.winEXE@72/800@11/6

Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

Code function: 38_2_0040E500 GetLastError,FormatMessageW,

38_2_0040E500

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe

7_2_004033B3

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe

Code function: 7_2_00404766 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

7_2_00404766

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: OutputDebugStringW,GetModuleFileNameW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,OutputDebugStringW,RegisterServiceCtrlHandlerExW,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,CreateEventW,OutputDebugStringW,GetLastError,SetServiceStatus,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,WaitForSingleObject,OutputDebugStringW,OutputDebugStringW,CloseHandle,SetServiceStatus,OutputDebugStringW,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,OutputDebugStringW,OutputDebugStringW,SetServiceStatus,OutputDebugStringW,SetEvent,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

25_2_00007FF7824D71C0

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00ED4C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

5_2_00ED4C8E

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00ED5C1E CoCreateInstance,OleRun,

5_2_00ED5C1E

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00EF5318 GetModuleHandleW,FindResourceW,LoadResource,LockResource,std::ios_base::_Ios_base_dtor,GetModuleHandleW,GetProcAddress,GetCurrentProcess,Concurrency::cancel_current_task,Concurrency::cancel_current_task,SysFreeString,SysFreeString,

5_2_00EF5318

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

25_2_00007FF7824D4BB0

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

25_2_00007FF7824D4BB0

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe

File created: C:\Program Files (x86)\WeatherZero

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Mutant created: \Sessions\1\BaseNamedObjects\{6F44C754-77E7-4687-80D4-B48E574DF023}Installer
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{6F44C754-77E7-4687-80D4-B48E574DF023}Installer
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{48ca68e-e4ff-43ac-a993-6d162f33de7c}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2352:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

File created: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%{4ED1F68A-5463-4931-9384-8FFF5ED91D92}%'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%fdhgeoginicibhagdmblfikbgbkahibd%'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - Root\CIMV2 : Select * from Win32_Process where name='browserhost.exe' and SessionId=1 and commandline like '%{4ED1F68A-5463-4931-9384-8FFF5ED91D92}%'

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: create table modules(ptrid integer not null, moduleid integer not null, name char(256) not null, primary key (ptrid, moduleid) );
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE pointerfiles (`ptrid`INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,`name`char(256) NOT NULL,`maxlevel`INTEGER,`compressedptr`INTEGER,`unalligned`INTEGER,`MaxBitCountModuleIndex`INTEGER,`MaxBitCountModuleOffset`INTEGER,`MaxBitCountLevel`INTEGER,`MaxBitCountOffset`INTEGER,`DidBaseRangeScan`INTEGER,`BaseScanRange`INTEGER);
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE pointerfiles_endwithoffsetlist ( `ptrid`INTEGER NOT NULL, `offsetnr`INTEGER NOT NULL, `offsetvalue`INTEGER NOT NULL, PRIMARY KEY(ptrid,offsetnr));

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UC9I1.tmp\_isetup\_setup64.tmp

Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp "C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp" /SL5="$20462,29086952,780800,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process created: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe "C:\Users\user\AppData\Local\Temp\3yq4abxg.exe" /silent
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe .\UnifiedStub-installer.exe /silent
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Process created: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp "C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp" /SL5="$901D6,26511452,832512,C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\net.exe "net" stop BadlionAntic
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop BadlionAntic
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\net.exe "net" stop BadlionAnticheat
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop BadlionAnticheat
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\sc.exe "sc" delete BadlionAntic
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\sc.exe "sc" delete BadlionAnticheat
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-UC9I1.tmp\_isetup\_setup64.tmp helper 105 0x44C
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
Source: C:\Users\user\AppData\Local\Temp\is-UC9I1.tmp\_isetup\_setup64.tmp	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\icacls.exe "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
Source: unknown	Process created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe "C:\Program Files\ReasonLabs\EPP\Uninstall.exe" /auto-repair=UnifiedStub
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Process created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe "C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe" /products=epp /auto-repair=UnifiedStub
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe"
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\icacls.exe "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe .\UnifiedStub-installer.exe /products=epp /auto-repair=UnifiedStub
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Process created: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process created: C:\Users\user\AppData\Local\Temp\Stub.exe "C:\Users\user\AppData\Local\Temp\Stub.exe" /products=epp /auto-repair=UnifiedStub
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp "C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp" /SL5="$20462,29086952,780800,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process created: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe "C:\Users\user\AppData\Local\Temp\3yq4abxg.exe" /silent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe .\UnifiedStub-installer.exe /silent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" install	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Process created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe "C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" start silent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Process created: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp "C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp" /SL5="$901D6,26511452,832512,C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\net.exe "net" stop BadlionAntic
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\net.exe "net" stop BadlionAnticheat
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\sc.exe "sc" delete BadlionAntic
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\sc.exe "sc" delete BadlionAnticheat
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-UC9I1.tmp\_isetup\_setup64.tmp helper 105 0x44C
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\icacls.exe "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Windows\System32\icacls.exe "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop BadlionAntic
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop BadlionAnticheat
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Process created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe "C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe" /products=epp /auto-repair=UnifiedStub
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe .\UnifiedStub-installer.exe /products=epp /auto-repair=UnifiedStub
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process created: C:\Users\user\AppData\Local\Temp\Stub.exe "C:\Users\user\AppData\Local\Temp\Stub.exe" /products=epp /auto-repair=UnifiedStub
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Process created: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-UC9I1.tmp\_isetup\_setup64.tmp	Section loaded: ntmarta.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: apphelp.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: version.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: urlmon.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: powrprof.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: winhttp.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: iertutil.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: srvcli.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: netutils.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: umpdc.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: version.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: urlmon.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: powrprof.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: winhttp.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: iertutil.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: srvcli.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: netutils.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: umpdc.dll
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: wldp.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: apphelp.dll
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: wldp.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: propsys.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: profapi.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: edputil.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: netutils.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: appresolver.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: slc.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: userenv.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: sppc.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: version.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: opengl32.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: wsock32.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: winmm.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: lua53-64.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: wininet.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: glu32.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: msimg32.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: explorerframe.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: tcc64-32.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: tcc64-64.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: wldp.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: propsys.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: textshaping.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: xinput1_4.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: devobj.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: inputhost.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: profapi.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: netutils.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: schannel.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: dpapi.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Section loaded: duser.dll

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Automated click: Next
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Automated click: OK

Uses Rich Edit Controls

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found window with many clickable UI elements (buttons, textforms, scrollbars etc)

Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Window detected: Number of UI elements: 24
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Window detected: Number of UI elements: 39

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Creates a directory in C:\Program Files

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Stub
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Directory created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-1U45L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-KLETU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-MV96K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-1HAUB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-04JI4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-R767B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-APHCK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-UJMF9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-OUQ5Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win32
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win32\is-OH84O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win64
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win64\is-F9V6M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win32\is-A3GKJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win64\is-356FE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win32\is-7KKVU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\win64\is-HNC5I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-SBH22.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-VP6HP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-AJB6K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-4H8E2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-IM0FE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-TTU3J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-JBLAJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-PP0OR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-OQMOE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-7TSFI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-RKO1I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-8G4IN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-A5OSQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-7DIKH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-FC05A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-ERBSE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-27N0B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-LR956.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-L3GJI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-AATAN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-RUAAP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-MRM89.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-81GE3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-7NK6B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-76J7R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib\lib
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib\lib\is-23JOJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib\is-V0OQK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib\is-K56C1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\tcclib\is-47N79.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-9UL4R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-4232T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-0PACH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-S6USS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-KITFQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-7UMKO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-INTCK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-MKK0B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-51LG7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-5BN1Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-0K952.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-J1VDF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-PL1GR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-EUHVU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-77A2I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-MG740.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-DANGD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-C2D8P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-6QL5T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-48C7L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-HBL1M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-FEKQ6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-2OU3Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-1C906.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-T0LBE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-RE8LQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-4IT51.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-AGEPC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-OK78B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-F8B1F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-C9L6B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-BF42V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-HH378.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-0PE6T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-VDPOG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-G42GM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-CE1AR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-EE2JR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-G3L07.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-E1KQ9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-JMF9S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\is-SE4Q2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-TSDM9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-EEKRH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-706F4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-P9BF9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-PKD7D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-7T9K6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-PU1PA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-CKLD9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-U65KB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-VB57V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-MVJR7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\is-S8NHP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\sys
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sec_api\sys\is-N2NHS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-FQ2UK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-4DSRI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-QHAUI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-MUO8O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-0I53U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-GL0L4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-PTQPB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-74NLM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\sys\is-OSJ7L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\tcc
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\tcc\is-JASML.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-92IBT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-1S69F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-97NTF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-P2U2R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-2RB3V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-GLR8Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-93UT7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-MUNGH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-5UQJA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-GCQCF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-H9J2J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-BBNAD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-FJ0FL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-4CQ17.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-1NSDB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-PTTF7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-SIKIP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\include\winapi\is-AD97Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-ASU18.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-NNHHO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-SJKQD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-8HLKV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-PMK62.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-5DOON.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-AUJ8A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-MUHHF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-DSI7G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-SQBUT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-87427.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-EJPQ1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-A30LA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-VADJ1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-OLBHT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-ERRVD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-L6R39.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-QPVNS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-IGC53.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-IVS6D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-CIE95.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-2CQ46.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-FPKDI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-PGR7M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\languages\is-EBM2L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-0K02L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-V9D11.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-6LSG2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-BQRFH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-GGMI4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-NS6P9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-JFC09.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-QQIJI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-J3Q59.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-Q18K1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-2V4D2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-60OMG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-UQL2S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-IPTJ2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-V5KV6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-3GI42.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-E8L5M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-RQ2S3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-747JC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\forms
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\forms\is-158C0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-RU1SE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-RPLOS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-VK6QC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\images
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\images\is-U6823.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\images\is-0BI9T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-J71N7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-033OV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-HJUU2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-G334Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-8AE8P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-T3S7T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-4TPRM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-V5CNU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-EAD3D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\forms\is-Q50JT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\forms\is-IH2QN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-NCP20.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-B180O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\is-JRPTO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-VGUUS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-N4PLP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-6JEUL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-SKFQ5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-G7CFT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-LUTQ1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-ON5UP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-CNEHS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-UV0PJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-KK89E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-ESJ6U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-FJD1M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-4M6BM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-645IR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\images
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\images\is-F7D0S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\xml
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\xml\is-VSIQB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\clibs32
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\clibs32\is-AQQPT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\clibs64
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\clibs64\is-701OU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-397QA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-BGU0I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\32
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\is-5VCS0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\64
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\64\is-0JUIF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-UD451.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\is-1H9D4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-0OQDO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-TS9A7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-R3SMO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-IVICO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-6LEET.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-UOGUT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-J1K98.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-OHV06.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-5SV36.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-0AS3A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-SS3Q8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\is-MB3S7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-89BIB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-MKUU5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-3Q8BH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-V7A9J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-A8Q85.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-U1HA7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-K4H2Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-1EM51.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-VOMKC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Common
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Common\is-HB4M8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Common\is-06D9S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-DSBVA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-U9FAM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-QFQ4U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-9GQEE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-JAMT5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-BRK2U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-R1OD4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-1DI29.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-FKENA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-Q5JOQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-I51PG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\is-SJNR4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-VQTQI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-TIQC2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-DAA8Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-TD7IO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-1177L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-NBF0F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-PMDDR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-VT36S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\is-RCCJA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-ILHTP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-J74FA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-RN0P9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-OOK6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-RUQFN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-N4S80.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-MNOFM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-GJETC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-1VL61.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-7HB6K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\Properties
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\Properties\is-CEIJS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release\is-QAU98.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-O71KG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-L37DV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-L7LJI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-01QEO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-PVGIS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-CUSKP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-17K0H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-IOO6H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-LT1SS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-FS25O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-27QGG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-9SETD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-H42I8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-08GVN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-83TT8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-V8UK4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\badassets\is-PPAMP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\is-SNPLC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Directory created: C:\Program Files\Cheat Engine 7.5\unins000.msg
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Directory created: C:\Program Files\Cheat Engine 7.5\autorun\ceshare\server.txt

Creates a software uninstall entry

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ReasonLabs-EPP

PE / OLE file has a valid certificate

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Static file information: File size 29977368 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: shlwapi.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2118878537.00000000086F4000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2173916136.00000000086F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2122434367.0000000008EED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2163289242.000000000985B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2194997737.00000000099C7000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197941230.00000000099C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.00000000093F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2137865690.0000000008EFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009BD4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: glu32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197030680.0000000008F0B000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008F0B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb< source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, rsSyncSvc.exe, 00000019.00000000.1918136023.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 00000019.00000002.1922544985.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 0000001E.00000002.3276180421.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 0000001E.00000000.1920370235.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2173754543.00000000086EC000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151062995.00000000086EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CoreMessaging.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009BC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.0000000009419000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdbSHA256 source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3321945122.0000019B4CE52000.00000002.00000001.01000000.00000032.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\git\cheat-engine\Cheat Engine\bin\lua53-64.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151918393.0000000008F11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2174085824.0000000009B7F000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009B7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2133387170.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XInput1_4.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009BAA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netutils.pdbbbK source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.0000000009572000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.00000000093F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\git\cheat-engine\Cheat Engine\bin\tcc64-32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2174085824.0000000009911000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CLBCatQ.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2163289242.000000000985B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntmarta.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009BD4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsDatabase.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2122434367.0000000008EED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228662166.0000000007CEE000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CAD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winnsi.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.0000000009419000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb$1>1 01_CorExeMainmscoree.dll source: prod0.exe, 00000004.00000000.1813402829.000002A3CF932000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\jenkins\workspace\ebAdvisor_WABinary_release_4.1.1\build\Win32\Release\SaBsi.pdb source: saBSI.exe, 00000005.00000002.2582593680.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp, saBSI.exe, 00000005.00000000.1845266666.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: shlwapi.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2118878537.00000000086F4000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2173916136.00000000086F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2201559902.0000000009A5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb@ source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2184312242.0000000009AB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.00000000093F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net452\Microsoft.Win32.TaskScheduler.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3321945122.0000019B4CE52000.00000002.00000001.01000000.00000032.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2220370244.0000000008594000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsSyncSvc\rsSyncSvc\x64\Release\rsSyncSvc.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, rsSyncSvc.exe, 00000019.00000000.1918136023.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 00000019.00000002.1922544985.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 0000001E.00000002.3276180421.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, rsSyncSvc.exe, 0000001E.00000000.1920370235.00007FF782567000.00000002.00000001.01000000.0000001A.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2148792759.0000000007CBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CoreMessaging.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009BC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2179075086.0000000009800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2174085824.0000000009B7F000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009B7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\git\cheat-engine\Cheat Engine\bin\tcc64-32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2174085824.0000000009911000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2178434787.0000000008EE7000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008EE7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ExplorerFrame.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197941230.00000000098B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2112822903.00000000086DE000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151062995.00000000086DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsAtom.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3319865235.0000019B4C9D2000.00000002.00000001.01000000.00000031.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: glu32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197030680.0000000008F0B000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008F0B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: opengl32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2137865690.0000000008EF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2222821125.00000000093F6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comdlg32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2139633733.0000000008D4A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2116863682.0000000008712000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2227495299.0000000008712000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStubActivator\rsStubActivator\rsStubActivator\obj\Release\net462\rsStubActivator.pdb source: prod0.exe, 00000004.00000000.1813402829.000002A3CF932000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: WLDP.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2201559902.0000000009A5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsTime.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2112822903.00000000086DE000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151062995.00000000086DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2133387170.0000000007CF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: propsys.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2184312242.0000000009AB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2137865690.0000000008EFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009B99000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2155421442.0000000009B22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msctf.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228947878.0000000009B99000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2155421442.0000000009B22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\rsStubLib\obj\Release\rsStubLib.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2201075023.000001FA2F4B2000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: version.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2145426436.0000000008EDB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2112822903.00000000086D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ^Do not load external debug symbols like .PDB/.DBG files (Breaks tables that use these symbols) source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\git\cheat-engine\Cheat Engine\bin\lua53-64.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151918393.0000000008F11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ExplorerFrame.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197941230.00000000098B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2228662166.0000000007CEE000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CAD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: opengl32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2137865690.0000000008EF9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\ArchiveUtility\bin\Release\x64\ArchiveUtility.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\UnifiedStub\obj\Release\UnifiedStub.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: hhctrl.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2179075086.0000000009800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2194997737.00000000099C7000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2197941230.00000000099C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2220370244.0000000008594000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2116863682.0000000008712000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hhctrl.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: added an option to skip loading .PDB files source: CheatEngine75.exe, 0000000C.00000003.1882445843.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.2042781311.0000000002318000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.2031697249.0000000003781000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.2030897563.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.2031073742.00000000007D3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.1898011309.0000000003490000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.2035583319.00000000022D7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: rsLogger.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2185072195.000001FA16D82000.00000002.00000001.01000000.0000002A.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2186104264.000001FA16E9D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ole32.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2112822903.00000000086D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\rsStub\rsStub\rsStubRunner\rsStubRunner\bin\Release\x64\rsStubRunner.pdb source: 3yq4abxg.exe, 00000006.00000003.1871952838.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1871604014.0000000002A40000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.000000000326D000.00000004.00001000.00020000.00000000.sdmp, 3yq4abxg.exe, 00000006.00000003.1872499187.00000000032AE000.00000004.00001000.00020000.00000000.sdmp, Uninstall.exe, 0000001F.00000002.1971316751.00007FF62D7D6000.00000002.00000001.01000000.0000001B.sdmp, Uninstall.exe, 0000001F.00000000.1933226506.00007FF62D7D6000.00000002.00000001.01000000.0000001B.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000325D000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.000000000329E000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056875449.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2056593501.0000000002A30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb0 source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2173754543.00000000086EC000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2151062995.00000000086EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rsJSON.pdb source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3282773301.0000019B32872000.00000002.00000001.01000000.00000030.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: rsLogger.pdbx source: 3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2185072195.000001FA16D82000.00000002.00000001.01000000.0000002A.sdmp, UnifiedStub-installer.exe, 0000002D.00000002.2186104264.000001FA16E9D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2145426436.0000000008EE1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wsock32.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2178434787.0000000008EE7000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2128686001.0000000008EE7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2227495299.0000000008712000.00000004.00000020.00020000.00000000.sdmp, cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2117545096.0000000007CA2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: rsAtom.dll.6.dr, y6HIThX7g6QtDvHSgF.cs	.Net Code: Type.GetTypeFromHandle(ItqYB4NP8yUiw7DZ59.OYH5ev1b2hdXs(16777354)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(ItqYB4NP8yUiw7DZ59.OYH5ev1b2hdXs(16777271)),Type.GetTypeFromHandle(ItqYB4NP8yUiw7DZ59.OYH5ev1b2hdXs(16777320))})
Source: rsDatabase.dll.6.dr, jTQUkyXTEdtNfPRZPx.cs	.Net Code: Type.GetTypeFromHandle(CJI6ksmAfV9lqr5bFV.GWHS8jinbvjcW(16777351)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(CJI6ksmAfV9lqr5bFV.GWHS8jinbvjcW(16777267)),Type.GetTypeFromHandle(CJI6ksmAfV9lqr5bFV.GWHS8jinbvjcW(16777241))})
Source: rsJSON.dll.6.dr, J0mSrijoaAO8NrjmXU.cs	.Net Code: Type.GetTypeFromHandle(AxJR7gwIYi5tigmUJL.A4QdDAiOmqhGt(16777321)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(AxJR7gwIYi5tigmUJL.A4QdDAiOmqhGt(16777256)),Type.GetTypeFromHandle(AxJR7gwIYi5tigmUJL.A4QdDAiOmqhGt(16777283))})
Source: rsLogger.dll.6.dr, xyCh32lHTXMmjS3K4X.cs	.Net Code: Type.GetTypeFromHandle(CGR99NSNwbcs3tSKLm.ofp9h2cuSyFuc(16777338)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(CGR99NSNwbcs3tSKLm.ofp9h2cuSyFuc(16777258)),Type.GetTypeFromHandle(CGR99NSNwbcs3tSKLm.ofp9h2cuSyFuc(16777305))})

Binary contains a suspicious time stamp

Source: is-H8HA6.tmp.2.dr

Static PE information: 0xD49AEFA9 [Mon Jan 11 20:08:09 2083 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00F12B30 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,GetLastError,

5_2_00F12B30

PE file contains an invalid checksum

Source: 3yq4abxg.exe.4.dr	Static PE information: real checksum: 0x24d917 should be: 0x25040d
Source: is-H8HA6.tmp.2.dr	Static PE information: real checksum: 0x14f88 should be: 0x177e5
Source: botva2.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x15537
Source: zbShieldUtils.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x2053b1
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x2e0bb3

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Static PE information: section name: .didata
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp.0.dr	Static PE information: section name: .didata
Source: CheatEngine75.exe.2.dr	Static PE information: section name: .didata
Source: saBSI.exe.2.dr	Static PE information: section name: .didat
Source: 3yq4abxg.exe.4.dr	Static PE information: section name: .sxdata
Source: installer.exe.5.dr	Static PE information: section name: _RDATA
Source: ArchiveUtilityx64.dll.6.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2B746E pushad ; iretd	4_2_00007FFB4B2B749D
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2C520C push esi; iretd	4_2_00007FFB4B2C526E
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2C523F push esi; iretd	4_2_00007FFB4B2C526E
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2C3A67 push edi; iretd	4_2_00007FFB4B2C3AB6
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2B812B push ebx; ret	4_2_00007FFB4B2B816A
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2C5048 push esp; iretd	4_2_00007FFB4B2C5066
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2B3CD7 push edi; ret	4_2_00007FFB4B2B3D16
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2B3CC7 pushad ; ret	4_2_00007FFB4B2B3CD6
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2B749E push eax; iretd	4_2_00007FFB4B2B74AD
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Code function: 4_2_00007FFB4B2B3D17 push edi; ret	4_2_00007FFB4B2B3D26
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_0556C34E push esi; retf	5_3_0556C36F
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_0557131C push edi; iretd	5_3_0557131D
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_05570807 pushfd ; retf	5_3_05570808
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_0556F022 push esp; iretd	5_3_0556F023
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_05570182 push ss; ret	5_3_055701C0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_3_05572DA8 pushad ; ret	5_3_05572DAA
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F48DDB push ecx; ret	5_2_00F48DEE
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F77CFD push ecx; ret	5_2_00F77D12
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_00419800 push eax; ret	6_2_0041982E
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_004197D0 push eax; ret	6_2_004197EE
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Code function: 32_2_021B016B push es; iretd	32_2_021B0320
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Code function: 45_2_00007FFB4B2D00BD pushad ; iretd	45_2_00007FFB4B2D00C1
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Code function: 49_2_022002F8 push es; iretd	49_2_02200588

