cobaltstrike | 4ab7098bdbc2377ff28ba47ff63b7416c45185e8d2480a7e4bf744b599322347

Analysis

max time kernel
680s
max time network
912s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2023 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DNSChanger.exe
Size

1.3MB
MD5

67691499320c0061269fe342e6a6ed7c
SHA1

d89fb1b05eee8217fb0fa30d1d284b1856225e5e
SHA256

4ab7098bdbc2377ff28ba47ff63b7416c45185e8d2480a7e4bf744b599322347
SHA512

abdf243ccb250a5545add00d2ba3d903464b013eaf285e6e0bed3274d7c9868cff33050281a3c1ffaa6b87cc147200f16a81b2838660eea437d54f4907097065
SSDEEP

24576:D4rvbuhZUTdN9MEMMdfSHk5BkA1BIlR4KHEolghnoxk:D4rbfMErSEcADor

Score

10^/10

cobaltstrike backdoor bootkit coreentity persistence spyware stealer trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
C:\Program Files\ReasonLabs\EPP\mc.dll	coreentity

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

279 4084 rundll32.exe
281 4084 rundll32.exe
285 4084 rundll32.exe
288 4084 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

flow	pid	process
279	4084	rundll32.exe
281	4084	rundll32.exe
285	4084	rundll32.exe
288	4084	rundll32.exe

Drops file in Drivers directory 5 IoCs

Processes:

RAVEndPointProtection-installer.exeSaferWeb-installer.exe

description	ioc	process
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsDwf.sys	SaferWeb-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsDwf.sys	SaferWeb-installer.exe

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\ = "AVG Secure Browser"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\StubPath = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\114.0.21608.200\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{48F69C39-1356-4A7B-A899-70E3539D4982}\Localized Name = "AVG Secure Browser"	setup.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AVGBrowserUpdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe\DisableExceptionChainValidation = "0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGBrowserUpdate.exe	AVGBrowserUpdate.exe

Executes dropped EXE 64 IoCs

Processes:

Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmpprod0.exesaBSI.exe41qqitew.exeavg_secure_browser_setup.exeRAVEndPointProtection-installer.exesaBSI.exeAVGBrowserUpdateSetup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exersSyncSvc.exersSyncSvc.exeinstaller.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeinstaller.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeServiceHost.exeUIHost.exeServiceHost.exeAVGBrowser.exesetup.exesetup.exeServiceHost.exesetup.exesetup.exeServiceHost.exeAVGBrowser.exeAVGBrowser.exersWSC.exersWSC.exersClientSvc.exersClientSvc.exersEngineSvc.exersEngineSvc.exez0wku0yb.exeSaferWeb-installer.exeAVGBrowserCrashHandler.exeAVGBrowser.exeServiceHost.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exeelevation_service.exeAVGBrowser.exeAVGBrowser.exersVPNClientSvc.exersVPNClientSvc.exersVPNSvc.exersVPNSvc.exe

pid	process
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
420	prod0.exe
4084	saBSI.exe
4352	41qqitew.exe
832	avg_secure_browser_setup.exe
468	RAVEndPointProtection-installer.exe
3320	saBSI.exe
4968	AVGBrowserUpdateSetup.exe
5320	AVGBrowserUpdate.exe
4988	AVGBrowserUpdate.exe
2656	rsSyncSvc.exe
4056	rsSyncSvc.exe
5080	installer.exe
5124	AVGBrowserUpdate.exe
5304	AVGBrowserUpdateComRegisterShell64.exe
5724	AVGBrowserUpdateComRegisterShell64.exe
5768	installer.exe
5820	AVGBrowserUpdateComRegisterShell64.exe
5904	AVGBrowserUpdate.exe
5940	AVGBrowserUpdate.exe
5996	AVGBrowserUpdate.exe
5436	ServiceHost.exe
5632	UIHost.exe
5284	ServiceHost.exe
3284	AVGBrowser.exe
5236	setup.exe
4572	setup.exe
2292	ServiceHost.exe
1704	setup.exe
5364	setup.exe
5916	ServiceHost.exe
5292	AVGBrowser.exe
2648	AVGBrowser.exe
1616	rsWSC.exe
5600	rsWSC.exe
860	rsClientSvc.exe
6028	rsClientSvc.exe
6704	rsEngineSvc.exe
5988	rsEngineSvc.exe
6404	z0wku0yb.exe
6988	SaferWeb-installer.exe
6980	AVGBrowserCrashHandler.exe
6104	AVGBrowser.exe
5816	ServiceHost.exe
6108	AVGBrowser.exe
5704	AVGBrowser.exe
5804	AVGBrowser.exe
6328	AVGBrowser.exe
6508	elevation_service.exe
780	AVGBrowser.exe
4000	elevation_service.exe
876	AVGBrowser.exe
4296	AVGBrowser.exe
5552	AVGBrowser.exe
6104	AVGBrowser.exe
5356	AVGBrowser.exe
6288	AVGBrowser.exe
5784	elevation_service.exe
1148	AVGBrowser.exe
924	AVGBrowser.exe
6004	rsVPNClientSvc.exe
2464	rsVPNClientSvc.exe
5548	rsVPNSvc.exe
6488	rsVPNSvc.exe

Loads dropped DLL 64 IoCs

Processes:

Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp41qqitew.exeavg_secure_browser_setup.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowser.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exeRAVEndPointProtection-installer.exeUIHost.exeServiceHost.exeregsvr32.exeServiceHost.exeServiceHost.exeServiceHost.exeAVGBrowser.exeAVGBrowser.exez0wku0yb.exersEngineSvc.exeSaferWeb-installer.exe

pid	process
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
4352	41qqitew.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
5320	AVGBrowserUpdate.exe
4988	AVGBrowserUpdate.exe
5124	AVGBrowserUpdate.exe
5304	AVGBrowserUpdateComRegisterShell64.exe
5124	AVGBrowserUpdate.exe
5724	AVGBrowserUpdateComRegisterShell64.exe
5124	AVGBrowserUpdate.exe
5820	AVGBrowserUpdateComRegisterShell64.exe
5124	AVGBrowserUpdate.exe
5320	AVGBrowserUpdate.exe
5320	AVGBrowser.exe
5904	AVGBrowserUpdate.exe
5940	AVGBrowserUpdate.exe
5996	AVGBrowserUpdate.exe
5996	AVGBrowserUpdate.exe
5940	AVGBrowserUpdate.exe
5996	AVGBrowserUpdate.exe
5912	AVGBrowser.exe
472	AVGBrowser.exe
468	RAVEndPointProtection-installer.exe
5632	UIHost.exe
5436	ServiceHost.exe
2244	regsvr32.exe
5436	ServiceHost.exe
5436	ServiceHost.exe
5436	ServiceHost.exe
5436	ServiceHost.exe
5436	ServiceHost.exe
5632	UIHost.exe
5436	ServiceHost.exe
468	RAVEndPointProtection-installer.exe
5632	UIHost.exe
5284	ServiceHost.exe
5284	ServiceHost.exe
5284	ServiceHost.exe
5284	ServiceHost.exe
5284	ServiceHost.exe
2292	ServiceHost.exe
2292	ServiceHost.exe
2292	ServiceHost.exe
2292	ServiceHost.exe
2292	ServiceHost.exe
5916	ServiceHost.exe
5916	ServiceHost.exe
5916	ServiceHost.exe
5292	AVGBrowser.exe
5916	ServiceHost.exe
5916	ServiceHost.exe
2648	AVGBrowser.exe
6404	z0wku0yb.exe
5988	rsEngineSvc.exe
6988	SaferWeb-installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

AVGBrowserUpdateComRegisterShell64.exesetup.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exeregsvr32.exeAVGBrowser.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\AVG\\Browser\\Application\\114.0.21608.200\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	AVGBrowser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{85E3A60D-9214-46A6-A266-312981649DC1}\InProcServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	AVGBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0929891C-854C-4BFF-AE54-7EE10636719D}\InprocServer32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	AVGBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A725D612-7D72-48B8-857A-4777781F415C}\LocalServer32\ = "\"C:\\Program Files (x86)\\AVG\\Browser\\Application\\114.0.21608.200\\notification_helper.exe\""	setup.exe

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

rsEngineSvc.exe

description ioc process

File opened (read-only) \??\F: rsEngineSvc.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

158 api.ipify.org
161 api.ipify.org
251 api.ipify.org

description	ioc	process
File opened (read-only)	\??\F:	rsEngineSvc.exe

flow	ioc
158	api.ipify.org
161	api.ipify.org
251	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

avg_secure_browser_setup.exeAVGBrowser.exeAVGBrowserUpdate.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	avg_secure_browser_setup.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowserUpdate.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe
File opened for modification	\??\PhysicalDrive0	AVGBrowser.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp	autoit_exe

Drops file in System32 directory 59 IoCs

Processes:

rsEngineSvc.exersVPNSvc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7850C7BAFAC9456B4B92328A61976502_EB6311D6BD62C56F7F34EB13A854FC06	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BD96F9183ADE69B6DF458457F594566C_A3967EF9456B202405F18F5A4951E2EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_4B7EBDACFF7CEC3D08B5D86C9ECA8639	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4B7EBDACFF7CEC3D08B5D86C9ECA8639	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A76F24BEACC5A31C76BB70908923C3E0	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\49855FCDFA62840A2838AEF1EFAC3C9B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7850C7BAFAC9456B4B92328A61976502_EB6311D6BD62C56F7F34EB13A854FC06	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_A3967EF9456B202405F18F5A4951E2EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\206932163209AD483A44477E28192474	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\49855FCDFA62840A2838AEF1EFAC3C9B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E663C78920A8217B4CBE3D45E3E6236_4685A9D363653D71136A6ED138C7A6AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A76F24BEACC5A31C76BB70908923C3E0	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\rsVPNSvc\WireGuard\log.bin	rsVPNSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_D5824721AFCD338CB437BB54334D6F98	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_D5824721AFCD338CB437BB54334D6F98	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0E663C78920A8217B4CBE3D45E3E6236_4685A9D363653D71136A6ED138C7A6AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\206932163209AD483A44477E28192474	rsEngineSvc.exe

Drops file in Program Files directory 64 IoCs

Processes:

SaferWeb-installer.exeinstaller.exeRAVEndPointProtection-installer.exeinstaller.exeServiceHost.exesetup.exeAVGBrowserUpdateSetup.exe

description	ioc	process
File created	C:\Program Files\ReasonLabs\DNS\de\Microsoft.Win32.TaskScheduler.resources.dll	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\Temp1287704949\wa_install_error.png	installer.exe
File created	C:\Program Files\McAfee\Temp1287704949\jslang\wa-res-install-pt-PT.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1287704949\uninstaller.cab	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\ipc_stats_handler.luc	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.2.0\locales\fi.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Security.Cryptography.Primitives.dll	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\engine.js	ServiceHost.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source5236_346911410\Safer-bin\114.0.21608.200\mimic.dll	setup.exe
File created	C:\Program Files\ReasonLabs\DNS\x64\7z64.dll	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\Temp1287704949\lookupmanager.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\uihandler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ss-toast-variants.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-zh-TW.js	installer.exe
File created	C:\Program Files\ReasonLabs\DNS\rsLogger.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\fr\Microsoft.Win32.TaskScheduler.resources.dll	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\toggle_ext_on_guide.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wpssuitestatus.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wsseuladate.luc	installer.exe
File created	C:\Program Files\ReasonLabs\DNS\rsEngine.Loggers.Business.dll	SaferWeb-installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1287704949\webadvisor.cab	installer.exe
File created	C:\Program Files\ReasonLabs\VPN\Newtonsoft.Json.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Net.Requests.dll	SaferWeb-installer.exe
File created	C:\Program Files (x86)\GUMB246.tmp\goopdate.dll	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\wa-common.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-fi-FI.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1287704949\servicehost.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\custom-checkbox.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\analyticseventhandler.luc	installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Net.WebSockets.dll	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\transport_da.js	ServiceHost.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Reflection.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files (x86)\AVG\Browser\Temp\source5236_346911410\Safer-bin\114.0.21608.200\vulkan-1.dll	setup.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\white_questionmark.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wsspackagetype.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsHelper.exe	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe	setup.exe
File created	C:\Program Files\ReasonLabs\VPN\x86\SQLite.Interop.dll	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\Temp1287704949\jslang\eula-pt-BR.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-ko-KR.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Net.Sockets.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Linq.dll	SaferWeb-installer.exe
File created	C:\Program Files (x86)\GUMB246.tmp\AVGBrowserUpdate.exe	AVGBrowserUpdateSetup.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-upsell-toast-wss.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\smareputationcounter.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\arm64\msvcp140.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\x86\ext_x86.dll	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\Temp1287704949\uninstaller.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-checklist-risk.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\telemetryversion.luc	installer.exe
File created	C:\Program Files\ReasonLabs\DNS\lists\basic_ads_block.txt	SaferWeb-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\heronerrorslog.luc	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\rules.js	ServiceHost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

5220 sc.exe
5300 sc.exe
5284 sc.exe
2016 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5220	sc.exe
5300	sc.exe
5284	sc.exe
2016	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6728	5436	WerFault.exe	ServiceHost.exe
6840	5284	WerFault.exe	ServiceHost.exe
5692	2292	WerFault.exe	ServiceHost.exe
6360	5916	WerFault.exe	ServiceHost.exe
6668	5816	WerFault.exe	ServiceHost.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1888 ipconfig.exe

pid	process
1888	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

AVGBrowser.exeAVGBrowserUpdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\Policy = "3"	AVGBrowser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppName = "AVGBrowserUpdateWebPlugin.exe"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3"	AVGBrowserUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{513C6D01-E4A3-4F34-9BD9-3D83C35A3498}\Policy = "3"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}	AVGBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppName = "AVGBrowserUpdateBroker.exe"	AVGBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28E08968-59C8-4A77-BEBA-12C9394AE077}\AppPath = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3"	AVGBrowser.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

rsWSC.exeServiceHost.exeServiceHost.exersEngineSvc.exeServiceHost.exeAVGBrowserUpdate.exeServiceHost.exeAVGBrowser.exeServiceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\endpoint = "update.avgbrowser.com"	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133353484840798474"	AVGBrowser.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AVG\Browser\Update\	AVGBrowserUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe

Modifies registry class 64 IoCs

Processes:

AVGBrowserUpdate.exeAVGBrowserUpdate.exeAVGBrowserUpdateComRegisterShell64.exeAVGBrowserUpdateComRegisterShell64.exesetup.exeAVGBrowserUpdateComRegisterShell64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreClass\ = "Google Update Core Class"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A01E2077-A5A9-4229-8BC1-AB2D43564381}\InprocHandler32\ThreadingModel = "Both"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgHTML\DefaultIcon\ = "C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\ = "IAppVersion"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher.1.0\CLSID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}\VersionIndependentProgID\ = "AVGUpdate.CoreMachineClass"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\NumMethods\ = "10"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\NumMethods\ = "17"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A01E2077-A5A9-4229-8BC1-AB2D43564381}\InprocHandler32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A42B2494-93AE-44E1-B76D-BA8509A5167D}\ = "GoogleUpdate Update3Web"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\ = "AvgHTML"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B02B2F29-8637-4B78-892A-CFD7CCE793EC}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7B73E65-20BA-407F-8A89-DF649EF82559}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoreMachineClass.1\CLSID\ = "{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{633D953B-278A-4DAC-8E4B-D15296A1C845}\ProgID\ = "AVGUpdate.Update3WebSvc.1.0"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\ProxyStubClsid32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\ProxyStubClsid32	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoCreateAsync\CLSID\ = "{B80EC6B9-55FF-4E4F-B4E8-9BD098DBBAA5}"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BAAD654E-4B50-4C9F-A261-CF29CF884478}\ = "Google Update Legacy On Demand"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgQH\Capabilities\URLAssociations\microsoft-edge = "AvgQH"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30612A81-C10F-498E-9163-C2B2A3F81A14}\ = "Google Update Legacy On Demand"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8159E37-5EDF-4E6D-8E6D-E558E8DDC2A0}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67F69D86-C3AA-4CBF-A536-C73B5D785FFC}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A01E2077-A5A9-4229-8BC1-AB2D43564381}\InprocHandler32\ = "C:\\Program Files (x86)\\AVG\\Browser\\Update\\1.8.1582.3\\psmachine_64.dll"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E37D9308-A3C0-4EC3-87C5-222235C974E3}\LocalServer32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9E6B2FC-34C6-435F-BC66-1EA330DB1270}\ProxyStubClsid32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\AvgHTML	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59577BB5-F97B-4880-B785-510238C5C5CE}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{925547A3-663F-4673-A7B7-3FCACCDC4879}\ = "IAppCommand"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\.xhtml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "AvgHTML"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{384098DD-AB6D-412E-B819-2F10032D9767}\VersionIndependentProgID\ = "AVGUpdate.CoreClass"	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0BE1521-7935-42E6-B606-058A559910BA}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\NumMethods\ = "17"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\https\DefaultIcon\ = "C:\\Program Files (x86)\\AVG\\Browser\\Application\\AVGBrowser.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30612A81-C10F-498E-9163-C2B2A3F81A14}	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C50E3A4-12A8-41FB-9941-E8EEB222E07E}\ = "IProcessLauncher2"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DAE1732-F855-42A3-9D28-B7F6E291ECCD}	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.CoCreateAsync.1.0\ = "CoCreateAsync"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A012A499-D8A6-4F6C-9E05-B02D58E3781A}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23AE0B95-20F3-4632-A2AE-C3D706E1D5D9}\LocalServer32	AVGBrowserUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82C85EAA-7C94-4702-AA75-DF39403AE358}\VersionIndependentProgID	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CCD3788-C8CC-4EE9-8DF7-944B7D9674F2}\NumMethods\ = "10"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E21E991-301D-47FD-AB7A-99FBE864EF65}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AvgQH\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C0BAA6C-52FD-4A3F-8731-F588C5E8F191}\ProxyStubClsid32\ = "{85E3A60D-9214-46A6-A266-312981649DC1}"	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C7E81D6-0463-485E-8DF5-2ADAD81FAF40}\ = "IGoogleUpdate3Web"	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{804EC8ED-BF49-41ED-BCD0-CA1D716D3E98}\ProxyStubClsid32	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BA03866-1403-40EA-81A9-23FCD97810E2}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C32E10AE-6600-4A1E-8BEA-EF89A3072F93}\NumMethods	AVGBrowserUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher.1.0\ = "Google Update Process Launcher Class"	AVGBrowserUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVGUpdate.ProcessLauncher.1.0\CLSID\ = "{E37D9308-A3C0-4EC3-87C5-222235C974E3}"	AVGBrowserUpdate.exe

Modifies system certificate store 2 TTPs 21 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rundll32.exersEngineSvc.exersEngineSvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf50f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f1030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 270 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	270	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exePrecision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmpsaBSI.exeavg_secure_browser_setup.exe

pid	process
3796	msedge.exe
3796	msedge.exe
4976	msedge.exe
4976	msedge.exe
2552	identity_helper.exe
2552	identity_helper.exe
4364	msedge.exe
4364	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
4084	saBSI.exe
4084	saBSI.exe
4084	saBSI.exe
4084	saBSI.exe
4084	saBSI.exe
4084	saBSI.exe
4084	saBSI.exe
4084	saBSI.exe
4084	saBSI.exe
4084	saBSI.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe
832	avg_secure_browser_setup.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

fltmc.exe

pid process

6160 fltmc.exe
660
660

pid	process
6160	fltmc.exe
660
660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