Source: rsAtom.dll.6.dr, ua2iaed2WgIibwVYdP.cs	High entropy of concatenated method names: 'Qw25evhhQyflM', 'wDeX7F7r7aA3CaPN4An', 'zWmIYA7jwK2TZ5GCpVM', 'RiHGOP77P5NTYjtp5OI', 'j1Htg3jSWVo0hgFJNki', 'I1AaBEjzuAPllcBc8Nj', 'Ppnwa87GoOthjYm31xt', 'XS0gJO71piY8YT7goA9', 'Gbi2Dq72UhYBeiYgLuP', 'd9MMpR7x86YMFXdvbQt'
Source: rsAtom.dll.6.dr, r7s327oS6DJve4RRwS.cs	High entropy of concatenated method names: 'qhYVAnvVC', 'qEfXMyfYI', 'PNNgJG6kG', 'kn6Mskxa2', 'c7QOhpDxfDJho77HjU', 'BCiUMWErQJ3Cmt1Uqw', 'wY5r2OLmavMloP27Hy', 'hLHCqRs2pBM7RcKT5S', 'fuEY9YbFqSP81Ys973', 'wSGnMLyQ7cdvpkOjF9'
Source: rsAtom.dll.6.dr, FRqWKxCamX1Hu3xVa9.cs	High entropy of concatenated method names: 'MoveNext', 'MoveNext', 'SetStateMachine', 'SetStateMachine', 'lep6xtjdJYfqmt8iC4I', 'A50NwdjNdtn2CGjcxU4', 'k4JFP2jkUjjDU94XnKB', 'okVLibj8XU16KLGUltu', 'xCwHtRjcObQDFAOD74I', 'pirSLgjJj0E77lCqDih'
Source: rsAtom.dll.6.dr, ItqYB4NP8yUiw7DZ59.cs	High entropy of concatenated method names: 'OYH5ev1b2hdXs', 'Lvc5ev14cA1gE', 'dVqEFZ7os1tmw5pINWY', 'yPYEbV7vXtamIehtjRa', 'oBmNIj70xCiy2c0fdhf', 'qW3VrP7dVk00fsDdN9P', 'KYLaqK7NGhqyfAwFX3B', 'dEh5oO7kCcZI2NTxikS'
Source: rsAtom.dll.6.dr, y6HIThX7g6QtDvHSgF.cs	High entropy of concatenated method names: 'SF403A7fAU9le23ZkQA', 've9QE079GrvEfQ9qUX3', 'nIDo0XmFpw', 'HcU3lm75m2v1j1fvlrp', 'B3ucZm7qFQhh0Ppt3KY', 'vtKur57DrKRg8MnlP6n', 'DJDSQ87EmRBp8756eGX', 'A6MXbx7LPfOcZF6Wlwp', 'QRr2aE7s2RxBffBS5eX', 'RjEeCj7bsNdUaV8FExD'
Source: rsAtom.dll.6.dr, AbstractAtomLogger.cs	High entropy of concatenated method names: 'DebugLog', 'Log', 'Log', 'r7so327S6', 'AddBaseFields', 'AddBaseField', 'SendToAtom', 'BJv4e4RRw', 'm5ND792vUyApHB0lSH', 'nHJtacxNTGRueEYuNP'
Source: rsAtom.dll.6.dr, FileAtomLogger.cs	High entropy of concatenated method names: 'pE6dnkjnkuu5XQTkq6y', 'bwlpQTjWLuWDtkJkoEG', 'LuBeA9jR14v213I1hm9', 'KfswKcjQ2GKlqSxT4d5', 'OH7cC7jlTyhj1Vh0JwC', 'Log', 'GetLogEntriesNum', 'StartFlushTimer', 'StopFlushTimer', 'Flush'
Source: rsAtom.dll.6.dr, uWI9QFDIorHq5kDSdx.cs	High entropy of concatenated method names: 'huu4E5RnKb', 'am94Pl6H3U', 'YjY4rq6Hbn', 'K0V4cPmABC', 'UVU42CAbO8', 'ilq4yZPd8w', 'Non4aifEa4', 'X1o4GpHMTV', 'T7c4Rmsqak', 'enx4xyVam4'
Source: rsDatabase.dll.6.dr, AbstractDatabase.cs	High entropy of concatenated method names: 'CreateCommand', 'QueryScalarStrict', 'Value', 'HwX4QGPaJ', 'QueryScalarInt', 'QueryScalarString', 'QueryInternal', 'QueryArrays', 'QueryTuples', 'QueryTuples'
Source: rsDatabase.dll.6.dr, Database.cs	High entropy of concatenated method names: 'IntegrityCheck', 'CreateTables', 'Transaction', 'GetDataSet', 'GetAllRows', 'GetRowWhere', 'GetRowsWhere', 'ExistsRowWhere', 'HasTable', 'HasColumn'
Source: rsDatabase.dll.6.dr, HwXQGP4aJfTjro772A.cs	High entropy of concatenated method names: 'BftS8jqqUFiZa', 'ouC0uH93C14OHdadeow', 'UcLMYi9XwaD7ME3kF1b', 'YcO1JU9FGnOSu9H3bo0', 'mKx7pG90lydPWs49gXQ', 'eahIYr9MXTlGNRQWqg8', 'MTN5Na9EeGZOaATtAEx', 'xyASQ59cb23xYp7Jr4w', 'rpnKES9dLC7MyiPqKlR', 'GonULa9S8nlSEeopnoh'
Source: rsDatabase.dll.6.dr, i0lCiA59BgeyIdeT9Y.cs	High entropy of concatenated method names: 'o78oTJEMpG', 'b4Vo7JxfLl', 'GwBojYjn4R', 'fIfo0EHFfC', 'RRYomaHPfD', 'dlColFx7Jw', 'l6moJOot5H', 'lOjoOpYgGR', 'Hcvo57jg5f', 'x0ionHZmrj'
Source: rsDatabase.dll.6.dr, jTQUkyXTEdtNfPRZPx.cs	High entropy of concatenated method names: 'oV6wYkl7TINa6DVpKX7', 'DnQrOSl9THgQGODdZK3', 'pFkoo4af47', 'FoQO7LlKbSlk32yWOl1', 'ajiP6Tlg2VPapXVZ8uh', 'XIj5uml6esmPZmQfeIg', 'FUnE81lW1NtDhQWpCgK', 'IJTlSblJW3Fu04fWXlN', 'sLcF9hlk4JKsnj700HM', 'UupT5ml2QJF9cM2Rrtf'
Source: rsJSON.dll.6.dr, J0mSrijoaAO8NrjmXU.cs	High entropy of concatenated method names: 'L13EmqMYwAQBQQuQp8O', 'JG8DwlMwNrfOttnpILW', 'x0xmepK9Vc', 'VK5bF2MbUUm8hJGB3XE', 'FON1ZKMonO41M94sboF', 'GY50I3MxPXY1tXfwGaJ', 'pgPNPiMeixJQWOnMZe2', 'kTvpMKMc5u87yfJOXY1', 'njkmYHMsh4vsLI6rLQE', 'WkwZeUMX1l3nYwZwPxn'
Source: rsJSON.dll.6.dr, J0Gi1W1X7HWJ2Nin4O.cs	High entropy of concatenated method names: 'eWXj7HWJ2', 'Add', 'Add', 'Equals', 'GetHashCode', 'ToString', 'ToString', 'Ams3oJraHppoTRrREcn', 'qKCcJYr5QoiZW7Jp6j5', 'YHlECyr4Zc1fLraXn0V'
Source: rsJSON.dll.6.dr, D4hYImSKfLcmbrNMIJ.cs	High entropy of concatenated method names: 'gQgalBdLmF', 'Rc5a7VT8g8', 'RsTahRp4uK', 'W5vaADwCgF', 'Fs9ayM2W5N', 'jJMaqlBdyx', 'bXWa0tpIPx', 'fEha6PpleN', 'a6Ka4GjKi9', 'PV9asEcorn'
Source: rsJSON.dll.6.dr, qWyTmNpppvREgWcHiH.cs	High entropy of concatenated method names: 'WAedDAQQbSuUp', 'iN7U5udzHO1h8AVWPtu', 'rB3o7dM8vVnWxFGlVtl', 'rcENBoM6bx1sGa50bUD', 'OG4uiLdRdiS1soUjR8K', 'Y22WOYdmVn3EAxAYkwd', 'a2EBmpMrkG0ie3n6OTE', 'PZiVUBMTGwYS9l6qWMC', 'TnM0UTMd1Op3Bd23Vlr', 'U4K0MmMMLPA5xVpsLHe'
Source: rsJSON.dll.6.dr, AxJR7gwIYi5tigmUJL.cs	High entropy of concatenated method names: 'A4QdDAiOmqhGt', 'LjDdDAiISygJk', 'IJS34xMAoUtsPADtrWe', 'eP0y8pMHInyexNW0IJC', 'v36GKBMFxOYoHQ0pUn1', 'q8OLAxMWD686cmdsqfX', 'hyCfEKMf5xTnTa7Fyte'
Source: rsJSON.dll.6.dr, JSONArray.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'MoveNext', '_003C_003Em__Finally1', 'Reset', 'GetEnumerator', 'GetEnumerator', 'Gvvwk0TBPg1Vsk9N1Th', 'ileAoPT0hygHKw7UVDb', 'vLc92JTGW2YFHxlB7j5'
Source: rsJSON.dll.6.dr, JSON2.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'MoveNext', 'Reset', 'GetEnumerator', 'GetEnumerator', 'z2lT7sTRBqNvyyu9i9O', 'XLn7VVTmDn8YrocMqMe', 'NPWuFyTnP5lc5vqleq6', 'GB7bPGTyL390jSddZy3'
Source: rsJSON.dll.6.dr, JSONBuilder.cs	High entropy of concatenated method names: 'Add', 'Add', 'Add', 'Add', 'Add', 'Add', 'Add', 'Add', 'Add', 'Add'
Source: rsJSON.dll.6.dr, JSONData.cs	High entropy of concatenated method names: 'ToString', 'V8bpeQvDE', 'aiPu9jpjD', 'ToString', 'Serialize', 'ThJoBd6fTkchDG3BCT2', 'iDwPu06v3oHT3yTgXeM', 'VroJTR6kphg46TPikOr', 'CASPQm6IcWocCXIJSfG', 'xeobLM6l2k5Mtee6URJ'
Source: rsJSON.dll.6.dr, JSONClass.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'MoveNext', '_003C_003Em__Finally1', 'Reset', 'GetEnumerator', 'GetEnumerator', 'os3Wk9TIqp0wfFwDQEG', 'yiL6FjTlsvaUAT7EhlX', 'n2NK4cTvoMnjnSaeXXN'
Source: rsJSON.dll.6.dr, JSONNode.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'MoveNext', 'Reset', 'GetEnumerator', 'GetEnumerator', 'HGpRKKTKocXg6ZeYvQW', 'zCiGpeTbvyxK2D9pnAs', 'av0TNMT1MqC3i1oNoPd', 'EZU2OYT2E9nCp85mnrZ'
Source: rsLogger.dll.6.dr, ViJ4rfNcxMOrLqjS0f.cs	High entropy of concatenated method names: 'WBogQyCh3', 'EO6jt43kZ', 'vHTsXMmjS', 'dK4kXPpQ2', 'auVP2g4ig', 'ggc6E01N7', 'LxvirwJUM', 'PhDZBcpo9osW88KCva', 'Se9cCJDwNJVrVV32uu', 'Rr77QIN3DqaqC2m7A7'
Source: rsLogger.dll.6.dr, LogzIOMemoryLogger.cs	High entropy of concatenated method names: 'ansJJudEQ1YnT3vsO3b', 'cXW5TGddLNb3BlqLqi3', 'QM9ei0dAuPfWZu33jFq', 'YZsdCIdyRspRqIrwaXO', 'Add', 'uR9NF9NNwb', 'TryFlush', 'Dispose', 'KsmMujEyWwWkdrx7c7n', 'PyI40XEdPohTkJJ0jWT'
Source: rsLogger.dll.6.dr, LogzIOLogger.cs	High entropy of concatenated method names: 'ELI6Q3E3cLBTQtkdFft', 'ajyWatEIAZW0LEo9abT', 'nBvWBBEHK5TH4abxxBN', 'fTgG8DEzHSvQIeUnhdI', 'p9cFovdVkmjPpk0SMNw', 'Add', 'AM5NCaba2B', 'itKNVpLK6o', 'TryFlush', 'Dispose'
Source: rsLogger.dll.6.dr, MultiLogger.cs	High entropy of concatenated method names: 'Add', 'Add', 'PQ0NQmIyDB', 'qsdN0DJ6CK', 'GetEnumerator', 'GetEnumerator', 'dTWykPE4sbfKR7KX3Wt', 'pKxiNGEhy7KgHqMe22k', 'lxWtQHEspTh9n7WVSQi', 'CWIw6SEgbS06k9h0M71'
Source: rsLogger.dll.6.dr, AbstractLogger.cs	High entropy of concatenated method names: 'fhD9kX7SE', 'CjZxeC4p2', 'EnableStackTrace', 'LogDebug', 'LogDebug', 'LogInfo', 'LogWarning', 'LogWarning', 'LogError', 'LogError'
Source: rsLogger.dll.6.dr, Event.cs	High entropy of concatenated method names: 'ToJSON', 'ToText', 'udmF6FWnI', 'tSISulqZQIhJ8ROSPR', 'UMT1KyC7xUoBaTfCry', 'MoVJuyodTihSUsWvO4', 'bpyem07oI0Fqp6uCDp', 'lE1hEAi8SDKRGNmnKw', 'uT97d4ZWWfK0nmPkYg', 'bL2xZmBmPNFV3V9xN7'
Source: rsLogger.dll.6.dr, LegacyLogger.cs	High entropy of concatenated method names: 'gtv99OEMqAWho2FjVEE', 'G6u15aEbMRtSqhBbZp1', 'eD677nEecDWppUw1D1s', 'Add', 'avDCCqQJ8tQbEFwAq3K', 'WEYMmoQx4MPjIAJXH2w', 'LC8oxwQqlwKcOtQAb9y', 'yg6HKsQCDpFT1ktVatZ', 'SVEnhnQoBVeUMNpQHBl', 'WkktUmQ7gWiaagQEcU9'
Source: rsLogger.dll.6.dr, nSuGBCAXy9vteo7WWm.cs	High entropy of concatenated method names: 'qXpFufuexy', 'DkNFUXXSP3', 'Ya29UDESlDL3WEMm23S', 'hyI5C6EnWHtU5YwqM5y', 'bAdIcEE0scwReASLx1i', 'BU1oc5E2oOB0cPfoPn5', 'g5ptAkEjfHErJDATrdO', 'W46yxQE5Rs5Z9nYLByi', 'PqOC5jEFKyPjLxbMx27', 'egkL4QEJ8VZVgN85s0K'
Source: rsLogger.dll.6.dr, siQvWVv73bTKJf6xq3.cs	High entropy of concatenated method names: 'kfV9h2GGHqCR8', 'iSLVvpdsEtw1F0EsBSb', 'oigxUZdgo73KuBROCHC', 'PZOLPNdULYDeLHGhGKJ', 'jtwVXldugxwGMp6FStX', 'ipHSYtd4KE9X86KCsAZ', 'zsNIpMdhGuwjWi7o8te', 'VRvr0ydK6Z96JS2PZ1A', 'qpfR2edXjIuDa9uGW5F', 'wJyYVRdk9nX0KNk76BO'
Source: rsLogger.dll.6.dr, ITw0wNPoZFWGKG4fLp.cs	High entropy of concatenated method names: 'W3MuDtMlAu', 'zCKuhstyJI', 'iPXuMUo4Dw', 'iR0uO0RUqD', 'wusuB0Uty3', 'GsZucQw0ID', 'gSIumE99pj', 'NHiu8TrBpp', 'JT1ud1JTIS', 'fyZuWDN9Jw'
Source: rsLogger.dll.6.dr, xyCh32lHTXMmjS3K4X.cs	High entropy of concatenated method names: 'bBTHJNdfpeRulNCgbZ4', 'gJqi3ldRieQT0VfAlUJ', 'BsDun8eZ8X', 'UCmSSgdn0NKBBLxgaeO', 'xIaVmQd0CpLvwo8ehU7', 'vrS7TXd5OfnCki5Qy9e', 'bPQ6P7dF2jFPHrDl1bI', 'zY9LsodJ0Ml9ONUkFjN', 'GjhYDodxI2ScvRtlyYj', 'SRrG6jdqCm4TBmhShuh'
Source: rsLogger.dll.6.dr, bMSWQC9MwGrsnVGV7s.cs	High entropy of concatenated method names: 'KZUbb4tZ9', 'kJl4ydNq0', 'Siyz5uRLS', 'O9yN88Qkn7TLEeRxANG', 'F5AoVXQ6Jrt05fxIZlb', 'KNtYFkQKTjI8WitKbXt', 'sBtBlpQXXkscAm3pORP', 'SDWJKdQTvjS9p7tXP78', 'HC84WSQwtc6aurpvuW7', 'FR5UaBQLvnP6OvRk3eq'
Source: rsLogger.dll.6.dr, ykX7SEucjZeC4p2b5g.cs	High entropy of concatenated method names: 'yKb1ngLoo', 'PCBYXlAD8', 'VlfXlQpi8', 'ENloRxQv3xEApasPTAh', 'rXofyeQmlEIE1F3JpKP', 'g0oxtlQadcaEA2G9bvM', 'slKI45QchpE4nkvXLPl', 'yXaj7OQ8WmVeGfH4m4A', 'IQHVRiQYFB8mDX4pqa4', 'clItFAQ1ajl3bE5GXD1'

Persistence and Installation Behavior

Drops PE files

Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsLogger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\botva2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-1HAUB.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\hu-HU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\el-GR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	File created: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win32\is-A3GKJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-6LSG2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win32\is-OH84O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\DotNetDataCollector64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\uninstall-dns.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release\CEPluginExample.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Users\user\AppData\Local\Temp\is-UC9I1.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\libipt-64.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-OQMOE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\nl-NL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-AUJ8A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\cheatengine-i386.exe (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\uninstall-vpn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-MUHHF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\uninstall-vpn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-A5OSQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\ced3d11hook64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-5DOON.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\tcc32-32-linux.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\gtutorial-i386.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-81GE3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\allochook-i386.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win32\is-7KKVU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-8G4IN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	File created: C:\Users\user\AppData\Local\Temp\nsqF14F.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-FC05A.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\nb-NO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\cs-CZ\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\DotNetInterface.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsSyncSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\tcc64-32-linux.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsSyncSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\pt-PT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\ro-RO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-SJKQD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\uninstall-epp.exe	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\Tutorial-x86_64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\el-GR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-ASU18.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\ko-KR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	File created: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\tr-TR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\ro-RO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\pt-PT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	File created: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\ced3d10hook64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\MonoDataCollector32.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\fil-PH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\hu-HU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win64\is-356FE.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\fr-FR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\UnifiedStub-installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-7NK6B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\tcc64-64-linux.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\it-IT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\libmikmod64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-PP0OR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\nl-NL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\luaclient-i386.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\hi-IN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\zh-CN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\gtutorial-x86_64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\clibs64\is-701OU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\ja-JP\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-04JI4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win64\is-HNC5I.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\da-DK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-BQRFH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-LR956.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\winhook-i386.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-RKO1I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\sk-SK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-O71KG.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\ru-RU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\fi-FI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\64\CEJVMTI.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\sv-SE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-TTU3J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\pt-PT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\ArchiveUtilityx64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\ceregreset.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-A30LA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\CEJVMTI.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\vi-VN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-AJB6K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\de-DE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\de-DE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\d3dhook64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win32\symsrv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	File created: C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\cs-CZ\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-PMK62.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	File created: C:\Users\user\AppData\Local\Temp\Stub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\pt-BR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\fi-FI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\hr-HR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0 (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	File created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release\is-QAU98.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\tcc64-aarch64-linux.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-9UL4R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\vehdebug-i386.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsSyncSvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\clibs32\is-AQQPT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-R767B.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\zbShieldUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\pt\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\uninstall-vpn.exe	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\it-IT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\clibs32\lfs.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\sk-SK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\fr-FR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\fil-PH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\pt\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\zh-TW\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsTime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\uninstall-epp.exe	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\es-ES\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\it-IT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\da-DK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win32\dbghelp.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\ru-RU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\uninstall-epp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsTime.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\fi-FI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-8HLKV.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\tr-TR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-7TSFI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\vi-VN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	File created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-KLETU.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\id-ID\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\uninstall-dns.exe	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\zh-TW\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\id-ID\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\tr-TR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsStubLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\sl-SI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\unins000.exe (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\ko-KR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\es-ES\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-RUAAP.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsStubLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\fil-PH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-MRM89.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win64\symsrv.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\pl-PL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\ced3d11hook.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\hr-HR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-IM0FE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-7DIKH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\nb-NO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\pl-PL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\th-TH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\libipt-32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\uninstall-dns.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-4H8E2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	File created: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\libmikmod32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-UD451.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\ja-JP\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\sv-SE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win64\is-F9V6M.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	File created: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\sl\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\is-H8HA6.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\pt\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-VADJ1.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\sl-SI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\sl-SI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\id-ID\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\sl\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\DotNetDataCollector32.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\hi-IN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-AATAN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsTime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\th-TH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsLogger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\ja-JP\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\CSCompiler.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\lua53-32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win64\dbghelp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\tcc64-64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\lua53-64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-ERBSE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-76J7R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\el-GR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\ru-RU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win64\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\sk-SK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\hu-HU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\es-ES\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-1U45L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsStubLib.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-BGU0I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\ArchiveUtilityx64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\speedhack-x86_64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	File created: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\ro-RO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\zh-TW\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\tcc32-32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\clibs64\lfs.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-JBLAJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-27N0B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\tcc64-32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-397QA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\hi-IN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\fr-FR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\d3dhook.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-QFQ4U.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\cs-CZ\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\is-5VCS0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-NNHHO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\pt-BR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\zh-CN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\ko-KR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\de-DE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsLogger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-L3GJI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\th-TH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\ced3d10hook.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	File created: C:\Users\user\AppData\Local\Temp\nsqF14F.tmp\WeatherZeroNSISPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\MonoDataCollector64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	File created: C:\Program Files (x86)\WeatherZero\uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\nb-NO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\pl-PL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	File created: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\hr-HR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\win32\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\sv-SE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\vi-VN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-MV96K.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\da-DK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\is-L37DV.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\ArchiveUtilityx64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\sl\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\nl-NL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\Program Files\Cheat Engine 7.5\autorun\dlls\64\is-0JUIF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\pt-BR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\zh-CN\UnifiedStub.resources.dll	Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UnifiedStub-installer.exe.log

Boot Survival

Installs Task Scheduler Managed Wrapper

Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	File created: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Microsoft.Win32.TaskScheduler.dll	Jump to behavior
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Microsoft.Win32.TaskScheduler.dll
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	File created: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Microsoft.Win32.TaskScheduler.dll

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Cheat Engine.lnk
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Cheat Engine (64-bit SSE4-AVX2).lnk
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Cheat Engine (64-bit).lnk
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Cheat Engine (32-bit).lnk
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Cheat Engine tutorial.lnk
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Cheat Engine tutorial (64-bit).lnk
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Cheat Engine help.lnk
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Kernel stuff
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Kernel stuff\Unload kernel module.lnk
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Reset settings.lnk
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Lua documentation.lnk
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cheat Engine 7.5\Uninstall Cheat Engine.lnk

Uses net.exe to stop services

Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp

Process created: C:\Windows\System32\net.exe "net" stop BadlionAntic

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

25_2_00007FF7824D4BB0

Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp

Process created: C:\Windows\System32\sc.exe "sc" delete BadlionAntic

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe

File opened: C:\Program Files\ReasonLabs\EPP\Uninstall.exe:Zone.Identifier read attributes | delete

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00F00540 EnterCriticalSection,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LeaveCriticalSection,

5_2_00F00540

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Uses cacls to modify the permissions of files

Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp

Process created: C:\Windows\System32\icacls.exe "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\CheatEngine75.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Memory allocated: 2A3CFC60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Memory allocated: 2A3E9800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Memory allocated: 19B32730000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Memory allocated: 19B4C060000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Memory allocated: 1FA15300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Memory allocated: 1FA2EDF0000 memory reserve \| memory write watch

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00ED4C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

5_2_00ED4C8E

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Window / User API: threadDelayed 1783	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Window / User API: threadDelayed 1075
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Window / User API: threadDelayed 741
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Window / User API: threadDelayed 425
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Window / User API: threadDelayed 4706
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Window / User API: threadDelayed 1924
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Window / User API: threadDelayed 691
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Window / User API: windowPlacementGot 1212

Found dropped PE file which has not been started or loaded

Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsLogger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\botva2.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-1HAUB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\hu-HU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\el-GR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win32\is-A3GKJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-6LSG2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\DotNetDataCollector64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win32\is-OH84O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\uninstall-dns.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release\CEPluginExample.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\libipt-64.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-OQMOE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\nl-NL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-AUJ8A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\cheatengine-i386.exe (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\uninstall-vpn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-MUHHF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\uninstall-vpn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-A5OSQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\ced3d11hook64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\gtutorial-i386.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\tcc32-32-linux.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-5DOON.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\allochook-i386.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-81GE3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win32\is-7KKVU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-8G4IN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF14F.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-FC05A.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\nb-NO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\cs-CZ\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\autorun\dlls\DotNetInterface.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\tcc64-32-linux.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\pt-PT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\ro-RO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-SJKQD.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\Tutorial-x86_64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\el-GR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\ko-KR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-ASU18.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\tr-TR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\ro-RO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\pt-PT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\ced3d10hook64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\autorun\dlls\MonoDataCollector32.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\fil-PH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\hu-HU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win64\is-356FE.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\fr-FR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-7NK6B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\it-IT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\tcc64-64-linux.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\libmikmod64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-PP0OR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\nl-NL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\zh-CN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\hi-IN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\luaclient-i386.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\gtutorial-x86_64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\clibs64\is-701OU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\ja-JP\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-04JI4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win64\is-HNC5I.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\da-DK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-LR956.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\winhook-i386.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-RKO1I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\sk-SK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-O71KG.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\ru-RU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\fi-FI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\autorun\dlls\64\CEJVMTI.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\sv-SE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\pt-PT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-TTU3J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\ArchiveUtilityx64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\ceregreset.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-A30LA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\CEJVMTI.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\vi-VN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-AJB6K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\de-DE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\de-DE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\d3dhook64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win32\symsrv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-PMK62.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\cs-CZ\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\pt-BR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\fi-FI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\hr-HR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release\is-QAU98.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\tcc64-aarch64-linux.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsJSON.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-9UL4R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\vehdebug-i386.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\clibs32\is-AQQPT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\zbShieldUtils.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\pt\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\uninstall-vpn.exe	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\it-IT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsDatabase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\clibs32\lfs.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\fr-FR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\sk-SK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\fil-PH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\pt\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsTime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\zh-TW\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\es-ES\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\it-IT\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\da-DK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win32\dbghelp.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\ru-RU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsTime.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\fi-FI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-8HLKV.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\tr-TR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-7TSFI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\vi-VN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\installer.exe	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\id-ID\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\uninstall-dns.exe	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\zh-TW\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\id-ID\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\tr-TR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsStubLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\sl-SI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\ko-KR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-RUAAP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\es-ES\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsStubLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\fil-PH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-MRM89.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\pl-PL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win64\symsrv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\hr-HR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\ced3d11hook.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-IM0FE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-7DIKH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\nb-NO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\pl-PL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\th-TH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\libipt-32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\uninstall-dns.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-4H8E2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WeatherZero\WeatherZero.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\libmikmod32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-UD451.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\ja-JP\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\sv-SE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win64\is-F9V6M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\sl\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\pt\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-VADJ1.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\sl-SI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\sl-SI\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\id-ID\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\sl\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\hi-IN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\DotNetDataCollector32.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-AATAN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsLogger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsTime.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\th-TH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\ja-JP\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\CSCompiler.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\lua53-32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win64\dbghelp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-ERBSE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-76J7R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\el-GR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win64\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\sk-SK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\ru-RU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\es-ES\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\hu-HU\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsJSON.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsStubLib.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-BGU0I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\ArchiveUtilityx64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\speedhack-x86_64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\ro-RO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsAtom.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\zh-TW\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\tcc32-32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\clibs64\lfs.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-JBLAJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-27N0B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-397QA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\hi-IN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\fr-FR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\d3dhook.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-QFQ4U.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\cs-CZ\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-NNHHO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\is-5VCS0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\zh-CN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\pt-BR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\ko-KR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\de-DE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsLogger.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-L3GJI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\th-TH\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\ced3d10hook.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF14F.tmp\WeatherZeroNSISPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\autorun\dlls\MonoDataCollector64.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WeatherZero\uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\nb-NO\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\pl-PL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll (copy)	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\hr-HR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\win32\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\sv-SE\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\vi-VN\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsJSON.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\da-DK\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\is-L37DV.tmp	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\ArchiveUtilityx64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Translations\sl\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\Translations\nl-NL\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\pt-BR\UnifiedStub.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Program Files\Cheat Engine 7.5\autorun\dlls\64\is-0JUIF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Stub.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\Translations\zh-CN\UnifiedStub.resources.dll	Jump to dropped file

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_5-98666

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Found large amount of non-executed APIs

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	API coverage: 4.7 %
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	API coverage: 8.6 %
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	API coverage: 9.0 %
Source: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	API coverage: 8.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp TID: 7892	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp TID: 7896	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp TID: 7892	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe TID: 7292	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe TID: 7292	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe TID: 5408	Thread sleep count: 1783 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe TID: 1824	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe TID: 3120	Thread sleep count: 1075 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe TID: 3120	Thread sleep count: 741 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe TID: 4136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe TID: 7680	Thread sleep count: 90 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe TID: 7680	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe TID: 1824	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe TID: 1824	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe TID: 4136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe TID: 5736	Thread sleep count: 425 > 30
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe TID: 5736	Thread sleep time: -212500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe TID: 7548	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe TID: 4844	Thread sleep time: -11765000s >= -30000s
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe TID: 4844	Thread sleep time: -1727500s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe

File opened: PhysicalDrive0

Jump to behavior

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File Volume queried: C:\Users\user\AppData\Local\Temp\is-H908U.tmp FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File Volume queried: C:\Users\user\AppData\Local\Temp\is-H908U.tmp FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F69BF0 FindFirstFileExW,	5_2_00F69BF0
Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe	Code function: 6_2_00404EC1 FindFirstFileW,	6_2_00404EC1
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Code function: 7_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	7_2_00405A19
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Code function: 7_2_004065CE FindFirstFileA,FindClose,	7_2_004065CE
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe	Code function: 7_2_004027AA FindFirstFileA,	7_2_004027AA
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 31_2_00007FF62D7CCA9C FindFirstFileExW,	31_2_00007FF62D7CCA9C
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00417980 CreateFileW,DeviceIoControl,FindFirstFileExW,FindClose,SetLastError,SetLastError,	38_2_00417980
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: 38_2_00417E10 FindFirstFileExW,FindClose,	38_2_00417E10