Processes:

msedge.exeAVGBrowser.exeAVGBrowser.exeAVGBrowser.exe

pid	process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
6108	AVGBrowser.exe
6108	AVGBrowser.exe
6108	AVGBrowser.exe
6304	AVGBrowser.exe
6304	AVGBrowser.exe
6304	AVGBrowser.exe
6304	AVGBrowser.exe
6304	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DNSChanger.exeprod0.exeRAVEndPointProtection-installer.exeAVGBrowserUpdate.exeAVGBrowser.exewevtutil.exefltmc.exewevtutil.exersWSC.exersWSC.exersEngineSvc.exersEngineSvc.exeSaferWeb-installer.exeAVGBrowser.exeavg_secure_browser_setup.exeAVGBrowser.exersVPNSvc.exersVPNSvc.exeAVGBrowser.exe

description	pid	process
Token: SeDebugPrivilege	872	DNSChanger.exe
Token: SeDebugPrivilege	420	prod0.exe
Token: SeDebugPrivilege	468	RAVEndPointProtection-installer.exe
Token: SeDebugPrivilege	5320	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	5320	AVGBrowserUpdate.exe
Token: SeDebugPrivilege	5320	AVGBrowserUpdate.exe
Token: 33	3284	AVGBrowser.exe
Token: SeIncBasePriorityPrivilege	3284	AVGBrowser.exe
Token: SeDebugPrivilege	468	RAVEndPointProtection-installer.exe
Token: SeSecurityPrivilege	6804	wevtutil.exe
Token: SeBackupPrivilege	6804	wevtutil.exe
Token: SeLoadDriverPrivilege	6160	fltmc.exe
Token: SeSecurityPrivilege	4592	wevtutil.exe
Token: SeBackupPrivilege	4592	wevtutil.exe
Token: SeDebugPrivilege	1616	rsWSC.exe
Token: SeDebugPrivilege	5600	rsWSC.exe
Token: SeDebugPrivilege	6704	rsEngineSvc.exe
Token: SeDebugPrivilege	6704	rsEngineSvc.exe
Token: SeDebugPrivilege	6704	rsEngineSvc.exe
Token: SeBackupPrivilege	6704	rsEngineSvc.exe
Token: SeRestorePrivilege	6704	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	6704	rsEngineSvc.exe
Token: SeDebugPrivilege	5988	rsEngineSvc.exe
Token: SeDebugPrivilege	5988	rsEngineSvc.exe
Token: SeDebugPrivilege	5988	rsEngineSvc.exe
Token: SeBackupPrivilege	5988	rsEngineSvc.exe
Token: SeRestorePrivilege	5988	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	5988	rsEngineSvc.exe
Token: SeDebugPrivilege	6988	SaferWeb-installer.exe
Token: SeDebugPrivilege	5320	AVGBrowser.exe
Token: SeIncreaseQuotaPrivilege	832	avg_secure_browser_setup.exe
Token: SeShutdownPrivilege	6108	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	6108	AVGBrowser.exe
Token: SeShutdownPrivilege	6108	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	6108	AVGBrowser.exe
Token: SeShutdownPrivilege	6108	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	6108	AVGBrowser.exe
Token: SeDebugPrivilege	6988	SaferWeb-installer.exe
Token: SeShutdownPrivilege	6108	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	6108	AVGBrowser.exe
Token: SeShutdownPrivilege	6108	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	6108	AVGBrowser.exe
Token: SeShutdownPrivilege	6108	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	6108	AVGBrowser.exe
Token: SeDebugPrivilege	5548	rsVPNSvc.exe
Token: SeDebugPrivilege	5548	rsVPNSvc.exe
Token: SeDebugPrivilege	5548	rsVPNSvc.exe
Token: SeBackupPrivilege	5548	rsVPNSvc.exe
Token: SeRestorePrivilege	5548	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	5548	rsVPNSvc.exe
Token: SeDebugPrivilege	6488	rsVPNSvc.exe
Token: SeDebugPrivilege	6488	rsVPNSvc.exe
Token: SeDebugPrivilege	6488	rsVPNSvc.exe
Token: SeBackupPrivilege	6488	rsVPNSvc.exe
Token: SeRestorePrivilege	6488	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	6488	rsVPNSvc.exe
Token: SeIncreaseQuotaPrivilege	832	avg_secure_browser_setup.exe
Token: SeDebugPrivilege	6488	rsVPNSvc.exe
Token: SeDebugPrivilege	6488	rsVPNSvc.exe
Token: SeBackupPrivilege	6488	rsVPNSvc.exe
Token: SeRestorePrivilege	6488	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	6488	rsVPNSvc.exe
Token: SeShutdownPrivilege	6304	AVGBrowser.exe
Token: SeCreatePagefilePrivilege	6304	AVGBrowser.exe

Suspicious use of FindShellTrayWindow 55 IoCs

Processes:

msedge.exePrecision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmpAVGBrowser.exeAVGBrowser.exersAppUI.exersAppUI.exe

pid	process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
2588	Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
5292	AVGBrowser.exe
7408	AVGBrowser.exe
7408	AVGBrowser.exe
5860	rsAppUI.exe
5860	rsAppUI.exe
5860	rsAppUI.exe
5860	rsAppUI.exe
5860	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7408	AVGBrowser.exe

Suspicious use of SendNotifyMessage 39 IoCs

Processes:

msedge.exersAppUI.exersAppUI.exe

pid	process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
5860	rsAppUI.exe
5860	rsAppUI.exe
5860	rsAppUI.exe
5860	rsAppUI.exe
5860	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe
7588	rsAppUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DNSChanger.exemsedge.exe

description	pid	process	target process
PID 872 wrote to memory of 2568	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 2568	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 2116	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 2116	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 4496	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 4496	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 1192	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 1192	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 1800	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 1800	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 616	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 616	872	DNSChanger.exe	netsh.exe
PID 4976 wrote to memory of 1588	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 1588	4976	msedge.exe	msedge.exe
PID 872 wrote to memory of 5092	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 5092	872	DNSChanger.exe	netsh.exe
PID 872 wrote to memory of 1888	872	DNSChanger.exe	ipconfig.exe
PID 872 wrote to memory of 1888	872	DNSChanger.exe	ipconfig.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3992	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3796	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 3796	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 1752	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 1752	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 1752	4976	msedge.exe	msedge.exe
PID 4976 wrote to memory of 1752	4976	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\DNSChanger.exe
"C:\Users\Admin\AppData\Local\Temp\DNSChanger.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SYSTEM32\netsh.exe
"netsh" int show interface
2⤵
PID:2568

C:\Windows\SYSTEM32\netsh.exe
"netsh" int ipv4 show dns "Ethernet"
2⤵
PID:2116

C:\Windows\SYSTEM32\netsh.exe
"netsh" int ipv6 show dns "Ethernet"
2⤵
PID:4496

C:\Windows\SYSTEM32\netsh.exe
"netsh" int ipv4 set dns "Ethernet" static 1.1.1.1 primary validate=no
2⤵
PID:1192

C:\Windows\SYSTEM32\netsh.exe
"netsh" int ipv4 add dns "Ethernet" 1.0.0.1 index=2 validate=no
2⤵
PID:1800

C:\Windows\SYSTEM32\netsh.exe
"netsh" int ipv6 set dns "Ethernet" static 2606:4700:4700::1111 primary validate=no
2⤵
PID:616

C:\Windows\SYSTEM32\netsh.exe
"netsh" int ipv6 add dns "Ethernet" 2606:4700:4700::1001 index=2 validate=no
2⤵
PID:5092

C:\Windows\SYSTEM32\ipconfig.exe
"ipconfig" /flushdns
2⤵
- Gathers network information
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85f6746f8,0x7ff85f674708,0x7ff85f674718
2⤵
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
2⤵
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
2⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
2⤵
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
2⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
2⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
2⤵
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
2⤵
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
2⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
2⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
2⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
2⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
2⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
2⤵
PID:332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
2⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
2⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6656 /prefetch:8
2⤵
PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
2⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
2⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7056 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
2⤵
PID:2700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3432 /prefetch:8
2⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6696 /prefetch:8
2⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1376 /prefetch:8
2⤵
PID:8184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6324 /prefetch:8
2⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4240 /prefetch:8
2⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6568 /prefetch:8
2⤵
PID:5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
2⤵
PID:348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1252613171314681719,10220365789018652408,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
2⤵
PID:3772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\Temp1_Precision Targeting GUI - Linkvertise Downloader.zip\Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Precision Targeting GUI - Linkvertise Downloader.zip\Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.exe"
1⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\is-IAD7E.tmp\Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IAD7E.tmp\Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp" /SL5="$202EC,10373288,1230848,C:\Users\Admin\AppData\Local\Temp\Temp1_Precision Targeting GUI - Linkvertise Downloader.zip\Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2588

C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod0.exe
"C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod0.exe" -ip:"dui=f99eb88b-8818-423d-beb8-51f1b1c0c9e4&dit=20230801072436&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=a371&a=100&b=em&se=true" -vp:"dui=f99eb88b-8818-423d-beb8-51f1b1c0c9e4&dit=20230801072436&oc=ZB_RAV_Cross_Tri_NCB&p=a371&a=100&oip=26&ptl=7&dta=true" -dp:"dui=f99eb88b-8818-423d-beb8-51f1b1c0c9e4&dit=20230801072436&oc=ZB_RAV_Cross_Tri_NCB&p=a371&a=100" -i -v -d -se=true
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Users\Admin\AppData\Local\Temp\41qqitew.exe
"C:\Users\Admin\AppData\Local\Temp\41qqitew.exe" /silent
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4352

C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\41qqitew.exe" /silent
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
6⤵
- Executes dropped EXE
PID:2656

\??\c:\windows\system32\rundll32.exe
"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
6⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies system certificate store
PID:4084

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
7⤵
PID:6892

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
8⤵
PID:5716

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:6804

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
6⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:6160

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
6⤵
- Executes dropped EXE
PID:860

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:6704

C:\Users\Admin\AppData\Local\Temp\z0wku0yb.exe
"C:\Users\Admin\AppData\Local\Temp\z0wku0yb.exe" /silent
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6404