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00F32782 VirtualQuery,GetSystemInfo,

5_2_00F32782

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-H908U.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ps://www.opera.com/he/privacy","ctu":"https://www.opera.com/he/eula/computers","ov":100,"cbfo":true,"pv":"1.23","v":3,"x":3}},{"ad":{"n":"","f":"ZB_TotalSecurity_V4","o":"TotalSecurity_AV"},"ps":{"i":"TotalSecurity_AV/images/1127/V4/EN.png","dn":"360 Total Security","u":"TotalSecurity_AV/files/1127/ts360Setup.zip","p":"/s","r":["Microsoft\\Windows\\CurrentVersion\\Uninstall\\360TotalSecurity","360TotalSecurity","360Safe","VMware, Inc."],"cp":"https://www.360totalsecurity.com/en/privacy/","ctu":"https://www.360totalsecurity.com/en/license/","pv":"1.26","cbfo":true,"v":1}},{"ad":{"n":"","f":"ZB_Opera_re_V3","o":"Opera_reengaged"},"ps":{"i":"Opera/images/DOTPS-483/ENX
Source: prod0.exe, 00000004.00000002.3288281066.000002A3E9F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: cbUseDBVMDebugger
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: TDBVMDebugInterface.SetThreadContext
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: TDBVMDebugInterface
Source: UnifiedStub-installer.exe, 0000000B.00000002.3317370961.0000019B4C850000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: TDBVMDebugInterface.ContinueDebugEvent returning normal run
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: ;TDBVMDebugInterface.ContinueDebugEvent returning normal run
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ls\\CurrentVersion\\Uninstall\\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}","McAfee\\SiteAdvisor","McAfee\\WebAdvisor","Microsoft\\Windows\\CurrentVersion\\Uninstall\\McAfee Security Scan"],"rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"cp":"https://www.mcafee.com/consumer/en-us/policy/global/legal.html","ctu":"https://home.mcafee.com/Root/AboutUs.aspx?id=eula","pv":"1.26","ov":63,"ud":true,"v":4}},{"ad":{"n":"","f":"ZB_Norton_BRW","o":"AVG_BRW"},"ps":{"i":"NORTON_BRW/images/1494/547x280/EN.png","dn":"Norton Private Browser","u":"NORTON_BRW/files/1506/norton_secure_browser_setup.zip","p":"/s /make-default /run_source=\"norton_ppi_is\"","c":"norton","r":["AVG\\Browser\\Installed","AVASTSoftware\\Browser\\Installed","Avira\\Browser\\Installed","Norton\\Browser\\Installed","Piriform\\Browser\\Installed","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avira Security_is1","Microsoft\\Windows\\CurrentVersion\\Uninstall\\NGC"],"a":["Avira.Spotlight.Service"],"cp":"https://www.nortonlifelock.com/us/en/privacy/","ctu":"https://www.nortonlifelock.com/us/en/legal/license-services-agreement/","pv":"1.29","ov":100,"cbfo":true,"v":3}},{"ad":{"n":"","f":"ZB_WinZip","o":"Winzip19"},"ps":{"dn":"WinZip","i":"WinZip/images/905/EN.png","u":"WinZip/files/1292/winzip28-dci5.zip","p":"/qn","c":"reg","r":["Nico Mak Computing\\WinZip"],"cp":"https://www.winzip.com/win/en/privacy.html","ctu":"https://www.winzip.com/win/en/eula.html","win64":true,"ov":100,"cbfo":true,"pv":"1.23","v":6}},{"ad":{"n":9,"nn":"Med_Ntiles","f":"ZB_Avast","o":"AVAST"},"ps":{"i":"AVAST/images/DOTPS-1511/547X280/EN.png","dn":"Avast Antivirus","u":"AVAST/files/cookie_mmm_irs_ppi_005_888_a.zip","p":"/silent /ws /psh:{pxl}","rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"r":["AVAST Software\\Avast","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avast","Microsoft\\Windows\\CurrentVersion\\Uninstall\\Avast Antivirus","Microsoft\\Windows\\CurrentVersion\\Uninstall\\AVG Antivirus","Microsoft\\Windows\\CurrentVersion\\Uninstall\\{4CB91122-AA85-4431-953C-BEFAEC86DA97}_is1","WebBar","WebDiscoverBrowser","AVG\\Antivirus\\Version","AVG\\AV\\Dir"],"a":["AvastSvc","instup","AvastUI","AVGUI","avguix","AVGSvc","avgsvca"],"ctu":"https://www.avast.com/eula-avast-consumer-products","cp":"https://www.avast.com/privacy-policy","ov":61,"cbfo":true,"avauc":true,"avur":"AvUninstallTimestamp","pv":"1.29","x":12,"disk":2560,"ram":256,"iapp":["chrome.exe"],"v":1}},{"ad":{"n":"","f":"ZB_Opera_New_ISV","o":"Opera_new"},"ps":{"i":"Opera/images/DOTPS-717/NCB/EN.png","dn":"Opera","u":"Opera/files/AutoReplaced/OperaSetup.zip","p":"--silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a","c":"opera_new_a","a":["OperaSetup","OperaSetup.exe","OperaGXSetup.exe","OperaGXSetup"],"r":["Opera Software"],"cp":"https://www.opera.com/he/privacy","ctu":"https://www.opera.com/he/eula/computer
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: TDBVMDebugInterface.ContinueDebugEvent returning single step
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A54000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A54000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1994341662.0000000000795000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1995145479.0000000000795000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1995145479.000000000079C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: VMWare seems to be running. It's known that some versions of vmware will cause a BSOD in combination with intel IPT. Do you still want to use intel IPT?
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: cbDBVMDebugTriggerCOW
Source: prod0.exe, 00000004.00000002.3288281066.000002A3E9F94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: debughelper.rsvmwareisrunningiptbad
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: <TDBVMDebugInterface.ContinueDebugEvent returning single step
Source: UnifiedStub-installer.exe, 0000000B.00000002.3317370961.0000019B4C850000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: DBVMDebuggerInterface
Source: UnifiedStub-installer.exe, 0000002D.00000002.2175466681.000001FA15398000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WZSetup.exe33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-0D
Source: prod0.exe, 00000004.00000002.3288281066.000002A3E9F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: cbDBVMDebugTargetedProcessOnly
Source: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2463458065.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eat Engine is a tool designed to help you with modifying single player games without internet connection so you can make them harder or easier depending on your preference."ctp":"","cep":""},"f":{"m":3,"x":"2025-03-13T22:41:55.237Z","a":"cdc2","d":"89"},"o":[{"ad":{"n":"","f":"ZB_RAV_Cross_Tri_NCB","o":"RAV_Cross"},"ps":{"i":"RAV_Triple_NCB/images/DOTPS-855/EN.png","dn":"RAV, VPN by RAV, Online Security, Safer Web","u":"https://shield.reasonsecurity.com/rsStubActivator.exe","p":"-ip:\"dui={userid}&dit={sessionid}&is_silent=true&oc={of}&p={pubid}&a=100&b={ispb}&se=true\" -vp:\"dui={userid}&dit={sessionid}&oc={of}&p={pubid}&a=100&oip=26&ptl=7&dta=true\" -dp:\"dui={userid}&dit={sessionid}&oc={of}&p={pubid}&a=100\" -i -v -d -se=true","r":["ReasonVPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonVPN","RAVVPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\RAVVPN","ReasonLabs\\VPN","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-VPN","ReasonSaferWeb","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonSaferWeb","SaferWeb","Microsoft\\Windows\\CurrentVersion\\Uninstall\\SaferWeb","ReasonLabs\\DNS","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-DNS","ReasonUP","RAVAntivirus","Reason\\Reason Antivirus","ReasonLabs\\EPP","Microsoft\\Windows\\CurrentVersion\\Uninstall\\ReasonLabs-EPP","VMware, Inc."],"rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR_ARCHITECTURE\\ARM64"],"cmdu":[{"utr":"HKEY_CLASSES_ROOT","utk":"ReasonPersistentStorage","utvn":"AvUninstallTime","utvt":"SZ","umd":30,"utms":true}],"cp":"https://reasonlabs.com/policies","ctu":"https://reasonlabs.com/policies","win64":true,"pv":"1.26","disk":450,"fe":["{commonpf64}\\ReasonLabs\\EPP\\InstallerLib.dll","{commonpf64}\\RAVAntivirus\\AntivirusInstallerLib.dll","{commonpf64}\\RAVAntivirus\\AntivirusInstaller.exe"],"ov":100,"cbfo":true,"x":10,"v":1}},{"ad":{"n":"","f":"ZB_WebAdvisor_V3","o":"WebAdvisor"},"ps":{"i":"WebAdvisor/images/943/EN.png","dn":"McA
Source: prod0.exe, 00000004.00000002.3288281066.000002A3E9F94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:N
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: cbDBVMDebugKernelmodeBreaks
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: #debughelper.rsvmwareisrunningiptbad
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: DBVMDEBUGGERINTERFACE
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: dbvmdebuggerinterface.rsdbvmfunctionneedsdbvm
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: vmware-vmx.exe
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: picked debug register vmware-vmx.exe
Source: WZSetup.exe, 00000007.00000003.1994867793.000000000075E000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000002.1998170408.000000000075E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0ly%SystemRoot%\system32\mswsock.dll
Source: UnifiedStub-installer.exe, 0000000B.00000002.3317370961.0000019B4C850000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System ProductXUNMMG9AC52742-8547-84D6-5349-ECEC87A66D67VMware, Inc.None`
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: -dbvmdebuggerinterface.rsdbvmfunctionneedsdbvm
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: $TDBVMDebugInterface.SetThreadContext

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00F493F2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00F493F2

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00EE5110 RegOpenKeyExW,RegQueryValueExW,SetLastError,RegCloseKey,RegCloseKey,GetLastError,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,LoadLibraryExW,GetLastError,

5_2_00EE5110

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00ED4C8E GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

5_2_00ED4C8E

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00F77BC0 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

5_2_00F77BC0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00F12B30 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,GetLastError,

5_2_00F12B30

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F5E8FE mov eax, dword ptr fs:[00000030h]	5_2_00F5E8FE
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F67CF2 mov eax, dword ptr fs:[00000030h]	5_2_00F67CF2
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F67CAE mov eax, dword ptr fs:[00000030h]	5_2_00F67CAE
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F67C6A mov eax, dword ptr fs:[00000030h]	5_2_00F67C6A
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F67D23 mov eax, dword ptr fs:[00000030h]	5_2_00F67D23
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_01099D02 mov eax, dword ptr fs:[00000030h]	33_2_01099D02
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_0109433F mov eax, dword ptr fs:[00000030h]	33_2_0109433F

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00ED463F GetProcessHeap,

5_2_00ED463F

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process token adjusted: Debug
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F49018 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00F49018
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F493F2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00F493F2
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F4D453 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00F4D453
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: 5_2_00F49586 SetUnhandledExceptionFilter,	5_2_00F49586
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF78253E3BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FF78253E3BC
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: 25_2_00007FF782532A10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FF782532A10
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 31_2_00007FF62D7CA23C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_00007FF62D7CA23C
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 31_2_00007FF62D7C42B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_00007FF62D7C42B0
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 31_2_00007FF62D7C41CC SetUnhandledExceptionFilter,	31_2_00007FF62D7C41CC
Source: C:\Program Files\ReasonLabs\EPP\Uninstall.exe	Code function: 31_2_00007FF62D7C4028 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_00007FF62D7C4028
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_0108D11E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_0108D11E
Source: C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	Code function: 33_2_01092603 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_01092603
Source: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	Code function: 39_2_0040DEC0 SetUnhandledExceptionFilter,	39_2_0040DEC0
Source: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	Code function: 39_2_0040DED0 SetUnhandledExceptionFilter,	39_2_0040DED0
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_004117F0 SetUnhandledExceptionFilter,	46_2_004117F0
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: 46_2_00411810 SetUnhandledExceptionFilter,	46_2_00411810

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe

NtQueryInformationProcess: Indirect: 0x7FFBA216C34D

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true CountryCode=US	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe "C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe" /S /tpchannelid=1571 /distid=App123	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Process created: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe "C:\Users\user\AppData\Local\Temp\3yq4abxg.exe" /silent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Process created: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-UC9I1.tmp\_isetup\_setup64.tmp helper 105 0x44C
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop BadlionAntic
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 stop BadlionAnticheat
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Process created: C:\Users\user\AppData\Local\Temp\Stub.exe "C:\Users\user\AppData\Local\Temp\Stub.exe" /products=epp /auto-repair=UnifiedStub
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Process created: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
Source: C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe	Process created: unknown unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe "c:\users\user\appdata\local\temp\is-h908u.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&is_silent=true&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100" -i -v -d -se=true
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe "c:\users\user\appdata\local\temp\is-h908u.tmp\prod0.exe" -ip:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&is_silent=true&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&b=&se=true" -vp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&oc=zb_rav_cross_tri_ncb&p=cdc2&a=100" -i -v -d -se=true			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UC9I1.tmp\_isetup\_setup64.tmp

Code function: 24_2_0000000140001000 GetNamedSecurityInfoW,AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW,LocalFree,FreeSid,LocalFree,GetLastError,

24_2_0000000140001000

Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: Shell_TrayWnd
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2122434367.0000000008896000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: ToolbarWindow32Shell_TrayWnd
Source: cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000003.2122434367.0000000008896000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00F49215 cpuid

5_2_00F49215

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: GetLocaleInfoW,	5_2_00F645DA
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_2_00F6C65F
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: EnumSystemLocalesW,	5_2_00F6C9ED
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: EnumSystemLocalesW,	5_2_00F6C952
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: EnumSystemLocalesW,	5_2_00F6C907
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_00F6CA80
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: GetLocaleInfoW,	5_2_00F6CCE0
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_00F6CE06
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00F6CFDB
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: GetLocaleInfoW,	5_2_00F6CF0C
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: GetLocaleInfoEx,	5_2_00F47E28
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe	Code function: EnumSystemLocalesW,	5_2_00F63F6D
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	25_2_00007FF78255CC00
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: GetLocaleInfoEx,_invalid_parameter_noinfo_noreturn,	25_2_00007FF7824E9C90
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: GetLocaleInfoEx,_invalid_parameter_noinfo_noreturn,	25_2_00007FF7824FFC30
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: EnumSystemLocalesW,	25_2_00007FF78255C514
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: EnumSystemLocalesW,	25_2_00007FF78254FCC0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	25_2_00007FF78255C1B8
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,GetLocaleInfoEx,OutputDebugStringW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	25_2_00007FF7824E89D0
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: GetLocaleInfoW,	25_2_00007FF782550258
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	25_2_00007FF78255CA1C
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: GetLocaleInfoEx,	25_2_00007FF782531AEC
Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	Code function: EnumSystemLocalesW,	25_2_00007FF78255C5E4
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: GetLocaleInfoA,	38_2_00417F50
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: GetThreadLocale,GetLocaleInfoA,EnumCalendarInfoA,EnumCalendarInfoA,	38_2_004180C0
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: GetThreadLocale,GetLocaleInfoA,EnumCalendarInfoA,EnumCalendarInfoA,	38_2_004180BF
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: GetLocaleInfoHelper,	38_2_0040B3D0
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	38_2_00417E9F
Source: C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	38_2_00417EB0
Source: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	Code function: GetLocaleInfoA,	39_2_0041F060
Source: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	Code function: GetLocaleInfoA,	39_2_0041F0C0
Source: C:\Program Files\Cheat Engine 7.5\windowsrepair.exe	Code function: GetThreadLocale,GetLocaleInfoA,EnumCalendarInfoA,EnumCalendarInfoA,	39_2_0041F230
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: GetLocaleInfoA,	46_2_0042C210
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: GetLocaleInfoA,	46_2_0042C270
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: GetThreadLocale,GetLocaleInfoA,EnumCalendarInfoA,EnumCalendarInfoA,	46_2_0042C660
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: GetLocaleInfoW,	46_2_0041F730
Source: C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe	Code function: GetLocaleInfoW,	46_2_0041F7A0

Queries the product ID of Windows

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\logo.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\RAV_Cross.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\WebAdvisor.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\WeatherZero.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\finish.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsStubLib.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsLogger.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsJSON.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsAtom.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\Microsoft.Win32.TaskScheduler.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsStubLib.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\UnifiedStub-installer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsLogger.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Code function: 5_2_00F64619 GetSystemTimeAsFileTime,

5_2_00F64619

Source: C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Code function: 25_2_00007FF782556850 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

25_2_00007FF782556850

Source: C:\Users\user\AppData\Local\Temp\3yq4abxg.exe

Code function: 6_2_00401964 GetVersionExW,

6_2_00401964

Source: C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Adds / modifies Windows certificates

Source: C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod1_extract\saBSI.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 32.3.Stub.exe.2ea9f48.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2ee1058.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UnifiedStub-installer.exe.19b4c9d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UnifiedStub-installer.exe.19b32870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2ee1058.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2eb9f48.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.UnifiedStub-installer.exe.1fa16d80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2ed1058.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2eb9f48.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2e64ca4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2ee1058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2eb9f48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2eb9f48.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2ea9f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2ed1058.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2ee1058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2e54ca4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2e40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2e64ca4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2e40000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2e30000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2185072195.000001FA16D82000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2186104264.000001FA16E9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3319865235.0000019B4C9D2000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3282773301.0000019B32872000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000003.2235185447.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsTime.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsLogger.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsLogger.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsTime.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsTime.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsLogger.dll, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\UnifiedStub-installer.exe

File opened: C:\Users\user\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 32.3.Stub.exe.2ea9f48.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2ee1058.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UnifiedStub-installer.exe.19b4c9d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UnifiedStub-installer.exe.19b32870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2ee1058.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2eb9f48.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.UnifiedStub-installer.exe.1fa16d80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2ed1058.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2eb9f48.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2e64ca4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2ee1058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2eb9f48.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2eb9f48.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2ea9f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2ed1058.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2ee1058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2e54ca4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.3.Stub.exe.2e40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2e64ca4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.3yq4abxg.exe.2e40000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.3.Stub.exe.2e30000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002D.00000002.2185072195.000001FA16D82000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2186104264.000001FA16E9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3319865235.0000019B4C9D2000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3282773301.0000019B32872000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000003.2235185447.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsTime.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsLogger.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsAtom.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsLogger.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS8CE1A82F\rsJSON.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsTime.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsTime.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS4C6B60DE\rsDatabase.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS87E99B6F\rsLogger.dll, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
1 Software	Acquire Infrastructure	1 Valid Accounts	11 Windows Management Instrumentation	1 LSASS Driver	1 Abuse Elevation Control Mechanism	21 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	131 Native API	1 DLL Side-Loading	1 LSASS Driver	11 Deobfuscate/Decode Files or Information	11 Input Capture	3 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Valid Accounts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	168 System Information Discovery	SMB/Windows Admin Shares	11 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	26 Windows Service	1 Valid Accounts	2 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	1 Clipboard Data	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	23 Service Execution	11 Scheduled Task/Job	11 Access Token Manipulation	1 Software Packing	LSA Secrets	61 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Registry Run Keys / Startup Folder	26 Windows Service	1 Timestomp	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	1 Services File Permissions Weakness	12 Process Injection	1 DLL Side-Loading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	11 Scheduled Task/Job	3 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	1 Registry Run Keys / Startup Folder	1 Valid Accounts	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	1 Services File Permissions Weakness	1 Modify Registry	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	151 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	11 Access Token Manipulation	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	12 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Hidden Files and Directories	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood
Identify Business Tempo	Botnet	Hardware Additions	Python	Hypervisor	Process Injection	1 Services File Permissions Weakness	Credential API Hooking	Domain Groups	Exploitation of Remote Services	Remote Email Collection	External Proxy	Transfer Data to Cloud Account	Reflection Amplification

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	47%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	100%	Avira	PUA/OfferCore.Gen