C:\Users\Admin\AppData\Local\Temp\nsj1709.tmp\RAVVPN-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nsj1709.tmp\RAVVPN-installer.exe" "C:\Users\Admin\AppData\Local\Temp\z0wku0yb.exe" /silent
5⤵
PID:6988

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i
6⤵
- Executes dropped EXE
PID:6004

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5548

C:\Users\Admin\AppData\Local\Temp\kfen5luu.exe
"C:\Users\Admin\AppData\Local\Temp\kfen5luu.exe" /silent
4⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\nsk7262.tmp\SaferWeb-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nsk7262.tmp\SaferWeb-installer.exe" "C:\Users\Admin\AppData\Local\Temp\kfen5luu.exe" /silent
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:6988

\??\c:\windows\system32\rundll32.exe
"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf
6⤵
- Adds Run key to start application
PID:8564

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
7⤵
PID:8632

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
8⤵
PID:8740

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i
6⤵
PID:6084

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
6⤵
PID:5092

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i
6⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod1_extract\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod1_extract\saBSI.exe" /affid 91088 PaidDistribution=true
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4084

C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
"C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91088 PaidDistribution=true saBsiVersion=4.1.1.663 /no_self_update
4⤵
- Executes dropped EXE
PID:3320

C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
"C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5080

C:\Program Files\McAfee\Temp1287704949\installer.exe
"C:\Program Files\McAfee\Temp1287704949\installer.exe" /setOem:Affid=91088 /s /thirdparty /upgrade
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5768

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
7⤵
PID:1656

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
8⤵
PID:5912

C:\Windows\SYSTEM32\sc.exe
sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"
7⤵
- Launches sc.exe
PID:5220

C:\Windows\SYSTEM32\sc.exe
sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"
7⤵
- Launches sc.exe
PID:5300

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
7⤵
PID:472

C:\Windows\SYSTEM32\sc.exe
sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0
7⤵
- Launches sc.exe
PID:5284

C:\Windows\SYSTEM32\sc.exe
sc.exe start "McAfee WebAdvisor"
7⤵
- Launches sc.exe
PID:2016

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
7⤵
PID:5248

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"
8⤵
PID:5632

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"
7⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:2244

C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod2_extract\avg_secure_browser_setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod2_extract\avg_secure_browser_setup.exe" /s /run_source=avg_ads_is_control /is_pixel_psh=BjYV5z36rhNLeK6vjyXGpdKASCbBe9XQKBYZIJhpamMJtOVvlBmSxw42tRhPIT5CGWNlNKIPaZTbdiI /make-default
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\AVGBrowserUpdateSetup.exe
AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9227&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome --private-browsing"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4968

C:\Program Files (x86)\GUMB246.tmp\AVGBrowserUpdate.exe
"C:\Program Files (x86)\GUMB246.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9227&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome --private-browsing"
5⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4988

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5124

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5304

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5724

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserUpdateComRegisterShell64.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5820

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTU4Mi4zIiBzaGVsbF92ZXJzaW9uPSIxLjguMTU4Mi4zIiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0ie0Y5NkExRDVGLTIwNjMtNDc4Ny05ODI1LTU3NDY0M0YwREUwM30iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9IntFQ0RCNjc0RS1EOERBLTQwQjItQjc3Mi1BRjQ3OThEOUM3Mzl9IiB1c2VyaWRfZGF0ZT0iMjAyMzA4MDEiIG1hY2hpbmVpZD0iezAwMDA1OEQ0LUIyN0EtMDEyQi05RTNFLTQ1NDE0NzFFNkM2OX0iIG1hY2hpbmVpZF9kYXRlPSIyMDIzMDgwMSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9Ins1QThDMjk0Ri04MUZBLTQ3OEUtODFCNi0zQTI0OTY5QUNFNjl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNTgyLjMiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTIyNyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTE0OTgiLz48L2FwcD48L3JlcXVlc3Q-
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5904

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9227&installargs=--make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome --private-browsing" /installsource otherinstallcmd /sessionid "{F96A1D5F-2063-4787-9825-574643F0DE03}" /silent
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5940

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --heartbeat --install --create-profile
4⤵
PID:6108

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=114.0.21608.200 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85737ea00,0x7ff85737ea10,0x7ff85737ea20
5⤵
- Executes dropped EXE
PID:5704

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2528 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:8
5⤵
- Executes dropped EXE
PID:780

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2164 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:8
5⤵
- Executes dropped EXE
PID:6328

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2012 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:2
5⤵
- Executes dropped EXE
PID:5804

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:8
5⤵
PID:4000

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3688 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:1
5⤵
- Executes dropped EXE
PID:876

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3744 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:1
5⤵
- Executes dropped EXE
PID:4296

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3928 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:1
5⤵
- Executes dropped EXE
PID:5552

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3900 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:8
5⤵
- Executes dropped EXE
PID:6104

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:8
5⤵
- Executes dropped EXE
PID:5356

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4252 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:8
5⤵
- Executes dropped EXE
PID:6288

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\AVG Secure Browser.lnk"
5⤵
- Executes dropped EXE
PID:1148

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4712 --field-trial-handle=2052,i,13772444231634688354,2112176326339453873,262144 /prefetch:8
5⤵
- Executes dropped EXE
PID:924

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --silent-launch
4⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:6304

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=114.0.21608.200 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85737ea00,0x7ff85737ea10,0x7ff85737ea20
5⤵
PID:5772

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2236 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:2
5⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:5320

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2492 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:6196

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2280 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:6440

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3344 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:220

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3636 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
- Loads dropped DLL
PID:5912

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3780 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:4956

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3800 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:6752

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4104 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:728

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4256 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:5900

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:2372

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4416 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:6504

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4088 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:5216

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:6168

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:6136

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5068 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:6380

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5224 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:7148

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5376 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:2380

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5532 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:5624

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4064 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:5836

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5796 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
- Loads dropped DLL
- Registers COM server for autorun
PID:472

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:6600

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3736 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:1
5⤵
PID:7704

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6284 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:1
5⤵
PID:6412

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6312 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:1
5⤵
PID:7792

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:8
5⤵
PID:7216

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4360 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:1
5⤵
PID:7152

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6800 --field-trial-handle=2240,i,9743361294149304294,1485932910707247992,262144 /prefetch:1
5⤵
PID:956

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
AVGBrowser.exe --check-run=src=installer
4⤵
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:7408

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=114.0.21608.200 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85737ea00,0x7ff85737ea10,0x7ff85737ea20
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:6108

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2480 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:2
5⤵
PID:7856

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2596 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:8
5⤵
PID:7884

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2520 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:8
5⤵
PID:7892

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3148 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:7832

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3432 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:1480

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=4024 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3132 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:6788

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4408 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:2480

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4560 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:6272

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:8
5⤵
PID:6584

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\AVG Secure Browser.lnk"
5⤵
PID:7688

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --disable-protect
5⤵
PID:6276

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\AVG\Browser\User Data" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=114.0.21608.200 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85737ea00,0x7ff85737ea10,0x7ff85737ea20
6⤵
PID:4600

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:8
5⤵
PID:6368

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=6592 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:5928

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 has-startpin "C:\Users\Public\Desktop\AVG Secure Browser.lnk"
5⤵
PID:7036

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:8
5⤵
PID:220

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4420 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:8884

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4680 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:9104

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4656 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:9148

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6188 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:5896

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6048 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:1
5⤵
PID:8304

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=5184 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:2
5⤵
PID:8020

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=2484,i,15853810335340437906,13868358147403764386,262144 /prefetch:8
5⤵
PID:6648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://s3.eu-central-1.amazonaws.com/adlocis.linkvertise.links/pastes/145268061.txt?X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA6L5L3NKTBHJ3YVHU/20230801/eu-central-1/s3/aws4_request&X-Amz-Date=20230801T072408Z&X-Amz-SignedHeaders=host&X-Amz-Expires=432000&X-Amz-Signature=1c0aedae0c82127e91e71a581f5489cb01477caff3a49fc8f58e350432b1a660
3⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85f6746f8,0x7ff85f674708,0x7ff85f674718
4⤵
PID:6116

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:4056

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
PID:5996

C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\AVGBrowserInstaller.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=2 --default-search=yahoo.com --adblock-mode-default=2 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=msedge --import-cookies --auto-launch-chrome --private-browsing --system-level
2⤵
PID:3284

C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\CR_14583.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\CR_14583.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\CR_14583.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=2 --default-search=yahoo.com --adblock-mode-default=2 --make-chrome-default --force-default-win10 --reset-default-win10 --auto-import-data=msedge --import-cookies --auto-launch-chrome --private-browsing --system-level
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:5236

C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\CR_14583.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\CR_14583.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=114.0.21608.200 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff64bb27fa0,0x7ff64bb27fb0,0x7ff64bb27fc0
4⤵
- Executes dropped EXE
PID:4572

C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\CR_14583.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\CR_14583.tmp\setup.exe" --system-level --verbose-logging --installerdata="C:\Program Files (x86)\AVG\Browser\Temp\source5236_346911410\Safer-bin\master_preferences" --create-shortcuts=0 --install-level=1
4⤵
- Executes dropped EXE
PID:1704

C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\CR_14583.tmp\setup.exe
"C:\Program Files (x86)\AVG\Browser\Update\Install\{E033C1E7-44D3-4C60-8A93-29C98294BF73}\CR_14583.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=114.0.21608.200 --initial-client-data=0x274,0x278,0x27c,0x250,0x280,0x7ff64bb27fa0,0x7ff64bb27fb0,0x7ff64bb27fc0
5⤵
- Executes dropped EXE
PID:5364

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 taskbarpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Secure Browser.lnk"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5292

C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe
"C:\Program Files (x86)\AVG\Browser\Application\AVGBrowser.exe" --type=shortcut-pin-helper /prefetch:8 startpin "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Secure Browser.lnk"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe"
2⤵
PID:6104