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\WeatherZero\WeatherZero.exe	0%	ReversingLabs
C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe	3%	ReversingLabs
C:\Program Files (x86)\WeatherZero\uninstall.exe	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\CSCompiler.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\DotNetDataCollector32.exe (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\DotNetDataCollector64.exe (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\Tutorial-x86_64.exe (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\allochook-i386.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\CEJVMTI.dll (copy)	3%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\autorun\dlls\32\is-5VCS0.tmp	3%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\autorun\dlls\64\CEJVMTI.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\autorun\dlls\64\is-0JUIF.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\autorun\dlls\DotNetInterface.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\autorun\dlls\MonoDataCollector32.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\autorun\dlls\MonoDataCollector64.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-397QA.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-BGU0I.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-UD451.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\ced3d10hook.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\ced3d10hook64.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\ced3d11hook.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\ced3d11hook64.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\ceregreset.exe (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\cheatengine-i386.exe (copy)	8%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\clibs32\is-AQQPT.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\clibs32\lfs.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\clibs64\is-701OU.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\clibs64\lfs.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\d3dhook.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\d3dhook64.dll (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\gtutorial-i386.exe (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\gtutorial-x86_64.exe (copy)	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-04JI4.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-1HAUB.tmp	8%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-1U45L.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-27N0B.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-4H8E2.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-5DOON.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-6LSG2.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-76J7R.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-7DIKH.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-7NK6B.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-7TSFI.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-81GE3.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-8G4IN.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-8HLKV.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-9UL4R.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-A30LA.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-A5OSQ.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-AATAN.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-AJB6K.tmp	3%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-ASU18.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-AUJ8A.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-BQRFH.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-ERBSE.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-FC05A.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-IM0FE.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-JBLAJ.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-KLETU.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-L37DV.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-L3GJI.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-LR956.tmp	0%	ReversingLabs
C:\Program Files\Cheat Engine 7.5\is-MRM89.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
https://sadownload.mcafee.com/n	0%	Avira URL Cloud	safe
https://www.reasonsecurity.com/safer-web/privacy-policy?utm_source=reason_safer_web_installer	0%	Avira URL Cloud	safe
https://reasonlabs.com/policiesiveEventeatherZero/images/969/EN.pngzipam	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/l	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/e	0%	Avira URL Cloud	safe
https://shield.reasonsecurity.com/rsStubActivator.exe/	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/o	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.png	0%	Avira URL Cloud	safe
https://home.mcafee.com/Root/AboutUs.aspx?id=eula	0%	Avira URL Cloud	safe
https://shield.reasonsecurity.com/	0%	Avira URL Cloud	safe
https://localweatherfree.com/	0%	Avira URL Cloud	safe
https://www.premieropinion.com/common/termsofservice-v1	0%	Avira URL Cloud	safe
https://cheatengine.org/latestversion.txt	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/?	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/products/sa/bsi/win/binary/	0%	Avira URL Cloud	safe
https://beta.reasonlabs.com/contact-us?prod=2&utm_source=vpn_uninstall&utm_medium=home_contact_suppo	0%	Avira URL Cloud	safe
https://analytics.apis.mcafee.com:443/mosaic/2.0/product-web/am/v1/recordps://sadownload.mcafee.com/	0%	Avira URL Cloud	safe
https://www.mcafee.com/consumer/v/wa-how.htmlL	0%	Avira URL Cloud	safe
https://localweatherfree.com/forecastdT	0%	Avira URL Cloud	safe
https://www.360totalsecurity.com/en/license/Z	0%	Avira URL Cloud	safe
https://reasonlabs.com/policiesr	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/products/SA/BSI/bsi_abtest.xml	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/5	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/0	0%	Avira URL Cloud	safe
https://reasonlabs.com/policiesq	0%	Avira URL Cloud	safe
https://reasonlabs.com/platform/packages/essential?utm_source=rav_uninstall&utm_medium=home_website_	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pnge	0%	Avira URL Cloud	safe
https://cheatengine.org/dbkerror.phpopen	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pngipe	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pngc	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml	0%	Avira URL Cloud	safe
https://localweatherfree.com/forecastLnCZyJIT3VIHOjglwhzNosGx/9V1OxmW	0%	Avira URL Cloud	safe
https://shield.reasonsecurity.com/ReasonLabs-Setup-Wizard.exe	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pngzip	0%	Avira URL Cloud	safe
https://localweatherfree.com/forecasttJ	0%	Avira URL Cloud	safe
https://www.winzip.com/win/en/privacy.html	0%	Avira URL Cloud	safe
https://www.mcafee.com/consumer/en-us/policy/	0%	Avira URL Cloud	safe
https://www.mcafee.com/consumer/v/wa-how.htmlf	0%	Avira URL Cloud	safe
https://www.opera.com/he/eula/computers	0%	Avira URL Cloud	safe
https://www.avg.com/ww-en/eulaM	0%	Avira URL Cloud	safe
https://www.winzip.com/win/en/privacy.htmlc	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip	0%	Avira URL Cloud	safe
https://localweatherfree.com/forecast32	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/products/SA/v1/installer/4.1.1/914/	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.png	0%	Avira URL Cloud	safe
https://www.mcafee.com/consumer/v/wa-how.htmlW	0%	Avira URL Cloud	safe
https://localweatherfree.com/forecastt&	0%	Avira URL Cloud	safe
https://localweatherfree.com/E	0%	Avira URL Cloud	safe
https://update.reasonsecurity.com/v2/update	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml/	0%	Avira URL Cloud	safe
https://analytics.apis.mcafee.comhttps://analytics.qa.apis.mcafee.com/mosaic/2.0/product-web/am/v1/r	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xmlB	0%	Avira URL Cloud	safe
https://reasonlabs.com/policiesrivacy-policyisor/files/1489/saBSI.zip	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pnga	0%	Avira URL Cloud	safe
https://www.cheatengine.org/	0%	Avira URL Cloud	safe
https://shield.reasonsecurity.com	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/files/969/WZSetup.zip	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/o	0%	Avira URL Cloud	safe
https://update.reasonsecurity.com/v2/live	0%	Avira URL Cloud	safe
https://analytics.apis.mcafee.com/	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/products/SA/v1/bsi	0%	Avira URL Cloud	safe
https://www.mcafee.com/consumer/en-us/policy/legal.htmlD	0%	Avira URL Cloud	safe
https://www.premieropinion.	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pngc	0%	Avira URL Cloud	safe
https://shield.reasonsecurity.com/rsStubActivator.exeles/969/WZSetup.zip	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/files/969/WZSetup.zip2yhVX	0%	Avira URL Cloud	safe
https://github.com/dahall/taskscheduler	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/products/sa/bsi/win/binary	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/x	0%	Avira URL Cloud	safe
https://www.winzip.com/win/en/eula.html	0%	Avira URL Cloud	safe
https://www.reasonsecurity.com/vpn/terms?utm_source=reason_vpn_installer	0%	Avira URL Cloud	safe
https://www.patreon.com/cheatengineopenhttps://cheatengine.org/http://forum.cheatengine.org/	0%	Avira URL Cloud	safe
https://update-beta.reasonsecurity.com/v2/live	0%	Avira URL Cloud	safe
https://webcompanion.com/termsP	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/products/SA/BSI/Win/binary/4.1.0/update_bsi_self.xml/	0%	Avira URL Cloud	safe
https://www.nortonlifelock.com/us/en/legal/license-services-agreement/G	0%	Avira URL Cloud	safe
https://cheatengine.org/microtransaction.php?action=buy&amount=	0%	Avira URL Cloud	safe
https://system.data.sqlite.org/X	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pngzipam	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/	0%	Avira URL Cloud	safe
http://www.cheatengine.org/?referredby=CE%.2f	0%	Avira URL Cloud	safe
https://update-beta.reasonsecurity.com/v2/update	0%	Avira URL Cloud	safe
https://reasonlabs.com/policies	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/	0%	Avira URL Cloud	safe
https://d3cored83b0wp2.cloudfront.net/zbd	0%	Avira URL Cloud	safe
https://reasonlabs.com/policiesrivacy-policy88e10f08e18ca857b7883846325fInstaller_IC201102_ISV.zip	0%	Avira URL Cloud	safe
https://update.reasonsecurity.com/v2/livelive	0%	Avira URL Cloud	safe
https://www.avast.com	0%	Avira URL Cloud	safe
http://d14mh4uvqj4iiz.cloudfront.net	0%	Avira URL Cloud	safe
https://sadownload.mcafee.com/products/SA/BSI/bsi_PaidDistribution.xml	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mosaic-orio.apis.mcafee.com	35.162.225.150	true	false	unknown
cheatengine.org	104.20.94.94	true	false	unknown
d3cored83b0wp2.cloudfront.net	18.173.206.112	true	false	unknown
localweatherfree.com	188.114.96.3	true	false	unknown
d14mh4uvqj4iiz.cloudfront.net	18.172.112.34	true	false	unknown
atom-production-collector-cyber-224812358.us-east-1.elb.amazonaws.com	3.230.219.225	true	false	unknown
shield.reasonsecurity.com	unknown	unknown	false	unknown
analytics.apis.mcafee.com	unknown	unknown	false	unknown
track.analytics-data.io	unknown	unknown	false	unknown
sadownload.mcafee.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://d3cored83b0wp2.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.png	false	Avira URL Cloud: safe	unknown
https://cheatengine.org/latestversion.txt	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.png	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/o	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/files/969/WZSetup.zip	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/zbd	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reasonlabs.com/policiesiveEventeatherZero/images/969/EN.pngzipam	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reasonsecurity.com/safer-web/privacy-policy?utm_source=reason_safer_web_installer	3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/e	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sadownload.mcafee.com/o	saBSI.exe, 00000005.00000003.1894003745.000000000320F000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/n	saBSI.exe, 00000005.00000003.1931266022.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://home.mcafee.com/Root/AboutUs.aspx?id=eula	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172217386.0000000004E71000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xml/	saBSI.exe, 00000005.00000003.1895622893.00000000054D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sadownload.mcafee.com/l	saBSI.exe, 00000005.00000003.1895689100.000000000320D000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shield.reasonsecurity.com/rsStubActivator.exe/	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1844139575.0000000004EED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1864310516.0000000004EED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shield.reasonsecurity.com/	prod0.exe, 00000004.00000002.3283145627.000002A3D1801000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://localweatherfree.com/	WZSetup.exe, 00000007.00000003.1994178474.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000002.1998636294.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1994867793.000000000075E000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1922914800.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1947310455.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000002.1998170408.000000000075E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.premieropinion.com/common/termsofservice-v1	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006D36000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://analytics.apis.mcafee.com:443/mosaic/2.0/product-web/am/v1/recordps://sadownload.mcafee.com/	saBSI.exe, 00000005.00000003.2570621559.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571183671.00000000054F9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/sa/bsi/win/binary/	saBSI.exe, 00000005.00000003.1975165861.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442104275.00000000054EE000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2570621559.00000000054EE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://beta.reasonlabs.com/contact-us?prod=2&utm_source=vpn_uninstall&utm_medium=home_contact_suppo	3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/?	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://localweatherfree.com/forecastdT	WZSetup.exe, 00000007.00000003.1907678051.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.360totalsecurity.com/en/license/Z	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2171737967.00000000009E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.remobjects.com/ps	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1405939759.0000000002670000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1407943952.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000000.1409808513.0000000000401000.00000020.00000001.01000000.00000004.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000000.1892916012.0000000000401000.00000020.00000001.01000000.00000018.sdmp	false	URL Reputation: safe	unknown
https://www.mcafee.com/consumer/v/wa-how.htmlL	saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reasonlabs.com/policiesr	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/SA/BSI/bsi_abtest.xml	saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442104275.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451927696.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1931229204.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003213000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1882145312.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571183671.00000000054D9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003210000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.000000000320E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893560349.0000000003212000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reasonlabs.com/policiesq	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.innosetup.com/	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1405939759.0000000002670000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe, 00000000.00000003.1407943952.000000007FB70000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000000.1409808513.0000000000401000.00000020.00000001.01000000.00000004.sdmp, CheatEngine75.exe, 0000000C.00000003.1884318482.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 0000000C.00000003.1888165639.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000000.1892916012.0000000000401000.00000020.00000001.01000000.00000018.sdmp	false	URL Reputation: safe	unknown
https://cheatengine.org/dbkerror.phpopen	cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/5	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/0	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pngipe	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reasonlabs.com/platform/packages/essential?utm_source=rav_uninstall&utm_medium=home_website_	3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	prod0.exe, 00000004.00000002.3283145627.000002A3D1801000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pnge	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1864310516.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2124115026.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2150822703.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2463662036.0000000004EAC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WebAdvisor/images/943/EN.pngc	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://localweatherfree.com/forecastLnCZyJIT3VIHOjglwhzNosGx/9V1OxmW	WZSetup.exe, 00000007.00000003.1992384218.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml	saBSI.exe, 00000005.00000003.2441868888.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451927696.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003213000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1882145312.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003210000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571518040.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893560349.0000000003212000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.winzip.com/win/en/privacy.html	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pngzip	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shield.reasonsecurity.com/ReasonLabs-Setup-Wizard.exe	prod0.exe, 00000004.00000002.3283145627.000002A3D1801000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avast.com/eula#pc	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2456178236.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172039331.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2460450691.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://localweatherfree.com/forecasttJ	WZSetup.exe, 00000007.00000003.1947310455.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.mcafee.com/consumer/en-us/policy/	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006D27000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.mcafee.com/consumer/v/wa-how.htmlf	saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avg.com/ww-en/eulaM	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.opera.com/he/eula/computers	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.winzip.com/win/en/privacy.htmlc	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2171737967.00000000009E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://localweatherfree.com/forecast32	WZSetup.exe, 00000007.00000003.1922914800.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/SA/v1/installer/4.1.1/914/	saBSI.exe, 00000005.00000003.2441980925.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975037735.000000000320C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.mcafee.com/consumer/v/wa-how.htmlW	saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://update.reasonsecurity.com/v2/update	3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3283444796.0000019B3408C000.00000004.00000800.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://localweatherfree.com/forecastt&	WZSetup.exe, 00000007.00000003.1907678051.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	WZSetup.exe, WZSetup.exe, 00000007.00000000.1865545320.000000000040A000.00000008.00000001.01000000.00000012.sdmp, WZSetup.exe, 00000007.00000002.1995533666.000000000040A000.00000004.00000001.01000000.00000012.sdmp, WZSetup.exe, 00000007.00000003.1994147598.0000000002841000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://localweatherfree.com/E	WZSetup.exe, 00000007.00000003.1907678051.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, WZSetup.exe, 00000007.00000003.1922914800.00000000007AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/SA/BSI/bsi_DistributionRules.xmlB	saBSI.exe, 00000005.00000003.1931266022.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd	CheatEngine75.tmp, 0000000D.00000003.2017396988.00000000054D0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://analytics.apis.mcafee.comhttps://analytics.qa.apis.mcafee.com/mosaic/2.0/product-web/am/v1/r	saBSI.exe, 00000005.00000002.2582593680.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp, saBSI.exe, 00000005.00000000.1845266666.0000000000F8E000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/SA/BSI/bsi_PartnerDistribution.xml/	saBSI.exe, 00000005.00000003.1893113809.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003228000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reasonlabs.com/policiesrivacy-policyisor/files/1489/saBSI.zip	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172039331.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pnga	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2455203792.0000000000A2A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shield.reasonsecurity.com	prod0.exe, 00000004.00000002.3283145627.000002A3D18DC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cheatengine.org/	CheatEngine75.exe, 0000000C.00000003.2042781311.00000000023A1000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 0000000D.00000003.2035583319.00000000023B1000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://update.reasonsecurity.com/v2/live	rsSyncSvc.exe, 0000001E.00000002.3266265212.00000245547B0000.00000004.00000020.00020000.00000000.sdmp, rsSyncSvc.exe, 0000001E.00000002.3266265212.00000245547B7000.00000004.00000020.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://analytics.apis.mcafee.com/	saBSI.exe, 00000005.00000002.2583025617.000000000314E000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/SA/v1/bsi	saBSI.exe, 00000005.00000003.2442104275.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1931229204.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571183671.00000000054D9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975835833.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.mcafee.com/consumer/en-us/policy/legal.htmlD	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A61000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.premieropinion.	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2159882150.0000000006CB9000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pngc	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shield.reasonsecurity.com/rsStubActivator.exeles/969/WZSetup.zip	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2172039331.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/files/969/WZSetup.zip2yhVX	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dahall/taskscheduler	3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000002.3321945122.0000019B4CE52000.00000002.00000001.01000000.00000032.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/sa/bsi/win/binary	saBSI.exe, 00000005.00000003.2442104275.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1931229204.00000000054D6000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2571183671.00000000054D9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1975165861.00000000054D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/x	saBSI.exe, 00000005.00000003.1931266022.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.winzip.com/win/en/eula.html	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2171737967.00000000009E0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2154832567.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reasonsecurity.com/vpn/terms?utm_source=reason_vpn_installer	3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://webcompanion.com/termsP	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000A79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://update-beta.reasonsecurity.com/v2/live	3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.patreon.com/cheatengineopenhttps://cheatengine.org/http://forum.cheatengine.org/	cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/SA/BSI/Win/binary/4.1.0/update_bsi_self.xml/	saBSI.exe, 00000005.00000003.1893113809.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1974949012.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2451252709.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2441868888.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1895689100.0000000003228000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1927510273.0000000003228000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://system.data.sqlite.org/X	3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nortonlifelock.com/us/en/legal/license-services-agreement/G	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2151300458.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2125493265.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cheatengine.org/microtransaction.php?action=buy&amount=	cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1863363539.0000000004F35000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.2059425218.0000000006A07000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://d3cored83b0wp2.cloudfront.net/f/WeatherZero/images/969/EN.pngzipam	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d3cored83b0wp2.cloudfront.net/	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1578782739.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508931587.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cheatengine.org/?referredby=CE%.2f	cheatengine-x86_64-SSE4-AVX2.exe, 0000002F.00000000.2098562119.0000000000CBF000.00000002.00000001.01000000.00000022.sdmp	false	Avira URL Cloud: safe	unknown
https://reasonlabs.com/policies	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000002.2464054224.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://update-beta.reasonsecurity.com/v2/update	3yq4abxg.exe, 00000006.00000003.1872499187.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, UnifiedStub-installer.exe, 0000000B.00000000.1874742651.0000019B322F2000.00000002.00000001.01000000.00000015.sdmp, Stub.exe, 00000020.00000003.2057681827.0000000002E30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/	saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://update.reasonsecurity.com/v2/livelive	rsSyncSvc.exe, 00000019.00000002.1921438935.0000019D7C68C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reasonlabs.com/policiesrivacy-policy88e10f08e18ca857b7883846325fInstaller_IC201102_ISV.zip	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1607076503.0000000000A67000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avast.com	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp, 00000002.00000003.1508883120.0000000000A93000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://d14mh4uvqj4iiz.cloudfront.net	prod0.exe, 00000004.00000002.3283145627.000002A3D18F4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sadownload.mcafee.com/products/SA/BSI/bsi_PaidDistribution.xml	saBSI.exe, 00000005.00000003.1916253547.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1985361133.0000000003215000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000002.2583025617.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893113809.000000000320C000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.2442884926.00000000031C9000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1916114316.0000000003212000.00000004.00000020.00020000.00000000.sdmp, saBSI.exe, 00000005.00000003.1893560349.0000000003212000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.3	localweatherfree.com	European Union	13335	CLOUDFLARENETUS	false
18.173.206.112	d3cored83b0wp2.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
35.162.225.150	mosaic-orio.apis.mcafee.com	United States	16509	AMAZON-02US	false
3.230.219.225	atom-production-collector-cyber-224812358.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
18.172.112.34	d14mh4uvqj4iiz.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
104.20.94.94	cheatengine.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483536
Start date and time:	2024-07-28 00:40:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	55
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe
Detection:	MAL
Classification:	mal46.troj.spyw.evad.winEXE@72/800@11/6
EGA Information:	Successful, ratio: 73.3%
HCA Information:	Successful, ratio: 64% Number of executed functions: 130 Number of non-executed functions: 194
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.22.242.105, 2.22.242.114, 104.18.21.226, 104.18.20.226, 2.19.126.150, 2.19.126.156
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, cdn.globalsigncdn.com.cdn.cloudflare.net, a866.dscd.akamai.net, ctldl.windowsupdate.com, secure.globalsign.com, fe3cr.delivery.mp.microsoft.com, global.prd.cdn.globalsign.com, home.mcafee.com, ocsp.digicert.com, sadownload.mcafee.com.edgesuite.net, ip-api.com, api.openweathermap.org
Execution Graph export aborted for target Stub.exe, PID 7800 because there are no executed function
Execution Graph export aborted for target Stub.exe, PID 7880 because there are no executed function
Execution Graph export aborted for target UnifiedStub-installer.exe, PID 7380 because it is empty
Execution Graph export aborted for target UnifiedStub-installer.exe, PID 7656 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Simulations

Behavior and APIs

Time	Type	Description
00:42:40	Task Scheduler	Run new task: EPPHealthCheck path: C:\Program Files\ReasonLabs\EPP\Uninstall.exe s>/auto-repair=UnifiedStub
18:43:29	API Interceptor	366x Sleep call for process: WeatherZeroService.exe modified
18:43:32	API Interceptor	90892x Sleep call for process: cheatengine-x86_64-SSE4-AVX2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	QUOTATION_JULQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/v4mecse6/download
	Final Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.artfulfusionhub.lat/qogc/
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	DHL Shipment Notification 490104998009.xls	Get hash	malicious	Remcos	Browse	tny.wtf/dg4Zx
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Remcos	Browse	tny.wtf/c8lH8
	AWD 490104998518.xls	Get hash	malicious	Remcos	Browse	tny.wtf/sA
	waybill_shipping_documents_original_BL_CI&PL_26_07_2024_00000000_doc.xls	Get hash	malicious	GuLoader, Remcos	Browse	hq.ax/Oi8
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/dGa
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	Quotation.xls	Get hash	malicious	Remcos	Browse	tny.wtf/jjJsPX
18.172.112.34	SecuriteInfo.com.Trojan.InstallCore.4086.24549.19610.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mosaic-orio.apis.mcafee.com	Lisect_AVT_24003_G1B_127.exe	Get hash	malicious	PureLog Stealer	Browse	54.71.68.83
	SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe	Get hash	malicious	PrivateLoader	Browse	52.25.171.187
	https://www.poweriso.net/PowerISO8-x64.exe	Get hash	malicious	Unknown	Browse	52.26.85.137
atom-production-collector-cyber-224812358.us-east-1.elb.amazonaws.com	Lisect_AVT_24003_G1B_127.exe	Get hash	malicious	PureLog Stealer	Browse	54.166.97.7
	https://www.poweriso.net/PowerISO8-x64.exe	Get hash	malicious	Unknown	Browse	54.225.153.117
	https://mozilla-firefox.fileplanet.com/download	Get hash	malicious	Unknown	Browse	54.85.139.85
	RAVUpdate-v5.2.12.0.exe	Get hash	malicious	Unknown	Browse	107.23.111.162
d14mh4uvqj4iiz.cloudfront.net	Lisect_AVT_24003_G1B_127.exe	Get hash	malicious	PureLog Stealer	Browse	18.172.112.38

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIT-GATEWAYSUS	https://chattts-49f1.beszyrecala.workers.dev/44251fe9-ad0f-4b4c-84e3-2d=	Get hash	malicious	Unknown	Browse	18.66.147.29
	https://chattts-49f1.beszyrecala.workers.dev/d710b28d-67f4-4fc6-8225-c3=	Get hash	malicious	Unknown	Browse	18.66.147.29
	https://help-add-metamask.gitbook.io/us	Get hash	malicious	Unknown	Browse	18.66.196.38
	https://auth-start-treizor.github.io/	Get hash	malicious	Unknown	Browse	18.165.142.126
	http://oveman-austral.com/	Get hash	malicious	Unknown	Browse	18.173.205.104
	http://capitalhillblue.com/	Get hash	malicious	Unknown	Browse	18.172.112.71
	https://bnpparibasfortis.centralapp.com/	Get hash	malicious	Unknown	Browse	18.165.183.97
	file.exe	Get hash	malicious	Unknown	Browse	18.65.39.85
	file.exe	Get hash	malicious	Unknown	Browse	18.66.196.17
CLOUDFLARENETUS	https://help-metsehelp.gitbook.io/us	Get hash	malicious	Unknown	Browse	172.64.147.209
	https://nishant800.github.io/netflixclone/	Get hash	malicious	HTMLPhisher	Browse	172.64.155.119
	https://chattts-49f1.beszyrecala.workers.dev/4f0cc84a-cc5d-4813-a6b3-3f=	Get hash	malicious	Unknown	Browse	172.67.196.219
	https://chattts-49f1.beszyrecala.workers.dev/44251fe9-ad0f-4b4c-84e3-2d=	Get hash	malicious	Unknown	Browse	104.16.119.9
	https://chattts-49f1.beszyrecala.workers.dev/627c9347-142c-4ee6-9449-ca=	Get hash	malicious	Unknown	Browse	172.64.154.107
	https://chattts-49f1.beszyrecala.workers.dev/c334d550-f2d5-4302-b1a8-b3=	Get hash	malicious	Unknown	Browse	172.64.154.107
	https://chattts-49f1.beszyrecala.workers.dev/2af31485-176d-4e5a-9006-e1=	Get hash	malicious	Unknown	Browse	172.64.154.107
	https://chattts-49f1.beszyrecala.workers.dev/d710b28d-67f4-4fc6-8225-c3=	Get hash	malicious	Unknown	Browse	104.16.119.9
	https://help-add-metamask.gitbook.io/us	Get hash	malicious	Unknown	Browse	172.64.146.167
	https://dsfdgfhjkjkhjgfnmbvbjn.pages.dev/atttt	Get hash	malicious	HTMLPhisher	Browse	172.66.44.60
AMAZON-02US	https://nishant800.github.io/netflixclone/	Get hash	malicious	HTMLPhisher	Browse	54.229.239.201
	https://mvosovsky.wixsite.com/my-site-1	Get hash	malicious	Unknown	Browse	99.86.4.105
	https://chattts-49f1.beszyrecala.workers.dev/44251fe9-ad0f-4b4c-84e3-2d=	Get hash	malicious	Unknown	Browse	35.163.144.222
	https://chattts-49f1.beszyrecala.workers.dev/c334d550-f2d5-4302-b1a8-b3=	Get hash	malicious	Unknown	Browse	108.156.60.38
	https://chattts-49f1.beszyrecala.workers.dev/d710b28d-67f4-4fc6-8225-c3=	Get hash	malicious	Unknown	Browse	52.85.49.6
	https://help-add-metamask.gitbook.io/us	Get hash	malicious	Unknown	Browse	65.9.86.18
	https://dsfdgfhjkjkhjgfnmbvbjn.pages.dev/atttt	Get hash	malicious	HTMLPhisher	Browse	108.128.31.255
	https://auth-start-treizor.github.io/	Get hash	malicious	Unknown	Browse	18.244.20.40
	http://get-verified--badge.vercel.app/	Get hash	malicious	Unknown	Browse	76.76.21.22
AMAZON-AESUS	https://mvosovsky.wixsite.com/my-site-1	Get hash	malicious	Unknown	Browse	44.221.136.44
	https://chattts-49f1.beszyrecala.workers.dev/44251fe9-ad0f-4b4c-84e3-2d=	Get hash	malicious	Unknown	Browse	34.193.38.76
	https://chattts-49f1.beszyrecala.workers.dev/627c9347-142c-4ee6-9449-ca=	Get hash	malicious	Unknown	Browse	34.193.38.76
	https://chattts-49f1.beszyrecala.workers.dev/c334d550-f2d5-4302-b1a8-b3=	Get hash	malicious	Unknown	Browse	34.206.213.104
	https://chattts-49f1.beszyrecala.workers.dev/d710b28d-67f4-4fc6-8225-c3=	Get hash	malicious	Unknown	Browse	54.144.124.14
	https://help-add-metamask.gitbook.io/us	Get hash	malicious	Unknown	Browse	3.226.143.229
	https://bnpparibasfortis.centralapp.com/	Get hash	malicious	Unknown	Browse	3.209.9.89
	APA Paper. currrent.Sp 19_0.pdf	Get hash	malicious	Unknown	Browse	34.237.241.83
	https://www.kudoboard.com/boards/ZWwsi9jg	Get hash	malicious	Unknown	Browse	44.218.48.209

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://mvosovsky.wixsite.com/my-site-1	Get hash	malicious	Unknown	Browse	3.230.219.225 18.172.112.34
	https://chattts-49f1.beszyrecala.workers.dev/44251fe9-ad0f-4b4c-84e3-2d=	Get hash	malicious	Unknown	Browse	3.230.219.225 18.172.112.34
	https://help-add-metamask.gitbook.io/us	Get hash	malicious	Unknown	Browse	3.230.219.225 18.172.112.34
	http://get-verified--badge.vercel.app/	Get hash	malicious	Unknown	Browse	3.230.219.225 18.172.112.34
	http://telegra-m.fit/	Get hash	malicious	Telegram Phisher	Browse	3.230.219.225 18.172.112.34
	http://cctv.hotmail.cloudns.org/	Get hash	malicious	Unknown	Browse	3.230.219.225 18.172.112.34
	https://1108853.wcomhost.com/network/am/infospage.php/	Get hash	malicious	Unknown	Browse	3.230.219.225 18.172.112.34
	http://business.ismettaiidentitysconfirms.com/meta-community-standard100066651404869/	Get hash	malicious	Unknown	Browse	3.230.219.225 18.172.112.34
	https://kaslasa.ru/	Get hash	malicious	Unknown	Browse	3.230.219.225 18.172.112.34
a0e9f5d64349fb13191bc781f81f42e1	nISHvSo9E2.exe	Get hash	malicious	Unknown	Browse	18.173.206.112 35.162.225.150 18.172.112.34
	nISHvSo9E2.exe	Get hash	malicious	Unknown	Browse	18.173.206.112 35.162.225.150 18.172.112.34
	YuQu Loader.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	18.173.206.112 35.162.225.150 18.172.112.34
	Main.exe	Get hash	malicious	LummaC	Browse	18.173.206.112 35.162.225.150 18.172.112.34
	7XU2cRFInT.exe	Get hash	malicious	Remcos, DBatLoader	Browse	18.173.206.112 35.162.225.150 18.172.112.34
	Setup.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	18.173.206.112 35.162.225.150 18.172.112.34
	SvpnLong2.exe	Get hash	malicious	Unknown	Browse	18.173.206.112 35.162.225.150 18.172.112.34
	SvpnLong2.exe	Get hash	malicious	Unknown	Browse	18.173.206.112 35.162.225.150 18.172.112.34
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	18.173.206.112 35.162.225.150 18.172.112.34
37f463bf4616ecd445d4a1937da06e19	777.exe	Get hash	malicious	Stealc, Vidar	Browse	104.20.94.94 188.114.96.3
	AacAmbientLighting.exe	Get hash	malicious	Unknown	Browse	104.20.94.94 188.114.96.3
	SecuriteInfo.com.Trojan.Siggen19.37568.5083.12845.exe	Get hash	malicious	Unknown	Browse	104.20.94.94 188.114.96.3
	SecuriteInfo.com.Win32.TrojanX-gen.29632.18649.exe	Get hash	malicious	Unknown	Browse	104.20.94.94 188.114.96.3
	AacAmbientLighting.exe	Get hash	malicious	Unknown	Browse	104.20.94.94 188.114.96.3
	file.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	104.20.94.94 188.114.96.3
	d34e1p5zD2.exe	Get hash	malicious	Unknown	Browse	104.20.94.94 188.114.96.3
	Mu7iyblZk8.exe	Get hash	malicious	Unknown	Browse	104.20.94.94 188.114.96.3
	Ycj3d5NMhc.exe	Get hash	malicious	Unknown	Browse	104.20.94.94 188.114.96.3

Process:	C:\Users\user\AppData\Local\Temp\is-H908U.tmp\prod2_extract\WZSetup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	447488
Entropy (8bit):	6.049704714571602
Encrypted:	false
SSDEEP:	12288:Pf2wvmWyF2kVbFNCK9FGFMSvmEzBIyDInI:19yFpbfcFBIyDInI
MD5:	E346FCECD037F0BE2777231949977587
SHA1:	50E571B3AEA31DB3DF2610A1CA4DFC94612A2CC4
SHA-256:	EFD8CF9A3BC2AB4E15FA33D42771E18D78539759CBF30652DF4C43E6825CE5F0
SHA-512:	FFC183626899D1AD1806786BC95C4809AAB3947C78FBFDB38A01D312F2F679DC7DC82F8389074CBCC470D055982CFC370D482FF4D0B3B91532CA409B1FCA32A9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^W.........." ..0.............&.... ........... .......................@......y.....@.....................................O.......d.................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...d...........................@..@.reloc....... ......................@..B........................H.......d...`...............X.............................................(......(8..."..(9.....(...."..(....&...(....&...(....F...(.......s......{...."..}......{...."..}....V.(......(......(.......}".....(....}%.....}#.....}$.....0..E........{"......YE................+..{$...o.....X.{#...j(.....Xr...ps....z....0...........{"......YE........R...R....{$.....~!...o......!.r...po....&..o....&.r...po....&.o.....1....o....&..o....&*..[o....&..{#...o....&..]o....&

Process:	C:\Users\user\AppData\Local\Temp\is-70Q5G.tmp\CheatEngine75.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33688
Entropy (8bit):	7.20956664617613
Encrypted:	false
SSDEEP:	768:zVYdpNkp9TvDXy2XmVEV3GPkjVvDXy2ulqwVEV3GPkjL:zVY1+nCDOEECDbOEw
MD5:	4ACE42D6530AF699FEB2372F805A6A40
SHA1:	FB8C7352808F104E851468F25D0DD14A25B8CFCA
SHA-256:	13DCE393B59B9EF4A5D4FCDC27267D018B350BDC44A62AACC5DBC7F1DF7F7A1C
SHA-512:	8BB770F304CD8BA23FB2A64370D74AC3FDC134235FF39802983B9BABDE12AB00E49A746F3C2113520F0E135CDFD1473C0B4B64272279D13E576912126AA556D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............." ..0............."3... ...@....... ....................................`..................................2..O....@...................g...`...... 2..8............................................ ............... ..H............text...(.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................3......H........"..............................................................R..{....o.....o....&&...}......0............r...p(......,.....r...po.......8.....{.....o......{....r...p(........,..{.....{....o.....r;..p(.......{..........%...o......o....o...........,e....+F....o......o....o........(....rI..p.o......o....o....(....o........X.....o....o..........-...+....+....(.......s ...}.....{.....o!.....{.....o".....0............\|....(#.....,..\|....($....*....0..............(%..