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe"
2⤵
- Executes dropped EXE
PID:6980

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5436

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5436 -s 2852
2⤵
- Program crash
PID:6728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 5436 -ip 5436
1⤵
PID:6660

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5284 -s 1984
2⤵
- Program crash
PID:6840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 5284 -ip 5284
1⤵
PID:6532

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2292 -s 2284
2⤵
- Program crash
PID:5692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 2292 -ip 2292
1⤵
PID:6944

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5916 -s 2228
2⤵
- Program crash
PID:6360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 5916 -ip 5916
1⤵
PID:6320

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
PID:6028

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:5988

\??\c:\program files\reasonlabs\epp\rsHelper.exe
"c:\program files\reasonlabs\epp\rsHelper.exe"
2⤵
PID:8028

\??\c:\program files\reasonlabs\EPP\ui\EPP.exe
"c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
2⤵
PID:7612

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7588

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 --field-trial-handle=2304,i,15697292159253799477,6029184139290164133,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:7976

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.2.0\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2644 --field-trial-handle=2304,i,15697292159253799477,6029184139290164133,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:7996

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2484 --field-trial-handle=2304,i,15697292159253799477,6029184139290164133,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:5868

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.2.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=4032 --field-trial-handle=2304,i,15697292159253799477,6029184139290164133,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:7600

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2960 --field-trial-handle=2304,i,15697292159253799477,6029184139290164133,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:8116

C:\program files\reasonlabs\epp\rsLitmus.A.exe
"C:\program files\reasonlabs\epp\rsLitmus.A.exe"
2⤵
PID:3956

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5816 -s 2232
2⤵
- Program crash
PID:6668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 5816 -ip 5816
1⤵
PID:2572

C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:6508

C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5784

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
- Executes dropped EXE
PID:2464

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:6488

\??\c:\program files\reasonlabs\VPN\ui\VPN.exe
"c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
2⤵
PID:6472

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5860

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 --field-trial-handle=2292,i,5110581396500696483,1663853751613870315,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:2540

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=2556 --field-trial-handle=2292,i,5110581396500696483,1663853751613870315,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:2452

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.2.0\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2860 --field-trial-handle=2292,i,5110581396500696483,1663853751613870315,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:7712

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.2.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3296 --field-trial-handle=2292,i,5110581396500696483,1663853751613870315,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:1268

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3884 --field-trial-handle=2292,i,5110581396500696483,1663853751613870315,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:5720

C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe"
1⤵
PID:4896

C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe"
1⤵
PID:6036

C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe"
1⤵
PID:408

C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe
"C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:5900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:8128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7064

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
1⤵
PID:8980

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe"
1⤵
PID:3776

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe"
1⤵
PID:9060

\??\c:\program files\reasonlabs\DNS\ui\DNS.exe
"c:\program files\reasonlabs\DNS\ui\DNS.exe" --minimized --focused --first-run
2⤵
PID:8088

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" "c:\program files\reasonlabs\DNS\ui\app.asar" --engine-path="c:\program files\reasonlabs\DNS" --minimized --focused --first-run
3⤵
PID:7864

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 --field-trial-handle=2224,i,6627132997260241444,6313488062664362678,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:3232

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --mojo-platform-channel-handle=2460 --field-trial-handle=2224,i,6627132997260241444,6313488062664362678,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
PID:1144

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --app-user-model-id=com.reasonlabs.dns --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.2.0\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2924 --field-trial-handle=2224,i,6627132997260241444,6313488062664362678,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
PID:8364

C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.2.0\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 --field-trial-handle=2224,i,6627132997260241444,6313488062664362678,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
PID:9016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2708

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /c
1⤵
PID:8420

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /cr
2⤵
PID:5488

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe"
2⤵
PID:8576

C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe
"C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe"
2⤵
PID:6076

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ua /installsource scheduler
1⤵
PID:8412

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /registermsihelper
2⤵
PID:6428

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:9028

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
PID:5948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AVG\Browser\Application\114.0.21608.200\Installer\setup.exe
Filesize
4.7MB

MD5
4e169317e3e8e9579832090ba86ba937

SHA1
085d8f8378143af1b09f312cb19d2c91af4a92d1

SHA256
6361555684837e4c1d77a4889e4439408518d34665c0edea92a51515230946b9

SHA512
299827bed0e50c01630dce3a3e450b64d1ad1e627f10c5bbd35097ce800d04ea1f674b34f7e93fe6809a79b3198cea70cd92e1a0b8d9128cd3c64b6fe4a9ef28

Download Submit
C:\Program Files (x86)\AVG\Browser\Application\SetupMetrics\20230801072619.pma
Filesize
2KB

MD5
568d3ec077046bfc7b2f5c37623377d3

SHA1
d70e2136c1af223fc1a067bd07549fe3f2746224

SHA256
665fcd8bd63884f1900d8b0c0fcc6a81776d995989a6688cff0a477f0ef975b6

SHA512
91510cdf28c721399f02079c02a4e826a4cec66d1b66f5009d204dedadcaebee8663875fd6b074420fdbbae0957bd4dd1e65b1996bf4f5d26ae9efa58df5f546

Download Submit
C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler.exe
Filesize
149KB

MD5
ad2e402663cf92613e1ffd1d04bcdeb2

SHA1
cea9b5d96b47cf9c82254593ba12b50b97fa59f0

SHA256
c72b63a6b690352af20405cb0e9ab84951ee116f417a2b6462859242bac4137b

SHA512
94a86ab826c969af54c9be213e1bb282f0125d645bc865a014d3421caf93467f01ae01cc9fcac3c79c05b1e60f18c1024ec1f0c7717056164a8e5d7cf1336bc0

Download Submit
C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\AVGBrowserCrashHandler64.exe
Filesize
170KB

MD5
e2af0d9d0b2e31f81d0e6e1b78938334

SHA1
e6a0d14d5389552ce66fa78a10168332e80f1f31

SHA256
dcbd4e1dc1eae19330d2bf71b6898557abcbaa07f218e82c7635239afd38a74b

SHA512
1f01cbffa3f1e871256fa01aa66357c595566f2faea6a5794faf7e98cec821bb086b54ef1bcc28643e76dabff4b40c7f2c8ea372c7bcb3ffcdf9144b5164c812

Download Submit
C:\Program Files (x86)\AVG\Browser\Update\1.8.1582.3\npAvgBrowserUpdate3.dll
Filesize
506KB

MD5
c46c52976d49246aa050c868d7ecb412

SHA1
2257221d881d874f18f7f7e3cc966b79420672c9

SHA256
872cdd1cd854d0973be3f6e5d3f361b9d85c7ce035a380e5f313dd7eb26b43b6

SHA512
24801e16dbc32fd389583c62ab4157b25318e645fe2b911bf8b859a72a3c38c103e86ef514a7a9ce3da6dc76f1c076253930657aecb955d56b94593d24a26cb6

Download Submit
C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
Filesize
204KB

MD5
a2e0e8ff0bb8068d6e06db4b5da75806

SHA1
8ff63d9d3c7879f40070851e464241ab5ce82273

SHA256
9127425263da7557b33e7035258e661925c445c0443a825227b6e5a75093f964

SHA512
dccd0a4dca930ce8ad77487fdb7c92a70388c6eef4d6b662f8c766df57a250fe2096ede8122941ec62dfa51bed4cfa848bcf6e07dcd0fdd52920cf2c84095a32

Download Submit
C:\Program Files (x86)\AVG\Browser\Update\Download\{48F69C39-1356-4A7B-A899-70E3539D4982}\114.0.21608.200\AVGBrowserInstaller.exe
Filesize
102.0MB

MD5
b678d68317326a88932c01a76910b70a

SHA1
4732d51c44d143b22620facbcd8d3e398de5959c

SHA256
2fbdee14bde5a01e5a42134e8db617b6d589a9009eebae73945208b136da5f13

SHA512
94a36d98ee60a21594344a71047cf4ab950690bdbea7fd362e091781d57104a23b8a5757cd046dccf842fbed2172d30c359d49930266be7dbc7cd8d05c2aa6dc

Download Submit
C:\Program Files (x86)\GUMB246.tmp\@PaxHeader
Filesize
28B

MD5
10922eb267dbdcd3d62758c71fd315b7

SHA1
83438caba778fb4e6ef4f9053537d7c0b4d8fdf9

SHA256
47f1c3c59a24a8d14d87d08b7a0334c7970bf1a52c8283393436bce215d362be

SHA512
038beac0e419f75609712f75df7d17eb7e14c6142a44d41872d3145305fc9342f346ad5a23c7616f73bcc36aa828b0e39b2bac748b4c9a7756273ed640e76b02

Download Submit
C:\Program Files (x86)\GUMB246.tmp\@PaxHeader
Filesize
28B

MD5
10922eb267dbdcd3d62758c71fd315b7

SHA1
83438caba778fb4e6ef4f9053537d7c0b4d8fdf9

SHA256
47f1c3c59a24a8d14d87d08b7a0334c7970bf1a52c8283393436bce215d362be

SHA512
038beac0e419f75609712f75df7d17eb7e14c6142a44d41872d3145305fc9342f346ad5a23c7616f73bcc36aa828b0e39b2bac748b4c9a7756273ed640e76b02

Download Submit
C:\Program Files (x86)\GUMB246.tmp\AVGBrowserUpdate.exe
Filesize
204KB

MD5
a2e0e8ff0bb8068d6e06db4b5da75806

SHA1
8ff63d9d3c7879f40070851e464241ab5ce82273

SHA256
9127425263da7557b33e7035258e661925c445c0443a825227b6e5a75093f964

SHA512
dccd0a4dca930ce8ad77487fdb7c92a70388c6eef4d6b662f8c766df57a250fe2096ede8122941ec62dfa51bed4cfa848bcf6e07dcd0fdd52920cf2c84095a32

Download Submit
C:\Program Files (x86)\GUMB246.tmp\AVGBrowserUpdate.exe
Filesize
204KB

MD5
a2e0e8ff0bb8068d6e06db4b5da75806

SHA1
8ff63d9d3c7879f40070851e464241ab5ce82273

SHA256
9127425263da7557b33e7035258e661925c445c0443a825227b6e5a75093f964

SHA512
dccd0a4dca930ce8ad77487fdb7c92a70388c6eef4d6b662f8c766df57a250fe2096ede8122941ec62dfa51bed4cfa848bcf6e07dcd0fdd52920cf2c84095a32

Download Submit
C:\Program Files (x86)\GUMB246.tmp\AVGBrowserUpdateCore.exe
Filesize
512KB

MD5
0eaf12bb06501a62df52d3ff488d009e

SHA1
217b8e7b39d9698f134a2ee91efc6c07957b2503

SHA256
b9e37578debabb533b5ad30b31a20c1275f12eb5b1778386c2ee086b09512c37

SHA512
d418cc64bdc84217d98b1d7ae9f55d51873070372418cb88b1720e48f0fa744dc60b72c053cb8ce42be488b581eef60b93ed6d1d797520796f52f5c3b551acd9

Download Submit
C:\Program Files (x86)\GUMB246.tmp\goopdate.dll
Filesize
1.4MB

MD5
0fb0c73e4ea6f96f77b6767c8a144c33

SHA1
cfe4a43b70b5e7fe07caac28b508830d273cf1ab

SHA256
a13e6df98938d8c3cb245629a1c3abef1a76e2690f73819a846eb4a2dbcc973f

SHA512
0d9c48cf9a62b94b32a47db097cf3af7916ca15eabcf54b476eda8591b49e292a745919b3cbf90ff4ec9d126e0299371c858dab5e2894404fb71d9e23f4ee433

Download Submit
C:\Program Files (x86)\GUMB246.tmp\goopdate.dll
Filesize
1.4MB

MD5
0fb0c73e4ea6f96f77b6767c8a144c33

SHA1
cfe4a43b70b5e7fe07caac28b508830d273cf1ab

SHA256
a13e6df98938d8c3cb245629a1c3abef1a76e2690f73819a846eb4a2dbcc973f

SHA512
0d9c48cf9a62b94b32a47db097cf3af7916ca15eabcf54b476eda8591b49e292a745919b3cbf90ff4ec9d126e0299371c858dab5e2894404fb71d9e23f4ee433

Download Submit
C:\Program Files (x86)\GUMB246.tmp\goopdateres_en.dll
Filesize
42KB

MD5
2d104154df1390915432d09a15494d1d

SHA1
c71ddbf257e3cc823436e470b16faf95256b104d

SHA256
8c1986122b2e15919ef09364c4a17fa9e25f028a52167d9b50b08795d42fee4c

SHA512
92c64c0237337b8a0174d7760735c6e1b039b4b9fb96b892e3f13301de58ed8d2fbf53f65c8fdcbd4b089b6429c14d6b8aeae752c80712e3376cae1ede47cb31

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
Filesize
71KB

MD5
a7ea920d69e87e4368dd96bee21043c5

SHA1
55b77edfb64343a30c07c922db77b2dac8e07e6e

SHA256
431b6243620ed9174057d26ba97c46b3e0313d7b4fc9633a68cfdd45c0d8fa8a

SHA512
8f0064ee744ebc1dbacb504be13ef8d90d4d96fd90dfe1fce83e49b677d4d3a1df818a14e7a9948d1bd775345b91284e79d6df6e6d5d47e2331ee4fb695e1120

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
Filesize
570KB

MD5
0b582093d4107b08f1e6127ea10988b3

SHA1
87fb5950f7ce4e0f303925c04ee5a30f197c8d0b

SHA256
377728fdb8a2e4da502d84498cad2a14e4c66bf3667229b2af0e08e353a1aac2

SHA512
a130a9da99c9d3fe6a15c12dccb02f3afc38f3810d49b7310325048091e33273182c2302b694074c24941c476cf3f6c618576103b2e30844108954350b1f78a5

Download Submit
C:\Program Files\ReasonLabs\DNS\Uninstall.exe
Filesize
1.4MB

MD5
20db84a8f983d17e9bc619589a7dc480

SHA1
7d02207dcb910ec8aa4a7fb5877e72d6ebac50fb

SHA256
272c327674affb23d66ffa671ce5893c60bd85ee49f2bba76a3233b50681adbf

SHA512
22240446968dff505be133feb93be2e76814dd4f144452c885e615435ed28b2a34c2218f773e3a152e1d32fe8e9690c8971d68f31a150bf1d4f3974090b028fb

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog
Filesize
248B

MD5
6002495610dcf0b794670f59c4aa44c6

SHA1
f521313456e9d7cf8302b8235f7ccb1c2266758f

SHA256
982a41364a7567fe149d4d720749927b2295f1f617df3eba4f52a15c7a4829ad

SHA512
dfc2e0184436ffe8fb80a6e0a27378a8085c3aa096bbf0402a39fb766775624b3f1041845cf772d3647e4e4cde34a45500891a05642e52bae4a397bd4f323d67

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog
Filesize
633B

MD5
c80d4a697b5eb7632bc25265e35a4807

SHA1
9117401d6830908d82cbf154aa95976de0d31317

SHA256
afe1e50cc967c3bb284847a996181c22963c3c02db9559174e0a1e4ba503cce4

SHA512
8076b64e126d0a15f6cbde31cee3d6ebf570492e36a178fa581aaa50aa0c1e35f294fef135fa3a3462eedd6f1c4eaa49c373b98ee5a833e9f863fbe6495aa036

Download Submit
C:\Program Files\ReasonLabs\DNS\uninstall.ico
Filesize
109KB

MD5
beae67e827c1c0edaa3c93af485bfcc5

SHA1
ccbbfabb2018cd3fa43ad03927bfb96c47536df1

SHA256
d47b3ddddc6aadd7d31c63f41c7a91c91e66cbeae4c02dac60a8e991112d70c5

SHA512
29b8d46c6f0c8ddb20cb90e0d7bd2f1a9d9970db9d9594f32b9997de708b0b1ae749ce043e73c77315e8801fd9ea239596e6b891ef4555535bac3fe00df04b92

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
Filesize
323KB

MD5
4a674a9a3e6df14f70d951158924589e

SHA1
aadfb1cd2fbd62fd5fa12a8e3dbfa6ad5433423f

SHA256
33ee4594a498c35534d8b678d3679f0efe6b777fb1d476448daca4ba9c9887a2

SHA512
098b26165fea0841f29cdb5533cd7a36d4f6f2a5e63f57aebc9c1a7f5703a865d0f1a1f87709e726b0cf3dc37953b0ed204db73d6881318941055e8624dab889

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll
Filesize
1.1MB

MD5
44f00c71cf8c8cce28bf0b2385c1e8d8

SHA1
50ce7c51e5344ccc3a4595f238edbc29bc68ed81

SHA256
10226d905ab05e187b96c3042642ef1d0271ce5bbfa74b9089875fd18c2aab7c

SHA512
a9ff6c61630cbbc4a43d59519ca8d4bb9993cf6356b60b1c29456c3b618d1afad37a3f64596977036fad76f7e7d87de48f18a09e31bb9ecacb175e9762281215

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
Filesize
324KB

MD5
becd8e66c02ea19940abf9015e2088db

SHA1
e0e9b86a6a70d1b308e8f4b354bfa536e3bb637d

SHA256
0442afcd2b49b90aee2df568294630e688c1fdd17921dd97072caa344c903713

SHA512
62045e6044140d856cb114fc4316cbd2a10de69953df65a5aee43e8fdd92883f3102b15b4e824ed6e03eacb29d3a0439ff40a1776ef5836f93e6a1e04bbacebc

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config
Filesize
5KB

MD5
4b76e89453807a6dafc1b9f8ae3ded3c

SHA1
de363faf90c7c96af47c5c2887cee4cb8bd041ce

SHA256
c58271daaaeb8eb73c37f585532be29a8588dd1f570db7fd119d8093157b6e7d

SHA512
05a857af1a46d411f837cea194e15489b2f2950c30fc34432a1f7f400950a733bf7d04625d065d74fd3f91e7f1a89d8a854ac0221e6cca8a78f1e047425d6604

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog
Filesize
257B

MD5
2afb72ff4eb694325bc55e2b0b2d5592

SHA1
ba1d4f70eaa44ce0e1856b9b43487279286f76c9

SHA256
41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

SHA512
5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog
Filesize
660B

MD5
705ace5df076489bde34bd8f44c09901

SHA1
b867f35786f09405c324b6bf692e479ffecdfa9c

SHA256
f05a09811f6377d1341e9b41c63aa7b84a5c246055c43b0be09723bf29480950

SHA512
1f490f09b7d21075e8cdf2fe16f232a98428bef5c487badf4891647053ffef02987517cd41dddbdc998bef9f2b0ddd33a3f3d2850b7b99ae7a4b3c115b0eeff7

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
239B

MD5
1264314190d1e81276dde796c5a3537c

SHA1
ab1c69efd9358b161ec31d7701d26c39ee708d57

SHA256
8341a3cae0acb500b9f494bdec870cb8eb8e915174370d41c57dcdae622342c5

SHA512
a3f36574dce70997943d93a8d5bebe1b44be7b4aae05ed5a791aee8c3aab908c2eca3275f7ce636a230a585d40896dc637be1fb597b10380d0c258afe4e720e9

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Filesize
2.2MB

MD5
3767f58edde1de4fbd627d8247143ec5

SHA1
98c60d089928dc9576c311cc7fd0ca3e68f52770

SHA256
f604e5072b4508fb534912703f7570745815a7c41132a8d1c05849c254d68606

SHA512
6a04219f0beb8e5d4854c94c1458c86dd701a14889ae38c25e2e9c7e1ebf8154c4aae3356bb3418269c2b75a5da72fc8aca6355869e9f7b7539236a532f6f65f