Process:	C:\Users\user\AppData\Local\Temp\3yq4abxg.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158512
Entropy (8bit):	6.366328902517048
Encrypted:	false
SSDEEP:	3072:ixAyrpDDw+Quvmsd3xsVjxlppyYlDB5sqnjJHSGzj2:aAWDUuvmsd3GnjpyYlt5pa
MD5:	C70238BD9FB1A0B38F50A30BE7623EB7
SHA1:	17B1452D783ED9FAE8FF00F1290498C397810D45
SHA-256:	88FB2446D4EAC42A41036354006AFADFCA5ACD38A0811110F7337DC5EC434884
SHA-512:	DD77E5C5CF0BF76BA480EB4682C965D0030171A7B7A165A6D1C3BA49895BC13388D17DDBB0FE3AC5D47B3D7D8110942C0D5B40E2FE3DF0A022E051696EC4FEB6
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)...)...)...b...,...b.......b...#...)...(...............'.......8...b......)...t...C.9.......+.......(.....g.(.......(...Rich)...........PE..d...B.Uf.........." ...'.d................................................................`.............................................T.......(............`.......6..05......P.......p...........................@...@...............`............................text...pc.......d.................. ..`.rdata..............h..............@..@.data...p<... ......................@....pdata.......`......................@..@_RDATA.............................@..@.rsrc................,..............@..@.reloc..P...........................@..B........................................................................................................................................................................................

Process:	C:\Program Files\ReasonLabs\Common\Stub\v6.0.1\Stub.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158512
Entropy (8bit):	6.366328902517048
Encrypted:	false
SSDEEP:	3072:ixAyrpDDw+Quvmsd3xsVjxlppyYlDB5sqnjJHSGzj2:aAWDUuvmsd3GnjpyYlt5pa
MD5:	C70238BD9FB1A0B38F50A30BE7623EB7
SHA1:	17B1452D783ED9FAE8FF00F1290498C397810D45
SHA-256:	88FB2446D4EAC42A41036354006AFADFCA5ACD38A0811110F7337DC5EC434884
SHA-512:	DD77E5C5CF0BF76BA480EB4682C965D0030171A7B7A165A6D1C3BA49895BC13388D17DDBB0FE3AC5D47B3D7D8110942C0D5B40E2FE3DF0A022E051696EC4FEB6
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)...)...)...b...,...b.......b...#...)...(...............'.......8...b......)...t...C.9.......+.......(.....g.(.......(...Rich)...........PE..d...B.Uf.........." ...'.d................................................................`.............................................T.......(............`.......6..05......P.......p...........................@...@...............`............................text...pc.......d.................. ..`.rdata..............h..............@..@.data...p<... ......................@....pdata.......`......................@..@_RDATA.............................@..@.rsrc................,..............@..@.reloc..P...........................@..B........................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\Stub.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158512
Entropy (8bit):	6.366328902517048
Encrypted:	false
SSDEEP:	3072:ixAyrpDDw+Quvmsd3xsVjxlppyYlDB5sqnjJHSGzj2:aAWDUuvmsd3GnjpyYlt5pa
MD5:	C70238BD9FB1A0B38F50A30BE7623EB7
SHA1:	17B1452D783ED9FAE8FF00F1290498C397810D45
SHA-256:	88FB2446D4EAC42A41036354006AFADFCA5ACD38A0811110F7337DC5EC434884
SHA-512:	DD77E5C5CF0BF76BA480EB4682C965D0030171A7B7A165A6D1C3BA49895BC13388D17DDBB0FE3AC5D47B3D7D8110942C0D5B40E2FE3DF0A022E051696EC4FEB6
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)...)...)...b...,...b.......b...#...)...(...............'.......8...b......)...t...C.9.......+.......(.....g.(.......(...Rich)...........PE..d...B.Uf.........." ...'.d................................................................`.............................................T.......(............`.......6..05......P.......p...........................@...@...............`............................text...pc.......d.................. ..`.rdata..............h..............@..@.data...p<... ......................@....pdata.......`......................@..@_RDATA.............................@..@.rsrc................,..............@..@.reloc..P...........................@..B........................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\is-QGAR3.tmp\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27406384
Entropy (8bit):	7.993410954401878
Encrypted:	true
SSDEEP:	786432:37YPcmlabhBx9CrdUxTvngF7oUNUQWQu7pquEKLR:rGTabv+CVYhoLXQ8BR
MD5:	E0F666FE4FF537FB8587CCD215E41E5F
SHA1:	D283F9B56C1E36B70A74772F7CA927708D1BE76F
SHA-256:	F88B0E5A32A395AB9996452D461820679E55C19952EFFE991DEE8FEDEA1968AF
SHA-512:	7F6CABD79CA7CDACC20BE8F3324BA1FDAAFF57CB9933693253E595BFC5AF2CB7510AA00522A466666993DA26DDC7DF4096850A310D7CFF44B2807DE4E1179D1A
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................R...^.......^.......p....@.................................".....@......@...................@....... .......p..................k...................................`......................."..T....0.......................text....9.......:.................. ..`.itext.......P.......>.............. ..`.data....7...p...8...V..............@....bss.....m...............................idata....... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc........p......................@..@....................................@..@........................................................

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3014144
Entropy (8bit):	6.393837791441553
Encrypted:	false
SSDEEP:	49152:fLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvu:dwSi0b67zeCzt0+yO3kS
MD5:	C47A946F3D41363C77CA4C719516E49B
SHA1:	01CB165E95FB6590F66673D25917B838C847BA8B
SHA-256:	32361DA66CBEDF8AC39A309427A132A1927350A38F1BC3F32F0EA78562B24848
SHA-512:	4520A1BF4754DCE663EE038FF34DE33B9BC73CDB93E3CB7674BBBC9096002664EDD6ADEE6257677277C6FDF48418BDECFB26C26D113E241EAB0A621A9A1888D7
Malicious:	false
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...p.._.................$,.........P6,......@,...@.......................................@......@....................-......`-.49....-.......................................................-......................i-.......-......................text...P.+.......+................. ..`.itext..t(....,..*....+............. ..`.data.......@,......(,.............@....bss.....x....,..........................idata..49...`-..:....,.............@....didata.......-.......,.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@......................-.............@..@........................................................

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FB0F96E [Sun Nov 15 09:48:30 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5a594319a0d69dbc452e748bcf05892e

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	14/12/2022 01:00:00 14/12/2024 00:59:59
Subject Chain	CN=EngineGame, O=EngineGame, S=Tel Aviv, C=IL
Version:	3
Thumbprint MD5:	B057F334F42D0F37E84463F374A5B612
Thumbprint SHA-1:	9CD94C59500A37C757F126042A8CD752D0C7964D
Thumbprint SHA-256:	FAEC8CE72964F915A0FE531FDB46BBF6094F24246F654A9B2A08939A9D366C6F
Serial:	00FBD01E95FDDDDC33E3C218C60DA73E12

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xf36	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x4800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1c955a0	0x1578
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22e4	0x244	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb361c	0xb3800	ad6e46e3a3acdb533eb6a077f6d065af	False	0.3448639341051532	data	6.356058204328091	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	d40fc822339d01f2abcc5493ac101c94	False	0.544921875	data	5.972750055221053	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	4c195d5591f6d61265df08a3733de3a2	False	0.36097935267857145	data	5.044400562007734	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xf36	0x1000	a73d686f1e8b9bb06ec767721135e397	False	0.3681640625	data	4.8987046479600425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	41b8ce23dd243d14beebc71771885c89	False	0.345703125	data	2.7563628682496506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	37c1a5c63717831863e018c0f51dabb7	False	0.2578125	data	1.8722228665884297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	8f2f090acd9622c88a6a852e72f94e96	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x4800	0x4800	9f25ea605614c16e9bf3ed44e2511d8b	False	0.3160807291666667	data	4.4211085622066575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc74c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0xc75f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0xc7b58	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0xc7e40	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0xc86e8	0x360	data			0.34375
RT_STRING	0xc8a48	0x260	data			0.3256578947368421
RT_STRING	0xc8ca8	0x45c	data			0.4068100358422939
RT_STRING	0xc9104	0x40c	data			0.3754826254826255
RT_STRING	0xc9510	0x2d4	data			0.39226519337016574
RT_STRING	0xc97e4	0xb8	data			0.6467391304347826
RT_STRING	0xc989c	0x9c	data			0.6410256410256411
RT_STRING	0xc9938	0x374	data			0.4230769230769231
RT_STRING	0xc9cac	0x398	data			0.3358695652173913
RT_STRING	0xca044	0x368	data			0.3795871559633027
RT_STRING	0xca3ac	0x2a4	data			0.4275147928994083
RT_RCDATA	0xca650	0x10	data			1.5
RT_RCDATA	0xca660	0x2c4	data			0.6384180790960452
RT_RCDATA	0xca924	0x2c	data			1.25
RT_GROUP_ICON	0xca950	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0xca990	0x584	data	English	United States	0.26416430594900847
RT_MANIFEST	0xcaf14	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4005464480874317

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x454060
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 28, 2024 00:41:53.855119944 CEST	64789	53	192.168.2.8	1.1.1.1
Jul 28, 2024 00:41:53.867531061 CEST	53	64789	1.1.1.1	192.168.2.8
Jul 28, 2024 00:42:20.343059063 CEST	59999	53	192.168.2.8	1.1.1.1
Jul 28, 2024 00:42:20.361080885 CEST	53	59999	1.1.1.1	192.168.2.8
Jul 28, 2024 00:42:33.273329020 CEST	60729	53	192.168.2.8	1.1.1.1
Jul 28, 2024 00:42:33.280864000 CEST	53	60729	1.1.1.1	192.168.2.8
Jul 28, 2024 00:42:35.560033083 CEST	51103	53	192.168.2.8	1.1.1.1
Jul 28, 2024 00:42:37.006407022 CEST	63469	53	192.168.2.8	1.1.1.1
Jul 28, 2024 00:42:37.013734102 CEST	53	63469	1.1.1.1	192.168.2.8
Jul 28, 2024 00:42:40.053639889 CEST	49960	53	192.168.2.8	1.1.1.1
Jul 28, 2024 00:42:40.064867020 CEST	53	49960	1.1.1.1	192.168.2.8
Jul 28, 2024 00:43:10.191824913 CEST	52797	53	192.168.2.8	1.1.1.1
Jul 28, 2024 00:43:10.202039957 CEST	53	52797	1.1.1.1	192.168.2.8
Jul 28, 2024 00:43:17.458931923 CEST	50678	53	192.168.2.8	1.1.1.1
Jul 28, 2024 00:43:17.468035936 CEST	53	50678	1.1.1.1	192.168.2.8
Jul 28, 2024 00:43:37.941819906 CEST	49547	53	192.168.2.8	1.1.1.1
Jul 28, 2024 00:43:40.266699076 CEST	60567	53	192.168.2.8	1.1.1.1
Jul 28, 2024 00:43:40.276721001 CEST	53	60567	1.1.1.1	192.168.2.8
Jul 28, 2024 00:43:56.459935904 CEST	53205	53	192.168.2.8	1.1.1.1

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:41:54 UTC	233	OUT	POST /o HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 125 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:41:54 UTC	125	OUT	Data Raw: 7b 22 70 72 76 22 3a 20 22 30 2e 31 22 2c 22 70 6c 76 22 3a 20 22 31 2e 33 34 2e 33 2e 38 33 34 31 22 2c 22 6c 22 3a 20 22 65 6e 22 2c 22 61 22 3a 20 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 69 22 3a 20 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 73 22 3a 20 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 6f 22 3a 20 22 31 30 2e 30 2e 31 39 30 34 35 2e 32 30 30 36 22 7d Data Ascii: {"prv": "0.1","plv": "1.34.3.8341","l": "en","a": "cheatengine","i": "cheatengine","s": "cheatengine","o": "10.0.19045.2006"}
2024-07-27 22:41:55 UTC	490	IN	HTTP/1.1 200 OK Content-Type: application/json Content-Length: 11056 Connection: close Server: awselb/2.0 Date: Sat, 27 Jul 2024 22:41:55 GMT cache-control: no-cache x-true-request-id: 489cebea-a7db-46ad-b1a6-942946f2cdbf x-robots-tag: none expires: Thu, 01 Jan 1970 00:00:00 GMT X-Cache: Miss from cloudfront Via: 1.1 43be4ee3b8e339e1d27addbbdc49a4d4.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: Qb58WEA_3Gqs-6jnPQq68j4nvXKK1FUluQ0dM_-v7LktsuI9s1siWg==
2024-07-27 22:41:55 UTC	7895	IN	Data Raw: 7b 22 76 22 3a 22 30 2e 31 22 2c 22 6c 22 3a 22 55 53 22 2c 22 69 22 3a 7b 22 63 75 22 3a 22 22 2c 22 63 74 22 3a 22 22 2c 22 63 70 22 3a 22 22 2c 22 63 74 75 22 3a 22 22 2c 22 63 6c 22 3a 22 22 2c 22 63 68 22 3a 22 22 2c 22 63 61 22 3a 22 76 35 2e 38 33 22 2c 22 63 66 22 3a 22 22 2c 22 63 70 69 22 3a 22 22 2c 22 63 70 73 22 3a 22 22 2c 22 63 64 22 3a 22 22 2c 22 63 70 72 22 3a 22 22 2c 22 63 70 70 22 3a 22 22 2c 22 63 66 6c 22 3a 22 22 2c 22 63 6a 22 3a 22 2b 31 22 2c 22 63 62 22 3a 22 22 2c 22 63 6f 64 22 3a 22 22 2c 22 63 74 70 22 3a 22 22 2c 22 63 65 70 22 3a 22 22 7d 2c 22 66 22 3a 7b 22 6d 22 3a 33 2c 22 78 22 3a 22 32 30 32 35 2d 30 33 2d 31 33 54 32 32 3a 34 31 3a 35 35 2e 32 33 37 5a 22 2c 22 61 22 3a 22 63 64 63 32 22 2c 22 64 22 3a 22 38 39 22 Data Ascii: {"v":"0.1","l":"US","i":{"cu":"","ct":"","cp":"","ctu":"","cl":"","ch":"","ca":"v5.83","cf":"","cpi":"","cps":"","cd":"","cpr":"","cpp":"","cfl":"","cj":"+1","cb":"","cod":"","ctp":"","cep":""},"f":{"m":3,"x":"2025-03-13T22:41:55.237Z","a":"cdc2","d":"89"
2024-07-27 22:41:55 UTC	3161	IN	Data Raw: 6f 22 3a 22 41 56 41 53 54 22 7d 2c 22 70 73 22 3a 7b 22 69 22 3a 22 41 56 41 53 54 2f 69 6d 61 67 65 73 2f 44 4f 54 50 53 2d 31 35 31 31 2f 35 34 37 58 32 38 30 2f 45 4e 2e 70 6e 67 22 2c 22 64 6e 22 3a 22 41 76 61 73 74 20 41 6e 74 69 76 69 72 75 73 22 2c 22 75 22 3a 22 41 56 41 53 54 2f 66 69 6c 65 73 2f 63 6f 6f 6b 69 65 5f 6d 6d 6d 5f 69 72 73 5f 70 70 69 5f 30 30 35 5f 38 38 38 5f 61 2e 7a 69 70 22 2c 22 70 22 3a 22 2f 73 69 6c 65 6e 74 20 2f 77 73 20 2f 70 73 68 3a 7b 70 78 6c 7d 22 2c 22 72 76 64 22 3a 5b 22 48 4b 4c 4d 5c 5c 53 59 53 54 45 4d 5c 5c 43 75 72 72 65 6e 74 43 6f 6e 74 72 6f 6c 53 65 74 5c 5c 43 6f 6e 74 72 6f 6c 5c 5c 53 65 73 73 69 6f 6e 20 4d 61 6e 61 67 65 72 5c 5c 45 6e 76 69 72 6f 6e 6d 65 6e 74 5c 5c 50 52 4f 43 45 53 53 4f 52 Data Ascii: o":"AVAST"},"ps":{"i":"AVAST/images/DOTPS-1511/547X280/EN.png","dn":"Avast Antivirus","u":"AVAST/files/cookie_mmm_irs_ppi_005_888_a.zip","p":"/silent /ws /psh:{pxl}","rvd":["HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\PROCESSOR

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:41:56 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325f User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 276 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:41:56 UTC	276	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 37 31 38 34 31 35 34 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 33 33 5c 22 2c 5c 22 36 5c 22 3a 5c 22 31 5c 22 2c 5c 22 37 5c 22 3a 5c 22 31 2e 33 34 2e 33 2e 38 33 34 31 5c 22 2c 5c 22 31 35 5c 22 3a 30 2c 5c 22 Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20240727184154\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"\",\"18\":\"\",\"19\":\"\",\"21\":\"133\",\"6\":\"1\",\"7\":\"1.34.3.8341\",\"15\":0,\"
2024-07-27 22:41:56 UTC	428	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 27 Jul 2024 22:41:56 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 ba01631fe255b1896a9e6bfd4c86a06a.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: H8RG2toid98Cyh6kW9jXESMyFFlCo207lwdnz37BevfAkXNOJoQJ9w==
2024-07-27 22:41:56 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:41:57 UTC	149	OUT	GET /f/RAV_Triple_NCB/images/DOTPS-855/EN.png HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:41:57 UTC	571	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 75974 Connection: close Last-Modified: Sun, 11 Sep 2022 12:56:32 GMT x-amz-meta-cb-modifiedtime: Sun, 11 Sep 2022 10:58:27 GMT x-amz-version-id: mCoh4hrlqpNiFIHFPwsLWmtCICuCsWOt Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 27 Jul 2024 04:21:35 GMT ETag: "cd09f361286d1ad2622ba8a57b7613bd" X-Cache: Hit from cloudfront Via: 1.1 f41688bac877227b82b3347b2428d266.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: Gzz3PGmFvlD9Ap82U3N6dPf-XRzwYuMbO3HmhfDnfZwqon8jOM1TiQ== Age: 70789
2024-07-27 22:41:57 UTC	15813	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 68 08 06 00 00 00 b5 fd 28 e7 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 01 28 5b 49 44 41 54 78 01 ec bd 0b 9c 1d 55 95 2f fc 3f dd 9d a4 11 30 27 f2 48 00 25 95 41 24 0a 4e 9f cc e0 10 74 a0 2b d7 ab 20 dc 31 8d 8e 02 de ab 5d ed 38 c2 c0 38 dd 11 d4 71 be 19 fa 44 9d 4f 51 98 74 3e 47 c0 b9 a3 7d 5a ee 88 78 d5 74 0b 28 e0 9d db d5 e0 23 11 86 9c f0 d0 c4 0c 93 0a 02 76 46 30 27 3c 3b 21 dd e7 3b ab 6b af ec 5d fb 54 d5 a9 f3 ea ee 74 f6 ff f7 ab 5f 55 ed e7 da 6b af bd f6 da 8f da 05 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 Data Ascii: PNGIHDRh(pHYssRGBgAMAa([IDATxU/?0'H%A$Nt+ 1]88qDOQt>G}Zxt(#vF0'<;!;k]Tt_Uk
2024-07-27 22:41:58 UTC	12969	IN	Data Raw: e6 06 cc c3 3f 15 36 c3 e0 a5 46 ec 25 08 57 2f 33 a3 e2 a7 63 fc 2b 8d aa 1b 51 c1 0e 1a 83 b4 76 d7 fd 88 d6 dd 9a 3b 8d ce f2 68 cc 12 44 a1 c2 7b ad f0 d0 18 70 19 c3 78 e0 a1 3a a8 c6 22 dd 69 66 9f 46 be ea 47 5a 16 7c 65 44 1d 9b a3 c4 a5 fc 6d 04 47 ed 3c cb 4b ef dd 48 fe b1 e2 08 64 87 d4 87 e8 6d 10 03 55 a4 49 a0 f2 ad 17 34 55 3b 48 71 c5 5d 55 8a 3a 3a 50 df 07 99 b1 68 5b b8 a8 bd b5 a5 e5 ca 63 16 1f b7 8c 36 dc 1e 93 3e 2e 20 8b a5 f7 fc 09 2b 4e 0f 3d d9 e0 de af 5d bf 9a 3e 50 a3 3d bb f4 4e c6 6f e9 ca db 97 5f 9d bf b9 ef 92 2b d4 19 d4 57 1d 9b 2e e8 69 bf 66 e9 6b c7 8f 4e 1f 3f f1 ca c4 cb 33 fe c3 8a 37 bd ed 9d 5e c9 e0 c5 d6 1f 7d 77 7a ef 2d 19 f6 e7 fc b7 ca 1f b9 f1 f6 0b 9a 91 5e 6a bd 61 fb 71 27 59 7b 4e 3a ed 4d bb 1f bc Data Ascii: ?6F%W/3c+Qv;hD{px:"ifFGZ\|eDmG<KHdmUI4U;Hq]U::Ph[c6>. +N=]>P=No_+W.ifkN?37^}wz-^jaq'Y{N:M
2024-07-27 22:41:58 UTC	16384	IN	Data Raw: d5 f7 a2 a3 5f 5d d8 ff e2 73 69 eb cd 7f b4 d9 be f4 ea 7c dc 71 66 ff e5 43 7d 85 fc ff f9 1e f3 41 95 fd b0 bd d4 1e 64 9f c3 5b 1b d8 48 72 51 19 ae c8 67 2b 7c 3e 86 c9 12 b9 11 cf f3 8a 1b d1 93 41 63 b6 52 64 21 3f b0 f5 e0 b7 7b aa 8b 9c f0 d7 fb 27 02 b7 0b 8a 4b 6d 86 65 88 2e 96 11 bb 4e fa 46 44 1a 7a 1f ce ed 50 a7 27 27 9e e9 ce df 2b 10 c6 50 fd c0 40 d5 07 8e e6 46 c8 42 f6 61 3c 68 19 46 75 fb ed c3 e0 41 0e a2 59 a7 e6 84 9f 0b bf 5f da 20 2e 0f e5 1f 4f 73 bf dd 05 bf df 56 eb 8e c2 5b a8 be 6f a3 b0 7a 1d 33 1d 24 37 f9 84 69 a8 7d 3e 97 67 5e 22 05 83 24 60 21 f7 34 77 07 be 12 25 03 da 12 6e 5e 44 1a 95 fc ab a5 87 50 cf 88 b5 52 fa dc b1 16 22 fc f5 fc 2d 71 f7 50 7d 9a 95 ca 53 89 9e d9 40 1c 0f 6a a1 b3 96 32 5a e2 ee 55 e9 97 24 Data Ascii: _]si\|qfC}Ad[HrQg+\|>AcRd!?{'Kme.NFDzP''+P@FBa<hFuAY_ .OsV[oz3$7i}>g^"$`!4w%n^DPR"-qP}S@j2ZU$
2024-07-27 22:41:58 UTC	16384	IN	Data Raw: 6b c7 bc e6 84 71 3a 7b f7 5d 57 fc 4d e4 36 b8 a9 54 aa 30 d0 b3 26 89 71 18 46 7b a5 ce 9e 8d 20 5d df f0 92 3c f1 3f 07 c9 f7 2c e4 76 09 d6 77 2e a2 eb 29 87 ea 75 a5 8e 4b 20 8f 9c f3 44 7a c4 af be 84 f1 55 f9 70 34 37 42 16 c1 13 11 74 79 8d 4a d3 45 70 8f 2f eb 9b 46 19 8f 1e fc 36 a6 b6 77 08 37 2f 22 8e 5a 9f 14 46 af 0f 5d 7f 30 1f a2 d2 ab 16 49 ec 16 bd 3e d3 28 ff e0 90 64 25 83 e4 75 cc 70 51 7d 5f 35 ef 90 c2 e1 0d 4b dc 3d 34 16 56 85 74 d9 9f 47 66 71 70 e0 0b 59 12 e3 26 0d b9 bc 54 8b 22 67 58 55 a6 61 89 7b 58 9c 5a 69 b2 c4 dd 4b 10 96 14 2a 9f 08 51 09 4c 4f 54 da 56 8c 5f a3 41 8a a7 a0 e5 95 85 df f1 ad 8a 89 c7 65 f0 50 1d 2c 71 f7 d0 5c a4 df ff d7 1b fb 16 9f 78 72 fb e2 e3 96 85 ce c6 3d fd f8 a3 e9 a3 d3 c7 4f 44 f9 57 85 29 Data Ascii: kq:{]WM6T0&qF{ ]<?,vw.)uK DzUp47BtyJEp/F6w7/"ZF]0I>(d%upQ}_5K=4VtGfqpY&T"gXUa{XZiK*QLOTV_AeP,q\xr=ODW)
2024-07-27 22:41:58 UTC	14424	IN	Data Raw: eb 54 d7 14 79 45 47 2b 1f 53 58 5a 19 fc 34 77 75 99 26 f5 d9 76 1b 87 27 aa 99 bf ff c3 57 51 7d fa cc b3 2e 3b 8c 65 80 56 4c 6f f9 a7 eb fa af 7c c5 eb 0f f0 9b 0d 68 85 96 fe 0e 25 fb 0d ad c6 2e 6c 59 98 37 b6 df 3d bc e3 35 0f dc 7f 5f 6d 83 79 da e1 c7 5c 60 ee 7e c6 f3 7f fe d0 a7 9a ef 18 2c 4a 9b f6 06 3f f2 ec 73 5b 67 d7 1e 93 91 a1 47 6f 78 e2 91 c7 5e f8 e4 ca ca 9f ca 75 d6 bc 91 3b 3d 75 d3 a6 6f 4f 1f 36 e7 3f f1 29 29 fb 5d 78 f1 b3 d3 db 6f 9e d8 4a 7b 85 79 e5 97 dc 1f f8 e1 f7 cf a4 95 6e 3f ef f9 f3 a9 73 1e bb e1 44 de fe c5 c0 a3 37 3e a9 63 b9 e8 fd ba 0f 3d f4 e3 0f 8d 0e 6e 0b 8d 8d c4 fe c6 70 13 74 13 9d 59 ac 3e 24 39 e1 2d 73 34 11 5f 63 f3 25 59 8a 90 2d d3 72 61 d0 79 fe 48 e0 56 c5 a6 6c 9c 71 e1 1f 1a 43 72 45 b3 0a 65 Data Ascii: TyEG+SXZ4wu&v'WQ}.;eVLo\|h%.lY7=5_my\`~,J?s[gGox^u;=uoO6?))]xoJ{yn?sD7>c=nptY>$9-s4_c%Y-rayHVlqCrEe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:41:58 UTC	139	OUT	GET /f/WebAdvisor/images/943/EN.png HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:41:59 UTC	512	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 48743 Connection: close Last-Modified: Wed, 23 Nov 2022 15:50:00 GMT x-amz-version-id: RW9gnZViDqHn6sjOaRWUaFg5F2z0vnXM Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 27 Jul 2024 04:17:52 GMT ETag: "4cfff8dc30d353cd3d215fd3a5dbac24" X-Cache: Hit from cloudfront Via: 1.1 b44afb2a44376871c20edb8c123ed47c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: 67dOHuS6KbGqcqz7tgtQRP74j8YoIKFmYGh4mRhHvw6hwsLQO-sWlA== Age: 70790
2024-07-27 22:41:59 UTC	16384	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 68 08 06 00 00 00 b5 fd 28 e7 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 bd fc 49 44 41 54 78 01 ec bd bf b3 65 49 75 e7 bb ab 1b 01 c6 28 d4 0a 59 33 31 11 7d 71 c0 19 05 8d 60 14 a1 e7 74 e1 cf 04 8d 5a 83 c4 38 74 3b 78 33 c0 5f 40 e1 8c 33 06 30 de 7b 0e 45 84 22 80 26 1a 35 a1 67 8d 43 e1 bc 89 90 40 0d 92 25 9c 3e 72 84 35 a1 ea d0 18 42 02 ea ed 4f d5 fe dc 5e b5 2a f7 af 73 f6 b9 f7 dc 7b d6 37 e2 dc 7b ce fe 91 b9 72 e5 ca 95 2b 57 ae cc ec ba 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 Data Ascii: PNGIHDRh(pHYssRGBgAMAaIDATxeIu(Y31}q`tZ8t;x3_@30{E"&5gC@%>r5BO^*s{7{r+WBP(BP(BP(BP(BP(BP(
2024-07-27 22:41:59 UTC	16384	IN	Data Raw: 1a d0 99 67 8f c1 12 4f 58 f6 be 39 68 58 0b 63 f9 e0 27 65 a0 2c d4 c9 b1 3a 2b 68 cc 86 4a 5e 70 17 81 82 86 3f f2 d8 f0 93 35 de 42 43 2a 90 95 58 b7 f0 f0 10 c3 61 97 62 47 a5 a9 15 43 b9 1b 16 6f ea 09 33 56 3a 7a 4a 33 62 a7 e5 54 2e 1f d2 d1 20 3b 14 ce 0c 44 be f0 c9 5e fe 16 6d c8 08 1f bd 44 a6 97 eb 57 2f 53 34 26 5a 7c 1b 83 ed db b8 58 3a e8 8b 34 dd 1e d3 3b 74 5b 3f a1 c1 ab 71 eb ec 91 53 ca fb b4 b7 16 5a 3a c0 f6 1d eb 20 ea 96 31 9d 74 4c 64 9e 5a 0f c8 3b 3c 71 6a 3d eb 42 64 c9 36 a1 17 50 e4 c5 81 fb 22 4e d9 8b 39 4f ac 6d 88 fc e3 2c c5 58 7a d6 c9 98 51 bc af 2e c9 7c b5 ad 8c b5 bf 18 22 16 d3 88 7d 80 b3 30 71 cb c6 56 5f e9 7a 0d f5 3f f5 13 3d df 6b 60 de b1 fd ef 42 dc fb 6d 47 19 bc 85 49 d0 a0 6d b8 ae e0 9d f2 da d8 70 a3 Data Ascii: gOX9hXc'e,:+hJ^p?5BC*XabGCo3V:zJ3bT. ;D^mDW/S4&Z\|X:4;t[?qSZ: 1tLdZ;<qj=Bd6P"N9Om,XzQ.\|"}0qV_z?=k`BmGImp
2024-07-27 22:41:59 UTC	15975	IN	Data Raw: 82 48 e3 75 e8 3d 3c bb 1e 45 1e 77 77 f0 70 06 ee b1 8d 58 36 6e 6f 7a 3b 41 de 3c 88 e6 aa 8e ca 8e a8 be a0 30 85 f2 f0 9e 11 f2 34 8d e7 cd 3b 0d c5 27 4f 41 31 ad cc a8 d9 53 89 e2 7d 94 0b 1e 8c 38 5d 17 a7 a1 9d d2 32 7d 3c 00 ad 6b 00 3a 3c 89 86 ff f9 74 27 68 8e 74 7a 5c 22 ef 79 ac 68 6b fa 8a e7 72 5a 4e f3 8e 29 47 9e b7 4c 9e 30 93 a7 c9 a0 db 67 f8 1d cb 4d ba 91 d6 a5 47 f9 52 96 98 66 9c 4e 6b f1 7a ec 88 52 ca 47 fe 31 bd 58 06 00 fd f2 9b 67 48 7b 8c 1f f2 6b 2a bd 4c 5f e6 49 9c aa 35 bd 31 1e 22 1f 7c a7 7c ad 29 4f 4f dd ca e5 8f a1 2c 4e af 46 7e 45 7e b6 a6 83 a7 a6 88 f7 69 3b 11 96 23 e7 01 2f 6c 5f 99 67 f2 2d f2 28 4f 87 47 c8 57 e4 cd 3a ca 21 0d 71 da 59 9a 2d 4b e6 65 ab ae 0d 45 60 3b ba b1 a9 f7 39 f9 8f 21 0d f2 55 9a e5 Data Ascii: Hu=<EwwpX6noz;A<04;'OA1S}8]2}<k:<t'htz\"yhkrZN)GL0gMGRfNkzRG1XgH{k*L_I51"\|\|)OO,NF~E~i;#/l_g-(OGW:!qY-KeE`;9!U