Download Submit
C:\Program Files\ReasonLabs\VPN\InstallerLib.dll
Filesize
297KB

MD5
11ee0e7a3291e294c04c9c32fe31b964

SHA1
23205f51352e061cd9e62396a2b5b422902db2a7

SHA256
83dc42d2dcc6e22718b36bd247e0631137f387bfc127f3c346740fb87494eec8

SHA512
f655f5e97c42cd67aeb4387554e6dc0bd3a72ceae5f05faba13d6b6db2561bf2854e0eff86c7a29201776e863bb9c3ccdd1d9f66923060fa057e802233509c05

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.Core.dll
Filesize
322KB

MD5
49b8602774497ca41549407c744f3c00

SHA1
7ebe35bd0bc816896ebf19065e80a846c8e5f0be

SHA256
8d6552f953688b749230fc99614982226fab31c42c9cfb645977dca9a6cd1dfd

SHA512
74702c8129a68ab056f760def049d3896777d07e9afe6069499ddda715ab9852088f081a0e48353dfffb27d6de5b147599a3c15dd90a16f8a83cbb1e72994266

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.config
Filesize
3KB

MD5
391b0541eccade16f2f287edf6409111

SHA1
023027e68e13546143892f284c7dab8e9a39907b

SHA256
2488b61d7576bf9a3c0712fe47b681986cedd5bc1559ae6e4745dd756e5819ad

SHA512
0a07472d1843738dd88a19e1f240d5643f87ef05109286f939271ad403a495807474c1b00051e182636078591241b3170f6e0c983a8ba2feb1f14d9dc4f8182a

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog
Filesize
248B

MD5
5f2d345efb0c3d39c0fde00cf8c78b55

SHA1
12acf8cc19178ce63ac8628d07c4ff4046b2264c

SHA256
bf5f767443e238cf7c314eae04b4466fb7e19601780791dd649b960765432e97

SHA512
d44b5f9859f4f34123f376254c7ad3ba8e0716973d340d0826520b6f5d391e0b4d2773cc165ef82c385c3922d8e56d2599a75e5dc2b92c10dad9d970dce2a18b

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog
Filesize
633B

MD5
db3e60d6fe6416cd77607c8b156de86d

SHA1
47a2051fda09c6df7c393d1a13ee4804c7cf2477

SHA256
d6cafeaaf75a3d2742cd28f8fc7045f2a703823cdc7acb116fa6df68361efccd

SHA512
aec90d563d8f54ac1dbb9e629a63d65f9df91eadc741e78ba22591ca3f47b7a5ff5a105af584d3a644280ff95074a066781e6a86e3eb7b7507a5532801eb52ee

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallState
Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\VPN\ui\VPN.exe
Filesize
431KB

MD5
51768a1f40dbfe178dd62d8dfb1d0f7a

SHA1
69310d02290355d1fa9ee6de1dafc68f369651a8

SHA256
04d33a622e7d36972eb143b312138d434978f78acb6b5bbe9d631b2abe697f77

SHA512
18b2778dfbcec9f9451780ec8bf12487b5bd5ee8e73e2702ff26213dd3746c8aa9ad2dfbcfe8558ae66c4e7a3ccdcb97b604cf3507ea9ee5a4064e0516c3595c

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
Filesize
2KB

MD5
b8d5d3114142e151096c8d9750d436fa

SHA1
e08b8639b5a0e0beac3a3e958bb1a83e4cb64957

SHA256
1fc60e0675d121b68ad9fb6cc6bc146c439b4ee107c75bde5842e765c716c724

SHA512
21b17bd69e32bfac5692521f4446839c40709ade55e2803c87fb02dd911419322b1b6e63dfa1876e498e98ead17eea459502deb19a4078c52640e73eaeed0e76

Download Submit
C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log
Filesize
5KB

MD5
48184f4429d2cdb6a1203a530afb452c

SHA1
c7710040a158fa8019668c8375ba2c391e4c60e2

SHA256
6037a6beecaf6050deb603b706a5a5c4b9993e1f71d59291270ade8111600103

SHA512
b0540dbbeca4610e675f801caf365eb807ffd6db56f703467a1e6b59444a97679295058fc5711309833d192b43e8d51275d064ca0ff93f2c8e74b729ebd1b4bf

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
b5b41c9d9867bbeb4ba06452cedb2e77

SHA1
1fb284f510a3488bfcbda7ee61cf5521984ac4f7

SHA256
1c5e87d5602be685948fa85fab92a7375a2aee32c9e9d59a8ecaaf1f210470b2

SHA512
189393ab73805c3bead74a248ba6ee00c333813cd02598400da963d250c21f1945ff0930d1e06b7186fdefaeff19e1063bfd54b7ac037750491374089b433fc7

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
68049e5bcb523208a23f8af1ad648036

SHA1
97b08789b7cf8b1974cda983c72d7dc6b0f75ba3

SHA256
a35f36382360660f436f9665c4541faac8ee09ffffb8cc6a69d1877eb1b4b778

SHA512
e00dd5647a3dc67df83985a57e43832d5ea1c0fe8697266946c0bded5fa00dbe8022c0016befb9cfb40955813090968422f2bc0319654e791089278340eb2dc8

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
8fb50ef6c617d4466869cd97ed919bd0

SHA1
204427466fc68bb10428412494e59be179a6ad90

SHA256
f2517fe8e8bee698b6570a8657d08734b660256666e6b565c01f8a038c551f62

SHA512
0064964becc48de03aedd3f90d79e2fefef33d55b9ce7b3eda5c831d081bc5448a2c54970a1674a31bd6c422904a9ad6ff739031232547028c93c4b92cd0058c

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
176362ea71543f5ee44f36b56c8d6da7

SHA1
3bbf401564628f6612f54044bc30ad6821aa3955

SHA256
c5eef7d9ad7147a63af583d666e57760e11671122dbc5dd7bb67459437bab742

SHA512
816935937975c7165ea1c853bc91865f05c822e929a7728783b91d76333757910ef060f9a9913ad9841acad47ed5a0ae5227782b13bad5168cfd336b0251db93

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
c49885f3439f2f91508a3f58eab52fe2

SHA1
df0bc84ba0a72e73861cc654e513b96d8a825423

SHA256
3b84584974519db698766a99fcddc5238d1d9b280ec1845c4e41f1709d8447ce

SHA512
09d54656c887238ed063bc489e7d9b310b2b72867dbd69066c351363319e85e0bca50109cb49f8bcaf4b1659ea54cb0864d2d837b12dc113b752f0676fa52039

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
672B

MD5
db53118e849db031ca5f276d8fa5f3a2

SHA1
288f8fee0cc6dcc237e5672a235ebd8d98e52b57

SHA256
088c39a5230de3e0fa9b0bfcc96d196e80f38aa5ec373408eb1f38331516cdc3

SHA512
6dbca564998d2449127b58db6e36fda0929d3b259b6635df7823857925909c6f4da77f06b3c6875c2b5a2a3750ca47457c94b74d2f2013aa78e0b7497313dc45

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
71ee7a66726fe8193aa54988961ba6dd

SHA1
c7f1e5d51e0d90b79b7b12d8b5b4727397d2cd0d

SHA256
29961bcffec8482e34c947964137aa56c83aa5d04baf6dba4fe2ec0043081830

SHA512
3dd6725aecdc7bcd01336766e3fdd2851093454c11a3d6979918a9f7e717c09f087693dbaadbdb573fddc680c321d1c2df042c99849dbdea4076863c6606542d

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
c7efc531187a94993e6c8b7e97f229b5

SHA1
5e986c4d6c64d38dabd7cbaf909ef5f0b77f9bee

SHA256
5ad67ee4a8788928dc2dcafec3e31b8b5cb65079dfea58a8f31d206d62963eb9

SHA512
26d4d6443c5f0c6a9a6fff018f3bf121e65e5350b05a424ba9a661c5e1d4509f0567471361b989d46c5cc56acd87976db2d9a0dae2cab57f65559eca14c91082

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
4d1aaec2d15d94efca11516e5b1bf6ea

SHA1
8c14831f4481af76ad28d90fe54ab412c4d80f1d

SHA256
6ec41d929a0af530a3aa4f73c6326819e7253e3730476ae7236094f8626f8b17

SHA512
bee3cb0622f399330a55e52e71975f16e61b340e11b2bfb16d00cd047bfcdddb2577c4fcef30ecb0d72acad96b0a226aa2807943ad7443d2859f7e2d35665698

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
6e3c6c7bee05abff4077ec6396377db9

SHA1
64fcc00bb05716d6ecdfde4b13f589f0481002fc

SHA256
69085ab335e4ae5244ab702b5d10ae0929aafa9284b795922297aedb47c87427

SHA512
a7915d42170ecaf47e9189fb113764a915fff1ab9cb3b66fe4b8d76b3a31ee6dc7999f94a850fc0bb163e881dd5f9da7b15605f05fb86364d1b865c02598bc3a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
31924320aad5202a1e141ece7687d868

SHA1
235324c4a4e1ce44cd492f6ddb63d8422edb37ef

SHA256
c9b4df9c1916ca59594fb728e6719cfa8c2ab0c4a153e45a47bcaa9d19971d48

SHA512
6afd1f2406a4e6f15966e03e87c4bf1cba7043ad2d90e28f7768636e0a93b2de2cb30a2eab1f612d29d9e92cc13f5389ee31ae87613d98c25d5a8c8eeb752faa

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
ac2d1925bff170e7e85d36931eb69b11

SHA1
d8a8696148b7207314c440c371889405a4c01c75

SHA256
47e4edb5262c827c1239957e7c9c143ab1b884caa49f5de7ad4e363f4f5275c7

SHA512
05ea5e7dc2e147049924cf535952e28f62991662227b55b84d5962d6f54ee98519bd695cc3f6d8f021193540263b9b5c1f246c3b58d0f2e0979d08d90a3a7a3b

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
ee873a3cf04b772035217bc9102596d6