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:00 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325f User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 352 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:42:00 UTC	352	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 37 31 38 34 31 35 34 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 65 62 63 6f 6d 70 61 6e 69 6f 6e 32 30 31 36 46 46 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 65 62 63 6f 6d 70 61 6e 69 6f 6e 46 46 5f 6e 65 77 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 33 33 5c 22 2c 5c 22 36 5c 22 3a Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20240727184154\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"Webcompanion2016FF\",\"18\":\"ZB_WebcompanionFF_new\",\"19\":\"\",\"21\":\"133\",\"6\":
2024-07-27 22:42:00 UTC	428	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 27 Jul 2024 22:42:00 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 e23d0cd26e88be416569e15d7299b25c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: 0XAtDpK4JOgr5MhGq5MA081uJXlrJSd7qfC-dTAt0L-eSiqABFVpzw==
2024-07-27 22:42:00 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:01 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325f User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 339 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:42:01 UTC	339	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 37 31 38 34 31 35 34 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 41 56 47 5f 41 56 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 41 56 47 5f 41 56 5f 54 72 75 73 74 50 69 6c 6f 74 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 33 33 5c 22 2c 5c 22 36 5c 22 3a 5c 22 32 5c 22 2c 5c 22 37 5c 22 3a 5c Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20240727184154\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"AVG_AV\",\"18\":\"ZB_AVG_AV_TrustPilot\",\"19\":\"\",\"21\":\"133\",\"6\":\"2\",\"7\":\
2024-07-27 22:42:02 UTC	428	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 27 Jul 2024 22:42:01 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 ba01631fe255b1896a9e6bfd4c86a06a.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: K4OWs_7FjiWPOoCp1YDyDFGKJkSZjXt1mqsuFS7xBCM01rNScmrSHQ==
2024-07-27 22:42:02 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\WeatherZero\Newtonsoft.Json.dll

C:\Program Files (x86)\WeatherZero\WeatherZero.exe

C:\Program Files (x86)\WeatherZero\WeatherZero.exe.config

C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe

C:\Program Files (x86)\WeatherZero\uninstall.exe

C:\Program Files (x86)\WeatherZero\wz.ico

C:\Program Files\Cheat Engine 7.5\CSCompiler.dll (copy)

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe (copy)

C:\Program Files\Cheat Engine 7.5\CheatEngine.chm (copy)

Windows Analysis Report
SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:03 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325f User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 344 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:42:03 UTC	344	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 37 31 38 34 31 35 34 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 65 62 43 6f 6d 70 61 6e 69 6f 6e 43 48 4f 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 43 43 48 4f 5f 6e 65 77 5f 49 53 56 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 33 33 5c 22 2c 5c 22 36 5c 22 3a 5c 22 32 5c 22 2c 5c 22 Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20240727184154\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"WebCompanionCHO\",\"18\":\"ZB_WCCHO_new_ISV\",\"19\":\"\",\"21\":\"133\",\"6\":\"2\",\"
2024-07-27 22:42:03 UTC	428	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 27 Jul 2024 22:42:03 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 e23d0cd26e88be416569e15d7299b25c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: htWkTYozJ6bj1kd0MsIElv5WKkwVIapoo6VaRMRNSf6nWka8JGYSCg==
2024-07-27 22:42:03 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:04 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325f User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 334 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:42:04 UTC	334	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 37 31 38 34 31 35 34 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 41 76 61 73 74 5f 4e 43 48 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 41 76 61 73 74 5f 4e 43 48 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 33 33 5c 22 2c 5c 22 36 5c 22 3a 5c 22 32 5c 22 2c 5c 22 37 5c 22 3a 5c 22 31 2e 33 34 Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20240727184154\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"Avast_NCH\",\"18\":\"ZB_Avast_NCH\",\"19\":\"\",\"21\":\"133\",\"6\":\"2\",\"7\":\"1.34
2024-07-27 22:42:05 UTC	428	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 27 Jul 2024 22:42:04 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 ba01631fe255b1896a9e6bfd4c86a06a.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: r3Wuwmo4AI7yo8LezXF0pWU06IdifpkmtjUm4xzM34fW9bv1vqO6PA==
2024-07-27 22:42:05 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:05 UTC	140	OUT	GET /f/WeatherZero/images/969/EN.png HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:42:06 UTC	512	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 30586 Connection: close Last-Modified: Thu, 08 Dec 2022 12:37:43 GMT x-amz-version-id: MVrTExmvEQAJj6fAGLSH_gwH63ab4qxc Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 27 Jul 2024 22:24:40 GMT ETag: "9ac6287111cb2b272561781786c46cdd" X-Cache: Hit from cloudfront Via: 1.1 b44afb2a44376871c20edb8c123ed47c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: M5whfYqV0I98vY4hZ8wDFEQS0phjaXBrbvYJxEEiDdF_YySegXPzjQ== Age: 32717
2024-07-27 22:42:06 UTC	16384	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 68 08 06 00 00 00 b5 fd 28 e7 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 77 0f 49 44 41 54 78 01 ed bd 09 9c 5d 57 75 e6 bb 35 db 12 e0 12 24 a4 b1 8d 55 02 e7 e1 e9 21 89 04 92 74 9a 48 22 84 90 a1 23 39 09 79 49 27 d8 12 83 33 30 48 02 cc 0c 92 18 02 06 82 24 27 61 36 1a 92 ce 44 82 a4 4e 77 42 9a 04 c9 34 09 74 42 9e 24 9e b1 8d 27 95 07 08 84 07 92 30 c8 b2 64 bb 7a 7d 57 f7 2b 2f 2d ed 33 dc aa 5b 75 ef 3d f5 fd 7f bf 53 f7 0c 7b 58 7b ed 69 9d 7d f6 de 95 92 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 Data Ascii: PNGIHDRh(pHYssRGBgAMAawIDATx]Wu5$U!tH"#9yI'30H$'a6DNwB4tB$'0dz}W+/-3[u=S{X{i}B!B!B!B!B!B!B!B
2024-07-27 22:42:06 UTC	14202	IN	Data Raw: a8 0a af 4c 87 55 3a f0 e1 73 2a 0d 75 58 54 d7 72 e1 45 99 58 ce bd df 32 19 73 94 e5 75 ce 6d 2c c7 b9 34 4e a4 1c e5 ee 8d a7 7e 7a ff b9 f4 c4 76 aa ca 7d 8e b2 f4 d6 4d 1f 46 cd 30 1a 76 b8 c6 3f 8b 89 d3 a9 62 9d 8f e9 88 71 95 95 e9 a8 87 f1 a4 b9 6e 5d a7 ee 59 86 ea e8 bb ac cf 61 18 55 7d 56 a7 65 88 f3 52 73 ff b4 a4 4e bd a9 7b 8f f2 e5 d2 97 cb 47 52 96 77 45 6d 45 a4 93 36 8e e1 e4 ea 0d d3 e0 75 1c db 39 9e 4f 37 76 ed da 85 be 7b ca ed 4f 19 bc a2 ef 18 69 2f 80 19 c9 ec a6 40 68 f0 c6 b9 68 42 88 c1 84 06 00 16 82 e1 53 b8 16 f9 f4 0f c8 1b 7c fe c7 d4 01 bc 88 d4 79 11 10 a2 88 5e 19 bc 9a c3 2b 84 10 a2 e7 60 54 97 3b 7f c8 d8 ed 2f 30 c0 00 63 17 03 0c 32 76 c5 a0 a2 5d 1a 44 df 81 06 75 74 b4 7c 8a 4f 9d cf 9d 42 88 c1 01 9f c9 61 e8 Data Ascii: LU:s*uXTrEX2sum,4N~zv}MF0v?bqn]YaU}VeRsN{GRwEmE6u9O7v{Oi/@hhBS\|y^+`T;/0c2v]Dut\|OBa

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:21 UTC	124	OUT	GET /rsStubActivator.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: shield.reasonsecurity.com
2024-07-27 22:42:21 UTC	1137	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 33432 Connection: close Date: Sat, 27 Jul 2024 22:42:21 GMT ETag: W/"8298-amrWAj+eGria7Eoxd9BYFabjos0" Access-Control-Allow-Origin: * Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0 content-disposition: attachment; filename=rsStubActivator.exe X-Cache: Miss from cloudfront Via: 1.1 24c73aa8cdc4e254694e2ac7073f8aea.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA60-P8 X-Amz-Cf-Id: eJidjZZguskbh3FbhijMbPAB-2fz_Pz4XAhY96_jIw-r-R-n8AKqVA==
2024-07-27 22:42:21 UTC	1928	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a9 ef 9a d4 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 12 00 00 00 16 00 00 00 00 00 00 4e 31 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 88 4f 01 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0N1 @@ O`
2024-07-27 22:42:21 UTC	8192	IN	Data Raw: 59 04 e3 00 03 00 ec 20 00 00 00 00 96 00 d2 02 eb 00 06 00 18 23 00 00 00 00 91 00 ba 04 f1 00 07 00 a8 23 00 00 00 00 86 18 98 03 f7 00 08 00 00 00 01 00 99 02 00 00 02 00 7b 00 00 00 01 00 41 03 00 00 02 00 f1 04 00 00 03 00 22 02 00 00 01 00 11 04 00 00 01 00 3d 04 00 00 01 00 ad 02 00 00 02 00 c9 00 00 00 03 00 20 04 09 00 98 03 01 00 11 00 98 03 06 00 19 00 98 03 0a 00 29 00 98 03 10 00 31 00 98 03 10 00 39 00 98 03 10 00 41 00 98 03 10 00 49 00 98 03 10 00 51 00 98 03 06 00 59 00 98 03 15 00 61 00 98 03 10 00 b9 00 35 05 1a 00 b9 00 89 00 1d 00 71 00 f5 04 23 00 b9 00 86 02 27 00 b9 00 70 02 2b 00 b9 00 74 04 30 00 71 00 ff 04 10 00 c1 00 5f 02 3c 00 79 00 b9 02 42 00 79 00 c2 02 47 00 69 00 56 02 23 00 b9 00 74 04 69 00 71 00 98 03 10 00 c9 00 7a Data Ascii: Y ##{A"= )19AIQYa5q#'p+t0q_<yByGiV#tiqz
2024-07-27 22:42:21 UTC	3392	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 0c 00 00 00 50 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 0P1
2024-07-27 22:42:21 UTC	3198	IN	Data Raw: 16 04 14 68 37 e0 eb b6 3b f8 5f 11 86 fb fe 61 7b 08 88 65 f4 4e 42 30 1f 06 03 55 1d 23 04 18 30 16 80 14 ec d7 e3 82 d2 71 5d 64 4c df 2e 67 3f e7 ba 98 ae 1c 0f 4f 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 86 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 03 30 77 06 08 2b 06 01 05 05 07 01 01 04 6b 30 69 30 24 06 08 2b 06 01 05 05 07 30 01 86 18 68 74 74 70 3a 2f 2f 6f 63 73 70 2e 64 69 67 69 63 65 72 74 2e 63 6f 6d 30 41 06 08 2b 06 01 05 05 07 30 02 86 35 68 74 74 70 3a 2f 2f 63 61 63 65 72 74 73 2e 64 69 67 69 63 65 72 74 2e 63 6f 6d 2f 44 69 67 69 43 65 72 74 54 72 75 73 74 65 64 52 6f 6f 74 47 34 2e 63 72 74 30 43 06 03 55 1d 1f 04 3c 30 3a 30 38 a0 36 a0 34 86 32 68 74 74 70 3a 2f 2f 63 72 6c 33 2e 64 69 67 69 63 65 72 74 2e 63 Data Ascii: h7;_a{eNB0U#0q]dL.g?O0U0U%0+0w+k0i0$+0http://ocsp.digicert.com0A+05http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0CU<0:08642http://crl3.digicert.c
2024-07-27 22:42:21 UTC	9594	IN	Data Raw: e2 9a 40 0e 8e 1e ba 19 0b 99 29 48 aa 28 d8 58 62 29 13 a0 bf 12 58 66 20 fa 41 70 d6 1d a7 88 83 d0 5f 61 ee f0 b1 82 e2 bc f2 2c 01 f6 8c 98 fc d6 8f 51 b3 a4 e4 7d 46 8a 91 b9 16 52 5d bf 71 2e 8b 2d 08 68 10 77 bd 6b cf e8 08 07 ca 98 17 18 92 6d 5a 37 66 54 57 d8 65 e2 7a f6 a3 05 65 f6 8a af 36 a3 df 5f 92 f5 d6 19 25 a7 e5 28 7a f6 51 f2 66 1d c6 4e e9 39 01 2a 49 3f 79 f9 15 c3 c4 43 38 ea b3 cb e2 a2 f4 55 fa af 7a 21 24 73 3b 73 7d 8a 7d e3 97 87 92 0e 4c 04 bd 85 5a 48 31 51 a4 5a e1 dd 23 57 5a 8a 4f ad 79 1d 58 e8 21 c7 03 29 aa c4 b6 ec 76 a4 42 05 71 8e d3 dd 21 48 54 80 c6 c1 7d ae 5e c2 77 40 0f ab 52 17 5d 4b 36 8c 98 08 70 8a 59 a6 b5 63 2f ae e0 5d 9d 2a aa f4 b9 15 19 b3 75 ab 6d 85 08 55 ae 3a b5 11 79 69 66 7a 52 df ea 5f 40 83 59 Data Ascii: @)H(Xb)Xf Ap_a,Q}FR]q.-hwkmZ7fTWeze6_%(zQfN9I?yC8Uz!$s;s}}LZH1QZ#WZOyX!)vBq!HT}^w@R]K6pYc/]umU:yifzR_@Y
2024-07-27 22:42:21 UTC	6396	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-07-27 22:42:21 UTC	732	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:22 UTC	142	OUT	GET /f/WebAdvisor/files/1489/saBSI.zip HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:42:23 UTC	629	IN	HTTP/1.1 200 OK Content-Type: application/x-zip-compressed Content-Length: 527389 Connection: close Last-Modified: Tue, 26 Mar 2024 13:11:30 GMT x-amz-server-side-encryption: AES256 x-amz-meta-cb-modifiedtime: Tue, 26 Mar 2024 13:10:42 GMT x-amz-version-id: 7sn0EuMWH3aYiKrbA4lOPgyoNDAU9iIf Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 27 Jul 2024 12:06:07 GMT ETag: "f68008b70822bd28c82d13a289deb418" X-Cache: Hit from cloudfront Via: 1.1 43be4ee3b8e339e1d27addbbdc49a4d4.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: lNShVom6fAPM3LjDRVe49HwTYFYzolcnt6v_kx5JLaz38crPY4q9pA== Age: 39397
2024-07-27 22:42:23 UTC	16384	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 9b 5c 7a 58 1c 99 c3 c5 a9 0b 08 00 80 11 12 00 09 00 00 00 73 61 42 53 49 2e 65 78 65 e4 5a 7f 70 54 d7 75 be 2b 69 a5 d5 8f 65 57 20 63 d9 c8 f1 da 26 8e 9a c1 92 6c a1 09 13 8b c9 82 59 5b 06 01 8b 2d 40 60 01 c2 08 f1 90 65 90 b1 b0 e5 16 3b 72 05 54 ab 95 1c 4d 4a 33 b4 61 dc 5d ad dc 68 3a 9a 56 46 3f d8 75 15 b3 c4 54 12 1d 1c 2b ad 9a 28 29 d3 ca 89 3b f3 1c d4 76 93 12 5b 76 15 d4 f3 9d fb f6 bd dd d5 92 e0 bf b3 03 f7 5d 9d f7 9d ef 9e 73 ee bd e7 fe d8 dd bc bb 5b a4 0a 21 d2 e8 ff c2 82 10 41 21 3f 4e f1 fb 3f 25 26 21 96 dc fb ce 12 31 94 f9 fe 7d 41 53 e5 fb f7 55 29 87 5f 74 34 1d 3b 7a e8 d8 fe e7 1d 07 f6 1f 39 72 b4 d9 f1 ec 41 c7 b1 e3 47 1c 87 8f 38 36 6c 7d da f1 fc d1 ba 83 45 56 6b d6 4a 8d e3 11 db 87 Data Ascii: PK\zXsaBSI.exeZpTu+ieW c&lY[-@`e;rTMJ3a]h:VF?uT+();v[v]s[!A!?N?%&!1}ASU)_t4;z9rAG86l}EVkJ
2024-07-27 22:42:23 UTC	16384	IN	Data Raw: d4 86 29 b5 21 4a 6d 20 dd dc 3f cd bc a4 c3 4c 4d cb 4b 26 b6 e9 52 33 78 49 ff 71 23 35 c9 4b 06 78 6a cd 94 5a 13 a5 16 48 b7 3c 4c 33 2f 59 bc 4d a6 a6 e5 25 67 68 53 33 78 c9 3b 8f 19 a9 49 5e 32 cc 53 eb a5 d4 7a 28 b5 70 ba 15 64 9a 79 c9 eb 7b 65 6a 7b 1c 9a d4 ca 7a 75 a9 19 bc e4 da 01 23 b5 f4 bc e4 90 e4 25 87 38 2f 39 2c 79 c9 84 e0 25 4f 1d 4b cf 4b 36 6e c5 1b 5b 2c 42 ff b2 35 cd 22 f4 e7 37 31 8d fb 3f 9f 99 81 97 cc f1 08 5e 32 b6 d1 d8 1d 66 67 3a 73 d9 8f e4 a7 5b 52 79 49 57 a7 b1 1d 8c ab bc b8 ea 95 2d 13 f3 92 0b 3d 82 97 6c 31 6c 7d b0 bd 1e b6 2b b6 68 f7 63 06 b7 f2 e5 8c 78 c9 80 47 f0 92 8d 78 12 e0 3d 9d c2 4b 26 3a b1 e3 0b c9 79 5b d0 20 b6 fd 12 85 97 f4 75 19 54 83 07 fb 25 4d 30 b9 62 8b 6d bf 64 11 f9 27 5e 32 2c 9f e7 Data Ascii: )!Jm ?LMK&R3xIq#5KxjZH<L3/YM%ghS3x;I^2Sz(pdy{ej{zu#%8/9,y%OKK6n[,B5"71?^2fg:s[RyIW-=l1l}+hcxGx=K&:y[ uT%M0bmd'^2,
2024-07-27 22:42:23 UTC	2410	IN	Data Raw: be cb 8f ff db b1 fd 37 c7 f5 ff ed c1 e3 9f fc 7f 35 fe cd 38 fe df bf cc f8 ef 55 c7 ff 6d 65 fc c7 c5 8f 7f 91 9a 74 6a 6e 34 36 6b 16 71 58 31 9b 20 e8 85 96 62 57 65 0d aa 33 c0 78 40 4c cd 72 d1 94 71 c0 23 e1 a7 cd 15 12 13 3d 21 d1 1c 12 8d 85 c5 54 07 fa 22 79 c6 86 7e 02 ff de 34 d2 0c 7c 2f bd 8d ea 27 28 4e e9 c4 18 7a cb a8 9f 8e d8 fe d3 24 4c 57 d5 80 db f8 ab 2c 92 63 37 62 fa 08 a8 67 a0 3f b1 2d ed f8 e3 42 3d 4a 88 64 b5 65 62 8f bd 47 34 60 82 d0 d6 a0 9e e4 25 92 02 ab c7 ed 42 cb d6 1f 31 ae 0b 24 e3 56 c9 b9 77 c3 25 2e 09 04 ca d9 67 4c 66 a7 d5 94 dc 68 9a 9f b0 b5 17 f3 44 df 95 50 0d df ab d2 64 47 1b 2c 5f 67 4c 63 8c 36 ba a4 1e 40 73 b4 bd b5 f5 29 0d f7 0b dc 5b d4 f4 97 f6 94 a6 ff 68 f8 b9 c8 71 18 1f e9 dc ab 03 e9 d6 df Data Ascii: 758Umetjn46kqX1 bWe3x@Lrq#=!T"y~4\|/'(Nz$LW,c7bg?-B=JdebG4`%B1$Vw%.gLfhDPdG,_gLc6@s)[hq
2024-07-27 22:42:23 UTC	16384	IN	Data Raw: 17 2f 67 bd 94 4e bf 80 27 bd fc 02 ba 65 2c 46 ac 67 d4 ff 37 36 fc fa 58 83 9a 6a c8 8e a9 86 ee f1 0a b4 ce 68 18 90 6a e8 a9 37 d5 54 43 66 b5 31 b8 0e e8 d3 a0 7a e9 5e fa 9c 5a 6d 36 ab 76 49 fd 5f b0 da 4d 58 ed 09 da f7 7b 5c ae 1b 64 c7 66 17 cd 7c 2b 81 f3 8e 82 25 51 2a dd 2d 57 ed fd ea 25 e8 ec 13 02 60 55 7a 02 58 f0 66 e8 a0 8b 26 c2 33 98 1e 8f 25 75 22 62 43 49 89 a8 23 b9 40 4f 9b dd c5 2e da 48 43 21 29 87 25 a4 2a ae 6c 07 51 81 62 f0 af 94 63 56 ee 1c c1 3b ef 32 45 c7 26 e5 58 b0 1e 9f 8d 15 79 ef a4 3f 60 6a 5e 8e 51 f9 9d 4a 4b d9 73 a0 22 34 04 cd 24 37 ad 82 b0 52 92 3b d5 b4 13 af ae a2 4f 5d cd 72 47 a2 63 d9 54 9b 70 3e 14 6a 56 dc 88 61 37 66 1c 19 2a 7e c4 f0 5f 7a 43 13 3f 28 6b 18 71 98 d3 f7 bb 30 69 98 e4 ec 53 72 86 29 Data Ascii: /gN'e,Fg76Xjhj7TCf1z^Zm6vI_MX{\df\|+%Q-W%`UzXf&3%u"bCI#@O.HC!)%lQbcV;2E&Xy?`j^QJKs"4$7R;O]rGcTp>jVa7f*~_zC?(kq0iSr)
2024-07-27 22:42:23 UTC	16384	IN	Data Raw: 6b 84 09 70 37 c8 8a c4 5a b6 e3 1a 54 2d 6a 53 8b fc ec 4b 39 c9 55 c5 3c 55 6a 51 b3 ea e9 e8 5a c4 ba d1 73 3d 2f e7 82 43 a8 a7 c3 dd aa 1f 96 f4 d9 f0 b0 e4 e8 95 a6 ac 79 e1 0b cc 53 36 bd d2 eb b0 9e 92 9b 5f bd 12 f3 df 5a c9 31 55 5d 1d 5d fd d2 cf 40 df 98 22 eb a9 82 b5 52 7b 31 ff e5 5b 7a 8b 44 d6 a2 e6 89 17 c1 e2 ac 59 89 58 f8 09 fc d7 45 b5 54 be 80 d6 c8 98 ad f5 20 6a e3 4e e7 0e ef 39 eb bc 51 5a a6 15 0c ba ea f2 7f f4 93 11 b8 79 5a 25 67 d5 95 a9 0e 4b 5d b6 c5 0a 2b 47 3f 5b 54 cb 5c 30 a2 b6 ce 9b cd 55 2d de 29 2f 41 30 05 b8 1b d6 47 b0 38 dc 27 3f 13 14 8b 5b e1 97 a7 e2 74 05 d4 12 37 b8 da 33 9a 8d 5f 06 30 57 3b 4c 5d e4 b4 7f a6 3b ed 3b cf 1e b8 aa 59 df 5f 4d d3 c6 dd 04 fe dc b2 c7 e2 50 1b 07 aa a6 03 26 2f 2d a5 27 ea Data Ascii: kp7ZT-jSK9U<UjQZs=/CyS6_Z1U]]@"R{1[zDYXET jN9QZyZ%gK]+G?[T\0U-)/A0G8'?[t73_0W;L];;Y_MP&/-'
2024-07-27 22:42:23 UTC	16384	IN	Data Raw: 0f b9 58 8d dd ad 2a 87 d5 1a ae 7a d7 f0 65 9b 43 ab bc 3e 33 ad f2 32 7d 90 5f c0 1f 1c 25 f8 77 46 1f e4 bf 1a 81 fc 3b 1a 50 8e 0a fe 9d a1 71 bb 0d fb 04 1f b3 2a 34 c8 e3 63 fe 8b 55 21 0b 2b 69 5c 30 9c 85 d6 14 99 85 76 d6 ef a8 f2 66 e5 6b a9 e3 f3 38 3c b0 92 e8 60 85 8e 80 b2 56 90 72 a3 f8 d9 44 f8 2b 5d 0b e2 d9 cd 80 f6 eb 68 c6 fa 7a 1c 0b 2f 94 1d 09 aa b2 b1 41 a6 d7 07 e5 e1 ca 5a 55 d9 c4 f0 6f 7b e7 22 63 a9 4b 2e 04 bb e5 60 ee 8d ba 6d 5b 34 36 a7 45 5e f6 3c d4 56 cc 8f 05 8d 24 f2 f5 bf 8e 8b 0e c6 d7 e8 19 ea e2 07 c4 7b 3d 18 9f d2 95 ab d6 b4 bb 30 bc 4f cd da 32 3e 29 19 67 82 5d 74 02 64 23 e1 c4 30 65 f8 26 56 83 a7 e1 e3 f4 0c e3 fa 71 9e 50 cb f6 44 b5 e5 70 b8 19 78 7e 9d ac fc e1 4a 03 ab 69 d0 93 1a 74 3e 14 d5 0c de a7 Data Ascii: XzeC>32}_%wF;Pq4cU!+i\0vfk8<`VrD+]hz/AZUo{"cK.`m[46E^<V${=0O2>)g]td#0e&VqPDpx~Jit>
2024-07-27 22:42:23 UTC	16384	IN	Data Raw: 62 64 1a 0a 5f aa 69 68 5c 7b f8 39 74 39 9b 27 b3 f0 64 f0 85 e5 43 b2 c1 3c 19 dd 37 12 e3 64 49 c0 ce e8 91 d5 73 26 81 23 77 2f f6 3f b9 62 45 22 98 55 52 5a 8e a7 4d 5d 93 57 3b b9 7b c4 b1 c1 11 f9 ff a1 9b e4 6a fe 17 b0 e2 59 6e 4f 12 dc 97 93 81 03 a6 09 8e 28 50 63 eb 21 d6 7b b2 72 64 03 4c cc aa d1 cf 8b 5c 60 8f 4f 3b c4 0e 2c 46 f2 4c 78 c5 8a 0e ae d2 bd 41 f7 3b e4 7d bf dc c4 b6 10 0b e1 98 66 f1 0b 9b cf 16 09 74 a4 e4 8e 78 c9 81 fe c2 47 c8 c6 9e ee c2 65 88 68 ae bc d1 f5 fc c7 45 42 f9 cd ae 13 f0 70 d9 3e 29 c2 8b 70 4f 37 e1 82 79 7c c3 90 c8 ca 0b 42 95 57 26 ca 87 e5 59 09 c9 07 33 bf c2 bb 34 26 49 8e c4 ce f4 a5 13 64 47 52 f2 2b 99 dd 4b ad c5 a5 4a 61 02 ab 1b 29 08 9d 57 ca fe 64 1f e0 25 c9 6d 03 5c 94 b0 3d 1b 89 97 8d 6e Data Ascii: bd_ih\{9t9'dC<7dIs&#w/?bE"URZM]W;{jYnO(Pc!{rdL\`O;,FLxA;}ftxGehEBp>)pO7y\|BW&Y34&IdGR+KJa)Wd%m\=n
2024-07-27 22:42:23 UTC	16384	IN	Data Raw: 04 ff e0 da b1 eb f1 6c 10 95 0f 93 52 3b a4 34 60 cf 92 94 e5 9a e0 0f 72 06 83 49 af 22 33 0d b5 64 42 2d f7 7e 2e 9a 9c 19 62 56 ab 78 57 d2 96 41 bc e4 70 63 52 3d 7c af 2e c4 a8 aa 20 6b 7c 2e 8e 33 5a e9 bf 7e 82 a7 9d fb 80 8c 3c fb cf ee 9c 36 5b db 43 9d bf 90 04 a1 59 7e 71 c8 7c aa 8f 38 7b 5b cf a4 81 f8 e6 dc d5 4a a7 ea da 48 59 8f 6e 00 7a e0 eb 98 21 4b fb ec 9f d7 4e f2 9d 36 c9 52 8f e2 e8 c2 0b 3f 78 f7 bd ef 3e 64 89 2e 90 56 db 19 8c 4a 5e 6b 85 6c 28 a4 48 50 42 ea 2a d7 7d 8e e1 c8 b3 99 81 87 b1 43 7f bb d0 97 0d e5 f9 7e d8 66 0f 88 4f e2 75 0a df 7e 91 df f5 5f 9d f2 2a 7e 05 ad a4 f5 20 95 1d bb 79 39 c7 6e bc 85 c6 73 c6 12 c7 6e 8c 7c 2c ce 1d c8 d9 23 4b bb 7d 1d ea e1 e0 7e 55 19 7d 9d aa c0 79 42 83 96 27 ff c3 16 11 d3 c9 Data Ascii: lR;4`rI"3dB-~.bVxWApcR=\|. k\|.3Z~<6[CY~q\|8{[JHYnz!KN6R?x>d.VJ^kl(HPB}C~fOu~_~ y9nsn\|,#K}~U}yB'
2024-07-27 22:42:23 UTC	16384	IN	Data Raw: 7a 50 53 b7 a7 ca 60 f1 8e 4d 99 d0 c4 fc bf 80 bd e3 af d6 17 f5 d6 ff c8 25 89 80 b5 a8 f3 b4 58 5d 80 12 03 4f 25 1b 9e 3e b0 b6 6f 44 8f 02 06 df 0f b1 bb 94 f0 5e b9 45 1b 26 b1 51 13 0f b8 cf 2d cf 32 e4 db ba 26 ac 98 c8 66 2a 30 53 f7 ae 18 61 68 c3 d8 41 6f 35 bf b8 d7 34 bb 00 a9 05 c0 83 e6 72 99 7f d4 4b a6 9a 3e 13 8f 34 af 76 92 cc b2 6a b9 05 77 99 fb 79 37 e2 e0 e9 05 dd 6d 09 e8 6e 8b d7 97 b9 ac 8d ec 4b 16 df d4 14 b7 a7 5d f0 df 94 78 fe 1b b0 76 93 e3 2b 62 44 6c 14 6d 15 fd a6 38 6c 5d ee b2 9a 48 15 fb d1 f7 75 f0 4d f2 7d b1 23 5e 4e 0a a8 a7 7b 43 7b ca 8e 8c c7 55 e1 71 48 7b f2 a5 f8 87 b6 99 dc 38 77 93 57 ea 44 f7 a4 39 0e 93 be 4a 6f a0 e0 f5 f9 12 ff 30 37 53 fa d6 bd a0 2a df 8d 05 f0 b0 97 39 0e 93 8d 5e 7c 7e 93 9e 31 69 Data Ascii: zPS`M%X]O%>oD^E&Q-2&f0SahAo54rK>4vjwy7mnK]xv+bDlm8l]HuM}#^N{C{UqH{8wWD9Jo07S9^\|~1i
2024-07-27 22:42:23 UTC	16384	IN	Data Raw: 37 d4 ef c9 6a 3a c9 72 6c 4a 76 a9 e2 d9 fe 64 3c e6 a7 d9 ee bd 6c 92 37 77 e2 31 01 e9 7e 7b 8f fc 6c 2b fe b4 64 2a 8e 9d ea cc 42 56 8d 29 08 24 b4 cb dc 63 57 7b 67 e7 ba 65 ef 25 93 3b c9 5b 65 5e 8c 97 9e 0b ec 6f ec 32 86 a7 bc 31 0c d7 86 e4 c3 b9 f0 fa fb 68 db 97 2f 82 6a d9 6b 9e bc 19 be fa 3f 3a 2a 30 2d cc 38 ef 55 93 fb 3a 96 51 11 96 12 e6 4b e6 d8 09 88 6d db 26 16 6d 6f f0 2b 45 3b a9 e2 0f 52 fa d3 fd ac fa b8 e3 4d 09 da 85 0b 19 50 67 2b 66 24 71 94 b2 ec 7d aa 65 ae e2 28 53 ef c8 d4 fd d7 b4 ca 9e 14 95 bd 7b 86 5e d9 e3 58 d9 bb 67 40 65 cf b0 ef 4a ba dc f7 cb 07 47 1e 9e 41 d2 b3 9d aa ea 9b 45 49 1b 6f 53 3c 7a 55 27 30 e0 0c 10 4f 90 0f 3a cd 8b 91 4d 3e 33 54 1c 2b 8d 35 3e cb 1c 65 00 db f6 dc 44 cf ae 86 ab 78 1e 84 c5 de Data Ascii: 7j:rlJvd<l7w1~{l+dBV)$cW{ge%;[e^o21h/jk?:0-8U:QKm&mo+E;RMPg+f$q}e(S{^Xg@eJGAEIoS<zU'0O:M>3T+5>eDx

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:24 UTC	144	OUT	GET /f/WeatherZero/files/969/WZSetup.zip HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.1.2 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:42:24 UTC	520	IN	HTTP/1.1 200 OK Content-Type: application/zip Content-Length: 6227973 Connection: close Last-Modified: Thu, 08 Dec 2022 09:14:29 GMT x-amz-version-id: s20fxiZKNPOZhn5cscxnL4vQWeKpCNmb Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 27 Jul 2024 07:21:07 GMT ETag: "7cc0288a2a8bbe014f9e344f3068c8f1" X-Cache: Hit from cloudfront Via: 1.1 e23d0cd26e88be416569e15d7299b25c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: l8Iu3GfciP-lE411Qqy0RO2R9HACkJYB0zbq7R9M7XaHqBjzAy9b1A== Age: 55278
2024-07-27 22:42:24 UTC	15864	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 76 86 87 55 c9 02 ed f5 8d 07 5f 00 10 8b 5f 00 0b 00 00 00 57 5a 53 65 74 75 70 2e 65 78 65 ec bd 7d 78 54 d5 b9 37 bc e7 2b 19 92 09 7b 02 89 46 f9 0a 12 14 0d 52 34 60 89 43 74 02 d9 21 58 06 26 0c 99 81 0a 08 42 70 18 23 a1 c9 de 88 96 e8 84 9d d1 6c 36 63 39 ad 7a 6c 6b 2d 88 3d b5 2d e7 d4 9e 5a a5 ad 8d 19 b0 49 50 d4 f0 51 88 42 6b d4 54 f7 38 51 a3 a4 61 80 98 fd fc ee b5 67 00 cf 79 ce 7b 9e eb b9 de f7 ba de 3f 4e 70 cd 5e 9f f7 5a eb 5e f7 e7 5a 6b 6f 3d df de c5 59 38 8e b3 22 e8 3a c7 ed e7 8c 3f 37 f7 df ff 75 21 8c 9e f4 87 d1 dc 8b a3 de 9c bc df b4 e8 cd c9 cb 82 1b 1b 0b 37 37 d4 df d3 b0 f6 be c2 75 6b 37 6d aa 17 0b ef ae 2d 6c 90 36 15 6e dc 54 58 b1 c4 57 78 5f fd fa da 19 39 39 59 45 29 18 ff 7a d3 f5 Data Ascii: PKvU__WZSetup.exe}xT7+{FR4`Ct!X&Bp#l6c9zlk-=-ZIPQBkT8Qagy{?Np^Z^Zko=Y8":?7u!77uk7m-l6nTXWx_99YE)z
2024-07-27 22:42:24 UTC	16384	IN	Data Raw: 31 e2 72 2b 5d 29 f2 74 79 15 fc 76 2b 6c 32 da 6e 1a 4c 5a 51 74 66 64 a3 75 3c 77 14 89 bc e7 c1 8d 10 4c bb 49 14 d5 26 b9 fd d3 8e ce e3 ca d6 1f 9f c7 fd c6 fe 50 5e d9 b4 13 f3 b8 26 eb 48 2c 31 aa ac 95 a2 e6 df 64 f2 6d 87 14 bb dc 6e 2d 7b 1e 19 db 8e 47 85 e4 ab d4 c6 1b 9c 76 0a fe f3 f4 e7 e8 f2 38 d2 c1 95 2d 88 8d a7 1f 7a 5d 38 68 bc 92 10 a6 8f bf 4c 5c 11 b2 2d 3f f3 2b f6 81 22 d6 68 26 35 2a a4 46 3d 54 ff e9 16 76 63 68 62 90 e0 6a 1e 34 19 b1 d1 30 77 13 f0 d6 4a e7 ee 99 ec 99 bb 87 fa 51 2a f3 f6 14 b2 67 81 7c 2d 17 9f 0b 85 a1 be d1 99 41 9b ee 40 e6 b1 fb da 8b df 89 5f 67 e7 52 8b 42 9f 5c f9 af 16 a5 90 2d 4a c9 29 e3 f3 3e ab da 5d 07 95 4a 2b df 12 27 23 32 6b 39 7b b7 df 00 a2 91 37 2c 1c 27 8f 92 ae c9 aa 8f 11 15 a8 35 dd Data Ascii: 1r+])tyv+l2nLZQtfdu<wLI&P^&H,1dmn-{Gv8-z]8hL\-?+"h&5F=Tvchbj40wJQg\|-A@_gRB\-J)>]J+'#2k9{7,'5
2024-07-27 22:42:24 UTC	16384	IN	Data Raw: 0e f6 4b 9c d4 5c e7 2f 71 9d 63 3f c7 7e 9e fb ec 77 5a 9e a5 3b 7d f6 22 96 8f 9a 8e eb d2 79 2c 2d 07 17 f5 45 ee 33 5c d4 ec 67 ce 9d 3b 75 e6 0c 1d cf a5 b3 64 69 69 bf 1a 35 ed 57 6a 21 b0 cb 8b 06 fe 17 fe 0f 86 91 e4 a0 e6 65 cb 47 18 be ac 67 b8 92 ef 3d d4 6d 05 d5 a1 03 42 a2 8d 77 26 99 f4 2d b2 0f bb 59 3e 2d b7 dc 61 16 2d bc a3 71 c2 69 e8 9c de ba 72 26 41 9f d8 23 d2 b9 71 5e 9a fb af 25 bf 69 a0 92 f1 09 f0 34 e8 b8 d1 f6 7a d5 4f 3c 1f 8e b7 70 dd d7 89 3e c7 fc 9a 21 3f 07 54 ee af df ec d9 15 11 79 ed c7 d5 9b e6 d5 d4 f2 98 5d 53 37 6d 52 9b f2 7c e7 12 58 11 2c 74 b4 ad e2 7e b3 53 a4 48 cb f0 5c 73 4c 79 de 21 0a d5 c7 9b 3f 6c 50 1a 80 e9 43 1b 87 80 5e 76 bc b2 6a db 81 9d 72 30 b8 ea 82 d1 8d 76 b5 77 fb e7 a6 67 18 77 18 ff 68 Data Ascii: K\/qc?~wZ;}"y,-E3\g;udii5Wj!eGg=mBw&-Y>-a-qir&A#q^%i4zO<p>!?Ty]S7mR\|X,t~SH\sLy!?lPC^vjr0vwgwh
2024-07-27 22:42:25 UTC	16384	IN	Data Raw: 75 6d cd 07 77 fd 7f 5a da 35 9f 1c d8 5e 34 4e 8d 4a 2c 36 14 4f db d5 71 db aa 1b 34 dc c2 a7 14 e6 7d fd 8e 0f fd d0 e7 02 92 a4 6d 3a 17 7e 32 22 e2 ab 1b da f4 da 53 43 d9 5a f2 5b 1c f5 43 c6 db 42 ff 28 b8 27 42 93 94 c6 2e 16 6f c8 c4 5c cd 9e 71 86 2b b7 43 cb 4d 6f ea 40 c9 39 15 f1 c0 2b 16 8e ad b0 d7 8e 38 e8 98 37 74 de 21 59 54 0f f2 6e b3 8d 2d d8 89 05 b7 51 5b 5c 9b 23 b8 fe f0 8c 8b ff e6 f7 45 6d 7c a5 e1 1f 1a 8c f0 ce 77 66 38 4c 07 54 6a 4b 80 73 75 9e 60 70 25 7a c1 56 ea cb e3 2f cd 1f b8 7e 09 fd 6e c7 e6 fa 85 f7 36 04 3d 31 15 fd 0d fa fe c6 7c 7d 87 eb 43 b6 1c 27 34 f4 ae fa 2d 6f 00 bc 89 1b d3 87 9b 10 ef c1 7b 93 ae dc e6 a2 c4 20 b1 44 69 a2 99 ab 43 06 00 10 f5 c1 22 6e 4a df 97 9f 10 a7 40 59 cb 9d 38 68 fa 38 c7 5b 68 Data Ascii: umwZ5^4NJ,6Oq4}m:~2"SCZ[CB('B.o\q+CMo@9+87t!YTn-Q[\#Em\|wf8LTjKsu`p%zV/~n6=1\|}C'4-o{ DiC"nJ@Y8h8[h
2024-07-27 22:42:25 UTC	16384	IN	Data Raw: 63 01 24 1a a7 ee 08 d2 40 18 f9 00 4c 7c cc 2e cc 74 68 e5 d2 f2 15 b4 31 9a fc 16 ce e7 f6 25 c9 32 73 0d e3 3c 7e 33 77 a9 4b 9a 44 e4 b0 0a b4 21 f5 19 b2 b4 e8 54 ad 78 9a e7 2a 86 ca 3c 8e d7 29 55 08 99 d1 09 60 f3 d8 66 05 99 d2 71 9a 01 fd 34 fb 27 ac 42 eb 98 04 95 32 a6 df 86 3d b5 bc a4 85 89 54 8e 5f 8e 79 36 e7 bb af 69 9a a7 bf 2d 5e 75 c3 f5 df 11 5f f8 e5 2d 9e 1b 6c c8 c9 df bd 18 b4 07 8e 6c a2 6a 64 14 fa 5d 3b 2d 8d d6 bf 4b d3 5b 7c a2 5f b5 bb de f9 89 79 27 4c 1c 1a 67 46 18 c4 6c df d8 e2 bd 6f 04 18 bf e5 98 8c 40 a9 7c 99 1e ff 10 00 f3 21 3a e6 47 aa af f2 a1 44 70 54 79 da 20 29 a2 cf 09 a0 8f f0 cf 28 88 03 52 c4 dd f0 de 5c 18 73 48 72 b1 79 7f f3 bc 95 81 9d ad 9f fa c0 b4 23 6b 8f dd 23 7d f1 f9 20 4d ef 19 bc 38 bb 55 6d Data Ascii: c$@L\|.th1%2s<~3wKD!Tx*<)U`fq4'B2=T_y6i-^u_-lljd];-K[\|_y'LgFlo@\|!:GDpTy )(R\sHry#k#} M8Um
2024-07-27 22:42:25 UTC	16384	IN	Data Raw: 03 93 f2 c6 9d 54 23 5e 70 13 8c bc 29 b1 a9 f2 7a 94 2b 68 c9 99 c2 81 df dc 74 a6 ee d2 f3 e4 6f 1f 6d ce 06 e6 f3 57 9c 77 cf cf ae 74 e1 84 f4 05 67 47 2b ba a8 71 5f fe 52 aa 16 5e 56 de 2d 56 1f 5d 03 37 d2 10 ac 04 1d 9b 9d 02 6a 6c ef 79 35 1b f1 b5 a5 96 97 1b 66 65 b0 6a 96 44 08 97 06 4e a2 1e 93 99 d5 fd 94 5c 50 47 eb db 06 93 01 42 63 ca 64 d6 9d a4 e7 00 16 d5 46 4f 7e ab 4b 0f 95 01 1c 42 5b 8d a8 c6 c0 1f ba 8d 29 a3 7f 3f d3 27 8d 07 b8 a8 4e 88 bb 34 8f 65 3b 3f 13 a4 de 79 7a 52 a5 69 42 74 cd 74 5e 7b fa c6 ea 0b 3d 1d ee 4b 9f 93 ae 4c bc 32 ee b6 a7 3c 60 d5 99 19 8e fa 22 6f 21 bd 5e bc e8 0f 71 d1 17 c8 12 0e 7b c2 91 9d 74 a0 14 51 19 c6 60 a4 2d 1b 85 e9 e2 78 5d 75 06 08 f9 e3 3d 08 78 90 48 cd f8 72 c5 72 da 14 ab de 95 23 08 Data Ascii: T#^p)z+htomWwtgG+q_R^V-V]7jly5fejDN\PGBcdFO~KB[)?'N4e;?yzRiBtt^{=KL2<`"o!^q{tQ`-x]u=xHrr#
2024-07-27 22:42:25 UTC	16384	IN	Data Raw: c4 d4 0c 8f e1 44 36 71 e9 da 81 0d 74 2a 88 69 ba 76 26 5c 61 93 46 c6 c9 15 05 3d ea 65 55 d6 5c 84 b6 8a 1a 0a 45 31 0b 93 05 cc 80 c4 e9 88 1e 3a 15 42 c4 58 5e 2c da 9b 7f 08 37 5d a8 6d 7d f2 04 1b fd 31 bc ff a0 58 4a e1 14 fb 5c 61 e1 6f e1 d1 c4 b6 0b 18 1f 91 57 cb e9 6e 0c eb b8 a7 ba 55 73 7c aa b8 45 b1 d2 b3 f8 2d 6c 91 07 90 be 7f 55 7a 7f 1e 05 e1 2c af a2 39 83 17 d1 2b b3 fd c5 b1 c0 ab 8e 54 2a b2 31 7c 26 9b ac 15 f4 59 e3 28 ba d9 9d 7f 6e 34 d6 a5 7f 00 c3 bf 5b 9e a0 47 31 96 f7 73 66 19 32 1c 89 89 fd c0 b4 4e 19 5a 77 17 31 8b 69 32 53 ff f5 12 9c 41 0e d6 05 a0 ba fb dd fb a5 be af 3d 63 51 52 b7 37 6f 92 f4 ac ed 1e e3 1e 1d 86 dc 4c 68 46 80 59 30 9a 7b 91 3c 81 bb 56 64 2f cd 1f 4b 96 f1 02 3b 7c fa 40 14 d1 d5 d8 70 ce f3 1e Data Ascii: D6qtiv&\aF=eU\E1:BX^,7]m}1XJ\aoWnUs\|E-lUz,9+T1\|&Y(n4[G1sf2NZw1i2SA=cQR7oLhFY0{<Vd/K;\|@p
2024-07-27 22:42:25 UTC	16384	IN	Data Raw: 72 ba 19 d2 2a 48 53 26 34 fe bc 8e 1c 82 b5 70 95 d0 55 5c 3d 27 5f f1 c4 37 ad 84 28 f1 24 60 26 3f fa da d7 37 19 22 78 82 af ff fa d4 06 db 8c 2d 12 d2 a3 87 9e 98 42 70 dc 17 88 03 b6 11 db aa fb 40 ce fb 11 79 3d 51 b5 47 f3 eb 2c 80 87 a4 b1 b5 9e 1d 2b b3 a2 1f e4 c9 a6 2c ea 8c 83 ed 38 37 74 dd 2e 5c 6b 3d b4 a8 93 77 7f 11 59 3c f5 a7 ca ff 4b ab e1 f9 86 9b 51 02 62 b9 c7 0d 69 00 69 93 ef 93 75 03 7c 5d c2 78 7e 82 01 33 b8 9f f8 2f f7 06 a6 cd 43 ac 1e 4b f1 05 1d be 64 4e c7 98 c7 10 05 64 ca af 5f 6d bc 8e 41 f9 57 dd 59 5f 75 ef cb fc 83 a7 14 fa d1 69 23 ec 96 aa 07 29 7f 1a 2e df 44 7d 84 d1 54 ff e6 9d d2 db 32 6c 5d 73 1b 66 45 00 6c 3e 42 ac 04 9f de e1 9f 69 3c b6 cb 00 ab ba 40 d8 fb 4b 7c c9 8f 6d fa a5 49 c6 39 4b 59 5c 0e 1c 16 Data Ascii: r*HS&4pU\='_7($`&?7"x-Bp@y=QG,+,87t.\k=wY<KQbiiu\|]x~3/CKdNd_mAWY_ui#).D}T2l]sfEl>Bi<@K\|mI9KY\
2024-07-27 22:42:25 UTC	16384	IN	Data Raw: 5d f5 e3 70 76 9e 83 bc 7f a2 a0 36 a8 a4 f8 a7 02 ef e1 52 56 7b 70 6c 75 aa a7 be 13 9f ff 16 f6 74 32 d8 2b 92 c1 b3 e7 80 d2 5d 30 e4 a0 18 b8 73 40 31 63 97 ba 94 a7 5e c8 97 c8 08 f2 f9 c7 51 ef 79 99 cc b3 25 f6 59 92 35 f7 c7 12 23 8d fe d5 14 2a 01 81 fa 15 5a 9d 31 ba 13 0d 4f ea 38 4f e2 38 ba 64 17 f2 c1 1c f2 9f a3 92 48 fc 4b 2c c4 1e 84 1e d8 23 c7 ea 16 70 53 11 b8 e1 85 f2 25 99 5b 4c 6b 0f 15 95 32 2e 15 7e 93 b5 fc 26 f9 f7 2c ad 6d dc a3 34 08 15 75 ed 25 75 25 9b bf 50 dc ad 5a 02 94 7d b8 1a e5 25 6f be 73 eb b6 af 1b 83 ff 2a 32 fa 09 4e ad ed da dc 59 95 15 30 06 45 a9 a0 54 24 a9 e3 9b 54 d7 57 88 c9 33 81 5a 93 72 fe 6b 12 03 44 39 92 2f fe e4 ff 32 36 1d 76 ed d4 55 cd ad 5a 1e 26 f4 d5 ec e6 68 0b 9c f4 d0 f2 5d 09 a7 0b 5c 16 Data Ascii: ]pv6RV{plut2+]0s@1c^Qy%Y5#Z1O8O8dHK,#pS%[Lk2.~&,m4u%u%PZ}%os2NY0ET$TW3ZrkD9/26vUZ&h]\
2024-07-27 22:42:25 UTC	16384	IN	Data Raw: 6d 6a a4 70 b3 a4 89 e1 9e a6 2e fc 1f 95 c1 29 72 66 03 ae 94 bb c1 79 4b 44 6a ce 95 e5 89 23 56 e0 49 2a f6 23 b8 22 09 eb 1b 45 6b 2b 34 eb a2 07 2b 40 67 94 cc ca e4 9a 39 48 d3 2b 2f c8 92 e5 5f f0 63 6d 04 40 1c 21 cf 78 39 53 72 57 0c 93 5c 76 11 74 0f 6e 0e e6 c8 0a c9 68 94 da 45 9a 1a 18 19 7d 6e 3f d0 13 0a 4e 39 fa 71 65 e7 5e 50 08 54 f9 f0 bc 84 23 6a 69 a3 51 20 82 59 56 d6 50 3e 72 1f 31 2e f9 10 02 34 5c 8c 28 17 cf e7 e6 6b 14 75 d3 90 be fe 1b 67 4e 42 a5 71 82 4a 1d 91 40 35 6a 4d e8 2f 2b d8 f8 e2 48 aa e4 25 8d e7 cf f1 b6 51 1c 83 df 0f df d0 47 fc ff cc 3c 29 ec dc b5 53 f2 9b 4e 65 25 84 26 17 cb bf b0 d8 f1 9c 05 ae 18 9a 90 9b 7e a7 04 53 58 62 7d 05 95 d0 fe 28 9a c7 12 b5 c2 f8 80 e6 c1 ca cc 14 03 f4 8b 01 ac 07 67 24 06 f4 Data Ascii: mjp.)rfyKDj#VI*#"Ek+4+@g9H+/_cm@!x9SrW\vtnhE}n?N9qe^PT#jiQ YVP>r1.4\(kugNBqJ@5jM/+H%QG<)SNe%&~SXb}(g$

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:30 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325f User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 353 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:42:30 UTC	353	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 37 31 38 34 31 35 34 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 52 41 56 5f 43 72 6f 73 73 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 52 41 56 5f 43 72 6f 73 73 5f 54 72 69 5f 4e 43 42 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 33 33 5c 22 2c 5c 22 36 5c 22 3a 5c 22 33 5c 22 2c 5c 22 37 5c Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20240727184154\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"RAV_Cross\",\"18\":\"ZB_RAV_Cross_Tri_NCB\",\"19\":\"\",\"21\":\"133\",\"6\":\"3\",\"7\
2024-07-27 22:42:31 UTC	428	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 27 Jul 2024 22:42:31 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 392cb865edfd76152c5ac655614b2f60.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: XUFWCqZjoL94Mu8R__GfxGDS6PgN4Y2RJnXADGFni3vH6KPY2fhjKA==
2024-07-27 22:42:31 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:31 UTC	273	OUT	GET /ReasonLabs-Setup-Wizard.exe?dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20240727184154&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true&oip=26&ptl=7&dta=true&pds=%5bepp%2cvpn%2cdns%5d HTTP/1.1 Host: shield.reasonsecurity.com Connection: Keep-Alive
2024-07-27 22:42:31 UTC	1149	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 2366456 Connection: close Date: Sat, 27 Jul 2024 22:42:31 GMT ETag: W/"241bf8-/G0m9QH1fC47W3GlBUr4R8fDaPw" Access-Control-Allow-Origin: * Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0 content-disposition: attachment; filename=ReasonLabs-Setup-Wizard.exe X-Cache: Miss from cloudfront Via: 1.1 10f6ed997c15c1439b3ae1db258c7d16.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA60-P8 X-Amz-Cf-Id: oqj_kxSfctIL30d_iEy0skwJhqtM59-YXX--tpeMjlIVBpLvBy_muA==
2024-07-27 22:42:31 UTC	6260	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9 4b 61 00 ed 2a 0f 53 ed 2a 0f 53 ed 2a 0f 53 82 35 04 53 ee 2a 0f 53 6e 36 01 53 e5 2a 0f 53 82 35 05 53 e6 2a 0f 53 82 35 0b 53 ef 2a 0f 53 63 22 50 53 ec 2a 0f 53 ed 2a 0e 53 64 2a 0f 53 6e 22 52 53 e4 2a 0f 53 db 0c 04 53 ae 2a 0f 53 fb 55 0b 52 ec 2a 0f 53 db 0c 05 53 ef 2a 0f 53 f6 b7 a5 53 e1 2a 0f 53 75 58 0c 52 ec 2a 0f 53 2a 2c 09 53 ec 2a 0f 53 52 69 63 68 ed 2a 0f Data Ascii: MZ@!L!This program cannot be run in DOS mode.$KaSSS5SSn6SS5SS5SSc"PSSSdSn"RSSSSURSSSSSuXRS,SSRich*
2024-07-27 22:42:32 UTC	7240	IN	Data Raw: 38 5e 34 74 0b 8b 56 44 8b 4e 28 e8 15 22 00 00 33 c0 5e 5b c2 08 00 56 8b f1 57 8b 46 04 8b 0e 8b 7c 81 fc 85 ff 74 0f ff 37 e8 40 0d 00 00 57 e8 3a 0d 00 00 59 59 ff 4e 04 5f 5e c3 b8 91 9f 41 00 e8 15 73 01 00 81 ec a4 00 00 00 8b 45 10 53 56 8b f1 57 33 db 8b fa 8d 8d 50 ff ff ff 88 18 e8 13 05 00 00 57 8d 8d 54 ff ff ff 89 5d fc 89 b5 50 ff ff ff e8 83 13 00 00 8d 8d 60 ff ff ff ff 75 08 e8 75 13 00 00 68 f8 00 00 00 e8 a8 0c 00 00 59 8b c8 89 4d 08 3b cb c6 45 fc 01 74 07 e8 9b 06 00 00 eb 02 33 c0 50 8d 8d 70 ff ff ff 88 5d fc 89 85 6c ff ff ff e8 8c 68 00 00 38 5d 0c 0f 84 8c 00 00 00 8b 85 6c ff ff ff c7 80 e0 00 00 00 01 00 00 00 89 5d 0c 8d 85 50 ff ff ff ba 4b 29 40 00 50 8d 4d 0c c6 45 fc 02 e8 99 6e 01 00 3b c3 74 1b 7e 0a 25 ff ff 00 00 0d Data Ascii: 8^4tVDN("3^[VWF\|t7@W:YYN_^AsESVW3PWT]P`uuhYM;Et3Pp]lh8]l]PK)@PMEn;t~%
2024-07-27 22:42:32 UTC	4344	IN	Data Raw: c8 ff 5f 5e 5b c3 8b c7 eb f8 55 8b ec 51 83 65 fc 00 56 57 8b f2 8b 55 08 8b f9 8b ce e8 b7 ff ff ff 85 c0 7d 09 8b cf e8 44 f6 ff ff eb 10 8b 0e 8b 04 81 8b cf 83 c0 0c 50 e8 e5 f6 ff ff 8b c7 5f 5e c9 c2 04 00 56 57 8b f9 8b 77 04 85 f6 74 1e 53 8b 07 4e 8b 1c b0 85 db 74 0e 8b cb e8 79 dc ff ff 53 e8 bd f0 ff ff 59 85 f6 75 e4 5b 83 67 04 00 5f 5e c3 b8 7a a2 41 00 e8 93 56 01 00 51 56 57 8b f1 6a 18 e8 66 f0 ff ff 8b f8 59 89 7d f0 83 65 fc 00 85 ff 74 1f 53 8b 5d 08 53 8b cf e8 7d f6 ff ff 83 c3 0c 8d 4f 0c 53 c6 45 fc 01 e8 6d f6 ff ff 5b eb 02 33 ff 8b 46 04 8d 48 01 89 4e 04 8b 0e 89 3c 81 8b 4d f4 5f 5e 64 89 0d 00 00 00 00 c9 c2 04 00 55 8b ec 53 56 8b 75 08 57 ff 75 0c 8b f9 8b 0e 33 c0 8d 1c 17 89 46 04 66 89 01 53 57 8d 55 08 33 c9 89 45 08 Data Ascii: _^[UQeVWU}DP_^VWwtSNtySYu[g_^zAVQVWjfY}etS]S}OSEm[3FHN<M_^dUSVuWu3FfSWU3E
2024-07-27 22:42:32 UTC	8192	IN	Data Raw: 4e 28 33 ff 83 fb 02 89 79 04 66 89 38 75 20 8d 45 e0 50 e8 a6 e6 ff ff eb 15 ff 75 0c 8b ce 50 e8 27 ff ff ff 84 c0 0f 84 e4 00 00 00 33 ff 66 81 66 20 ef fb 83 4d c4 ff 89 3e 89 7e 04 8d 45 e0 8d 4d c8 50 c6 45 fc 02 e8 de e5 ff ff 8d 4d ac c6 45 fc 03 e8 1f e5 ff ff 8d 45 0f 8d 4d c4 50 8d 45 ac 50 c6 45 fc 04 e8 8f fe ff ff 84 c0 74 34 80 7d 0f 00 74 26 8b 55 d4 8b 4d ac e8 b8 df ff ff 84 c0 75 23 ff 75 ac c6 45 fc 03 e8 9c df ff ff 59 8d 4d ac e8 dd e4 ff ff eb bc 6a 02 ff 15 80 b0 41 00 32 db eb 36 8b 4d b0 83 f9 07 76 11 8d 41 fa 3b c1 73 0a 8b 4d ac 89 45 b0 66 89 3c 41 8d 45 ac 8d 4e 28 50 e8 c1 e7 ff ff 8b 45 bc c6 46 24 01 89 06 8b 45 c0 89 46 04 b3 01 ff 75 ac e8 47 df ff ff ff 75 c8 e8 3f df ff ff 59 59 8d 4d c4 e8 f3 fb ff ff ff 75 e0 e8 2d Data Ascii: N(3yf8u EPuP'3ff M>~EMPEMEEMPEPEt4}t&UMu#uEYMjA26MvA;sMEf<AEN(PEF$EFuGu?YYMu-
2024-07-27 22:42:32 UTC	3392	IN	Data Raw: ff 15 44 c3 41 00 8b 54 24 0c 8b cf ff 15 40 c3 41 00 89 06 5f 5e c2 04 00 8b 44 24 04 8b 4c 24 0c 89 48 14 33 c0 c2 0c 00 8b 44 24 04 8b 4c 24 0c 89 48 18 33 c0 c2 0c 00 53 56 8b f1 57 8b 46 38 8b 5e 34 3b d8 72 02 8b d8 66 81 e3 00 f0 b8 00 10 00 00 3b d8 73 02 8b d8 83 7e 2c 00 8d 7e 2c 74 05 39 5e 30 74 17 53 8b cf e8 83 ff ff ff 83 3f 00 75 07 b8 0e 00 07 80 eb 05 89 5e 30 33 c0 5f 5e 5b c3 56 8b f1 8b 46 68 50 8b 08 ff 51 0c 85 c0 75 07 8b ce e8 9d ff ff ff 5e c3 8b c1 ba 00 00 20 00 33 c9 c7 40 04 64 bb 41 00 c7 40 08 54 bb 41 00 c7 40 0c 40 bb 41 00 c7 40 10 30 bb 41 00 c7 40 14 1c bb 41 00 c7 40 18 0c bb 41 00 c7 40 1c fc ba 41 00 c7 40 20 e8 ba 41 00 c7 40 24 d8 ba 41 00 89 48 28 89 48 2c 89 50 34 89 50 38 8a 54 24 04 89 48 40 89 48 48 89 48 30 Data Ascii: DAT$@A_^D$L$H3D$L$H3SVWF8^4;rf;s~,~,t9^0tS?u^03_^[VFhPQu^ 3@dA@TA@@A@0A@A@A@A@ A@$AH(H,P4P8T$H@HHH0
2024-07-27 22:42:32 UTC	13032	IN	Data Raw: 00 51 ff 50 0c c3 ff 74 24 10 8b 44 24 08 ff 74 24 10 8b 48 08 ff 74 24 10 e8 4b 01 00 00 c2 10 00 ff 74 24 10 8b 44 24 08 ff 74 24 10 8b 48 08 ff 74 24 10 e8 b3 01 00 00 c2 10 00 53 56 8b f1 e8 2a 00 00 00 33 db 3b c3 75 21 6a 03 33 d2 8d 4e 04 e8 a5 15 01 00 89 5e 18 88 5e 08 c6 46 09 01 89 5e 0c 89 5e 10 89 5e 1c 33 c0 5e 5b c3 e8 0f 00 00 00 85 c0 7e 0a 25 ff ff 00 00 0d 00 00 07 80 c3 83 39 00 74 05 e9 df 14 01 00 e9 3a 15 01 00 56 8b f1 6a 0c e8 1f b2 ff ff 85 c0 59 74 0f 83 60 04 00 89 70 08 c7 00 00 bc 41 00 eb 02 33 c0 8b 4c 24 08 50 e8 0f 0e 00 00 6a 0c e8 f8 b1 ff ff 85 c0 59 74 0f 83 60 04 00 89 70 08 c7 00 f0 bb 41 00 eb 02 33 c0 8b 4c 24 0c 50 e8 e8 0d 00 00 5e c2 08 00 8b 4c 24 04 ff 49 04 8b 41 04 75 0d 85 c9 74 07 6a 01 e8 05 00 00 00 33 Data Ascii: QPt$D$t$Ht$Kt$D$t$Ht$SV*3;u!j3N^^F^^^3^[~%9t:VjYt`pA3L$PjYt`pA3L$P^L$IAutj3
2024-07-27 22:42:32 UTC	2896	IN	Data Raw: c6 45 fc 03 e8 48 85 ff ff 8d 7e 60 c6 45 fc 04 8b cf e8 56 9c ff ff 8d 4f 28 e8 32 85 ff ff 8d 8e 98 00 00 00 c6 45 fc 05 e8 f3 d4 ff ff 8b 4d f4 c7 06 d0 bc 41 00 c7 46 04 bc bc 41 00 c7 46 08 ac bc 41 00 c7 46 0c 98 bc 41 00 8b c6 5f 5e 64 89 0d 00 00 00 00 c9 c3 55 8b ec 56 8b 75 10 57 8b 7d 0c 83 26 00 6a 10 68 cc c3 41 00 57 e8 a0 e5 00 00 83 c4 0c 85 c0 75 07 8b 45 08 89 06 eb 56 6a 10 68 30 b4 41 00 57 e8 85 e5 00 00 83 c4 0c 85 c0 74 e5 6a 10 68 60 b4 41 00 57 e8 71 e5 00 00 83 c4 0c 85 c0 75 0a 8b 45 08 8b c8 8d 50 04 eb 1c 6a 10 68 80 b4 41 00 57 e8 53 e5 00 00 83 c4 0c 85 c0 75 17 8b 45 08 8b c8 8d 50 08 f7 d9 1b c9 23 ca 89 0e ff 40 10 33 c0 eb 05 b8 02 40 00 80 5f 5e 5d c2 0c 00 8b 44 24 04 ff 40 10 8b 40 10 c2 04 00 56 8b 74 24 08 ff 4e 10 Data Ascii: EH~`EVO(2EMAFAFAFA_^dUVuW}&jhAWuEVjh0AWtjh`AWquEPjhAWSuEP#@3@_^]D$@@Vt$N
2024-07-27 22:42:32 UTC	12792	IN	Data Raw: 16 03 c2 80 38 00 75 79 83 65 f8 00 c6 00 01 8b 46 0c 83 3f 00 8b 40 28 8b 0c 08 76 5b 89 4d fc ff 75 fc 8b 4e 0c e8 5f 00 00 00 84 c0 75 3c 8b 46 0c 83 65 08 00 8b 48 10 85 c9 76 15 8b 50 0c 8b 1a 3b 5d fc 74 35 ff 45 08 83 c2 08 39 4d 08 72 ee 83 c9 ff 85 c9 7c 28 8b 40 0c ff 74 c8 04 8b ce e8 76 ff ff ff 84 c0 74 16 ff 45 f8 ff 45 fc 8b 45 f8 3b 07 72 a8 b0 01 eb 07 8b 4d 08 eb d4 32 c0 5f 5e 5b c9 c2 04 00 8b 41 1c 33 d2 85 c0 56 76 13 8b 49 18 8b 31 3b 74 24 08 74 0b 42 83 c1 04 3b d0 72 f0 83 ca ff 33 c0 5e 85 d2 0f 9d c0 c2 04 00 56 8b f1 8b 46 0c 8b 50 04 e8 5c 49 00 00 8b 46 0c 8b ce ff 70 24 e8 0d ff ff ff 84 c0 74 1a 8b 4e 04 33 c0 85 c9 76 0d 8b 36 80 3c 06 00 74 09 40 3b c1 72 f5 b0 01 5e c3 32 c0 5e c3 83 61 2c 00 83 61 38 00 c3 b8 80 aa 41 Data Ascii: 8uyeF?@(v[MuN_u<FeHvP;]t5E9Mr\|(@tvtEEE;rM2_^[A3VvI1;t$tB;r3^VFP\IFp$tN3v6<t@;r^2^a,a8A
2024-07-27 22:42:32 UTC	6396	IN	Data Raw: 8b 01 00 00 75 10 38 88 8c 01 00 00 75 08 38 88 8e 01 00 00 74 67 6a 01 8d 4d f0 e8 cc 72 ff ff eb 5b 8b 45 08 33 d2 38 88 8c 01 00 00 74 03 6a 02 5a 38 88 8d 01 00 00 74 03 80 ce 01 3b d1 74 3c eb 31 8b 45 08 33 d2 38 88 88 01 00 00 75 03 6a 01 5a 38 88 8a 01 00 00 74 03 83 ca 02 38 88 8b 01 00 00 74 03 83 ca 20 38 88 8e 01 00 00 74 03 80 ce 01 52 8d 4d f0 e8 94 72 ff ff 56 8d 4d f0 ff 75 10 e8 95 73 ff ff 8d 4d f0 8b f0 e8 fc 72 ff ff 8b c6 5e c9 c2 0c 00 55 8b ec 83 ec 24 8b 55 08 53 56 83 fa ff 57 0f 84 b5 00 00 00 8b 41 78 8b 49 7c 8b 34 90 8b 44 90 04 83 65 e4 00 03 ce 2b c6 89 4d dc 8d 4d dc 89 45 e0 e8 6a 09 00 00 85 c0 89 45 f4 0f 84 87 00 00 00 8d 4d dc e8 ce 07 00 00 8b 4d e4 88 45 0b 83 e0 0f 6a 00 89 45 f8 8b 45 dc 5f 57 8d 34 01 5b 89 7d fc Data Ascii: u8u8tgjMr[E38tjZ8t;t<1E38ujZ8t8t 8tRMrVMusMr^U$USVWAxI\|4De+MMEjEMMEjEE_W4[}
2024-07-27 22:42:32 UTC	1084	IN	Data Raw: 00 00 00 83 65 08 00 83 7e 04 00 0f 86 d7 00 00 00 8b 45 08 8b 4e 24 c1 e0 02 89 45 0c 8b 04 08 85 c0 0f 84 b1 00 00 00 83 65 e4 00 83 65 e8 00 83 f8 01 76 4e 48 89 45 ec eb 03 8b 5d f0 8b 4b 38 e8 03 f0 ff ff 8b cf 89 45 d4 8b da e8 06 86 ff ff 8b 47 04 8b 17 8d 48 01 89 4f 04 8b 4d d4 01 4d e4 89 0c c2 89 5c c2 04 11 5d e8 39 5d e8 77 0c 72 05 39 4d e4 73 05 e8 eb ee ff ff ff 4d ec 75 b8 8b 56 34 8b 5d 08 8b 4e 2c 8b 46 28 0f b6 14 1a 8b 5d 0c 03 14 0b 8b 0c d0 89 4d cc 8b 5c d0 04 3b 5d e8 77 0c 72 05 3b 4d e4 73 05 e8 b5 ee ff ff 8b cf e8 9d 85 ff ff 8b 47 04 8b 17 8d 48 01 89 4f 04 8b 4d cc 2b 4d e4 1b 5d e8 89 0c c2 89 5c c2 04 8b 5d f0 ff 45 08 8b 45 08 3b 46 04 0f 82 29 ff ff ff 8b 4b 38 e8 59 ef ff ff 89 45 dc 89 55 e0 eb 75 33 db 39 5e 04 89 5d Data Ascii: e~EN$EeevNHE]K8EGHOMM\]9]wr9MsMuV4]N,F(]M\;]wr;MsGHOM+M]\]EE;F)K8YEUu39^]

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:33 UTC	326	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=e09076fb7be72413458f55a70553fc9fe7a788e10f08e18ca857b7883846325f User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 355 Host: d3cored83b0wp2.cloudfront.net
2024-07-27 22:42:33 UTC	355	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 30 37 32 37 31 38 34 31 35 34 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 65 62 41 64 76 69 73 6f 72 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 65 62 41 64 76 69 73 6f 72 5f 56 33 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 33 33 5c 22 2c 5c 22 36 5c 22 3a 5c 22 33 5c 22 2c 5c 22 37 5c 22 3a 5c Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20240727184154\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"WebAdvisor\",\"18\":\"ZB_WebAdvisor_V3\",\"19\":\"\",\"21\":\"133\",\"6\":\"3\",\"7\":\
2024-07-27 22:42:34 UTC	428	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 27 Jul 2024 22:42:34 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 ed5042a23d5905bfac08effe99f4b1ce.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P12 X-Amz-Cf-Id: xxvlyeYLFZMxw05FdasCI61q6eq8g2XjzPiJW05Z9SlaThhJN5YMSw==
2024-07-27 22:42:34 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Timestamp	Bytes transferred	Direction	Data
2024-07-27 22:42:34 UTC	232	OUT	PUT /mosaic/2.0/product-web/am/v1/record HTTP/1.1 Connection: Keep-Alive Content-Type: application/json User-Agent: SA X-Api-Key: wtuQtD4DdA8poRbq0pzMh1iysE9YiVlC14kJF9ZI Content-Length: 311 Host: analytics.apis.mcafee.com
2024-07-27 22:42:34 UTC	311	OUT	Data Raw: 7b 22 44 61 74 61 22 3a 7b 22 4d 61 63 68 69 6e 65 5f 49 44 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 4f 53 22 3a 22 57 49 4e 22 2c 22 4f 53 5f 50 6c 61 74 66 6f 72 6d 22 3a 22 36 34 22 2c 22 4f 53 5f 56 65 72 73 69 6f 6e 22 3a 22 31 30 2e 30 2e 31 39 30 34 31 2e 31 38 38 39 22 2c 22 50 72 6f 64 75 63 74 5f 56 65 72 73 69 6f 6e 22 3a 22 34 2e 31 2e 31 2e 38 36 35 22 2c 22 55 55 49 44 22 3a 22 7b 44 42 30 43 46 36 41 30 2d 44 32 42 39 2d 34 34 42 37 2d 39 37 37 31 2d 34 34 36 30 42 44 35 38 37 31 30 44 7d 22 2c 22 65 61 22 3a 22 50 72 6f 63 65 73 73 22 2c 22 65 63 22 3a 22 42 6f 6f 74 53 74 72 61 70 49 6e 73 74 61 6c 6c 65 72 22 2c 22 65 6c 22 3a 22 53 74 61 72 74 65 64 22 Data Ascii: {"Data":{"Machine_ID":"9e146be9-c76a-4720-bcdb-53011b87bd06","OS":"WIN","OS_Platform":"64","OS_Version":"10.0.19041.1889","Product_Version":"4.1.1.865","UUID":"{DB0CF6A0-D2B9-44B7-9771-4460BD58710D}","ea":"Process","ec":"BootStrapInstaller","el":"Started"
2024-07-27 22:42:34 UTC	303	IN	HTTP/1.1 200 OK Date: Sat, 27 Jul 2024 22:42:34 GMT Content-Type: application/x-amz-json-1.1 Content-Length: 16 Connection: close x-amz-id-2: nvLMh8ghQU2wbaZndGwbp++yO4L34716GmW93d5YDD6EJBq92G0eBYjgZXxFqCaIwKOx8bt9Vt2FbjHWVwKR4TnkD3/D9g8C x-amzn-RequestId: c0b0c488-2231-0506-9faf-be9276f00bf2
2024-07-27 22:42:34 UTC	16	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 22 6f 6b 22 7d Data Ascii: {"message":"ok"}