SHA1
fb1e6e8d01768a9b9e092b8a566e07e9e6927d5a

SHA256
e811291d5b64278ef1d6fe35925eae7b28bc55901183a8e2904154d77af24c73

SHA512
46e5e630289a2f49d6b36e64b8caa56d799d82d5d0fde1f0c580cf66100b73de03412c09828e1b4b631e4b399164f105e7afdeabede72dd84f0241831f66457a

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00200057003F001D0006.txt
Filesize
302B

MD5
131eda4af810da4b33c0035192296ea0

SHA1
55c37f1cb139ccbe65a314b84b9f36ca3f93941b

SHA256
e50f7a4e6b66217b71852a99cb84692426c4448b7340ad9247a3b7538ca5fb43

SHA512
2d038f75dd6b9776cfa2652cb64e087d0502e75bda0d8a52895def38887439f52ceff3a4fdb38cd02936a7246b5fbfc13a6c5830902e347a90bc3fc976b72404

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
Filesize
27.6MB

MD5
34b0cc5bd6e8121e1c00066d322c4a19

SHA1
4364a7e6de0f5b2da6f3dcb7ed6aab233c663911

SHA256
9b945202491208ee773718e857130399f756a9285448862858685abaad09851c

SHA512
c3d52c0d51784a8b235c95e9e4cada7d7fc9c080f2896a378221dcdb0fa65ee217ec44da90d6c94139aaa19201e51ac66ebbeee7c0ebbc74f9f098525dea687f

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe
Filesize
1.1MB

MD5
bb7cf61c4e671ff05649bda83b85fa3d

SHA1
db3fdeaf7132448d2a31a5899832a20973677f19

SHA256
9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534

SHA512
63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp
Filesize
5.0MB

MD5
8c162ee2a744cf93ef4523eabd6d9bf0

SHA1
7ee498ce359fd196baa93fd53763d0e256d5d693

SHA256
77005f55ef89d008b6c26a9f068ab6a23510cd2175ef81cf8ba5f8731adcb693

SHA512
a16adb92c6e481b3e3fb3a2db4dabcaab8bdddd4a0b9e82308fd2ce965288f6209b8909c38106a30f41cb740ad129b086be4690d803232ab47ee989bffdc9e02

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp
Filesize
2.9MB

MD5
d85160b022b5f32166985112f3aa86fb

SHA1
0663c0052754716d0bb18f57c20f9c8b027937ce

SHA256
482b66ef4e238698be1813c198bd52aee40e2ff3cba200df6da8fcaa03cbd17d

SHA512
cc2d6047013225a20fc4abcacfda5a435296c51e89e0e453845bbf9f640e8e896e8c39c4a804778d58835ff9a6b5722e8b4d346307fdb8e338f987284f54e98e

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp
Filesize
528KB

MD5
e5407818355c5d7c5c7064d6a5f87448

SHA1
abf05955da1362899ebeb104769ce343b37e5388

SHA256
ca44c92a268c2568ce3f96d475d1a91faa10d8a0cd635df7ff8454ec250ad606

SHA512
d179d1c9e104a3f24dfeb3aaf8add2e512108b36e6ce2ca73b0ee8715bebc0c2572a4170250719af25774cbf4e3d9146225e3eb016dc95d7fe7b277beeadf82a

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2a51b7667f2bb6a02005be109314380d

SHA1
54d3416d118bcbaf210caea81c199fc79c0f8809

SHA256
e262926da5c86414b358bead60aae1db43922dcc39fca8d0ff9eb178be7e833c

SHA512
67c3ffcd2416a0e30cc34f662562666228de4c88517a87137724e33f00d9c1b14ec660ed75b9cfc3d5984e471eb8a33f4e2bd3f6b607b770452839121dded243

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\5a0b58ed-b81c-4750-a934-cc15cfffdd3e.tmp
Filesize
169KB

MD5
af4279bfe0838ee460bda756579f1b65

SHA1
5801c6f2a9b1f41dec47d9cc88335a47cac1bea0

SHA256
34ac120fba1e4ba7c8de65264e9446e84b37053c01a280809950a0c47486330b

SHA512
67f3104b87371a58e7e72a42754c43dac33f12cf2afa1272d0bc0a7499d0d8d38f49d3b8303d6ce2a2b607c7755cd238d1ca38a66923fd8b3d8c6c541f8ce4d7

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Cache\Cache_Data\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Cache\Cache_Data\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
9dc6a66323ef27019003a56cc4bd3c6a

SHA1
5e583929fe2f0c021a52f6367baabf92a201173e

SHA256
5cd592d7eb68f6d79f97baaf859174a7c0d5cf902bba8d16b736638c01af10ae

SHA512
4f73b2ed4820a96ad7428cec550c7938a31d513647c7050050403131a617dd2f8c7ad09cafa2baf9cbd812a4c072ea5e60a96ce73edb99cb906d73521458eeea

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
923aa6c870226de168f6f6f15d15c38f

SHA1
2d28f880d614bfa5a76c3f1736d961693415a7b5

SHA256
2fd8766e2b5cac2767c9544bf2ad514f78c4b95e6700d0fa829f825873ed3dda

SHA512
b26a61d011810fdfdfd093207c67ee0a2b9c3c40ed06f048fa7b2a6b3aece25536f1905720a2e98725fa4749de13c63c22abd2a6b5eea98123e6e20d1c289162

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
432B

MD5
2a5bd8560e1cc70d72ad982ebce1d0bb

SHA1
bc0610b5575d859f1e8c46d8ee3a85adaaa9818a

SHA256
c3a75792ee1854b5c41e2845ba9d9753bdb59d26576b3df5edd1b28aa9021600

SHA512
9c56da3d19c59bc5d5f1fd505dd04f4fa8f72d69b256c4d6944808b06bd2e06ab7049051932217bc5963b03f0e27ce8ad4df3c0bdf07f8e53c141f73b2115e9a

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Extensions\Temp\scoped_dir6304_1234735891\CRX_INSTALL\js\options.bundle.js.LICENSE.txt
Filesize
1KB

MD5
248e8de01e2bbb4e192fd513a6f8c548

SHA1
36a74ab7d7491090895ce2183154d268e5ce4937

SHA256
027f922a17d3a0dbdc7767b0ca494cb3c1865d5446a1969fa2c06cbb3bfa87a5

SHA512
cb78d6295aaa9c49771d6586aa5461d214443a63930c600740ddb0c8017be09ab8733f3651f2aaec627a9b99002b8f05b9166f8e74c432a1f344e0d7fdcca6da

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Extensions\gjcfnponmdkenfdibginkmlmediekpnm\1.17.0.543_0\_locales\en\messages.json
Filesize
118B

MD5
c01bda904507ad435bc35744985c4ef7

SHA1
2c298313661fef987782c54829d0f16dd8b129f2

SHA256
661505cb11e4b456a6eff122a081aa95e742b405de833106761a90193b2789ba

SHA512
52870e5b03ab7db71a9588e775b379bacfa34a4d6afa856d4b09902ceb86b8f92b5b610c4e6db164a13a8fa92241030bc110fc6688a612185902af6e24d1aa83

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Extensions\gjcfnponmdkenfdibginkmlmediekpnm\1.17.0.543_0\_metadata\verified_contents.json
Filesize
3KB

MD5
c7b3a1f1846e49de6851bc601264c87e

SHA1
9e251204f3e0bc8efc3d8e5fe3b039dd655ef174

SHA256
faf96c91765b65c8ec76c125c14fa30bf3b4eff42ec65dcf29663139aef168d8

SHA512
df4b2982cde1f34b38abcc843cceac903aeeb1624dd8a9696e5bbe69fbf5950416c85d65886b9c3b9b6ba16813b0ba026e61a8991ea08892fbc536124478c502

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Extensions\gjcfnponmdkenfdibginkmlmediekpnm\1.17.0.543_0\img\icons\icon128.png
Filesize
2KB

MD5
8d2e9f24ccdc58f1e14c1dd7ccc87274

SHA1
0dd95be46b5ab54cc437a4193d52774554cda857

SHA256
b9d1842ea885c7431161806f39889967e9db9a7f6979c2ecd4da46ac344e6649

SHA512
ec26920e66ba87e62b2e5898a42c1376f4952063a3f0c2932d0c26d9f8a32300ddb5ba7cce26827636b8d6c7e04e901dce9d0c193fd796de744919ad82b0ca12

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Extensions\gjcfnponmdkenfdibginkmlmediekpnm\1.17.0.543_0\img\logos\avira\icon.png
Filesize
3KB

MD5
75e461d8925e8468b3994dc838bfb68d

SHA1
40a05fdacfcc9f153cd3df62a95c75fe148fc0fe

SHA256
fef31cd788c1845647cb739db304cb65fa21129a93500f51d8865ce52f75a0d3

SHA512
880c83b8414bd441d20d61360b7018b4f6fcb68c2affd8b1e32b1d9317e86dda8f9eba925df31b552011d5158eee2f30970756b26b2e77f3cb91ae35c8c37cc0

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Extensions\gjcfnponmdkenfdibginkmlmediekpnm\1.17.0.543_0\img\logos\avira\icon.svg
Filesize
6KB

MD5
2ee58c8732aea4203ecb92e16e5ac68c

SHA1
f8cff9d53e57833e10ad2cb2489fb75a57ea7003

SHA256
cbd20bdea1a73d4cc506fbafb729d201d01fa08f1884f4495289672f34f398c8

SHA512
f6deeb2e330be99e4d5ac63625f7b7f2a052ef2f778c99657714245e9b2ad912dae5029e8dfcd5affc13bc4c892d4ea508db471f009d6c550030c477ee98d87d

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Extensions\gjcfnponmdkenfdibginkmlmediekpnm\1.17.0.543_0\manifest.json
Filesize
1KB

MD5
7b8640404d0ebccfda82e700b0de356a

SHA1
98acc8cd31ddf6218211f3d7f5ee2bd5d8b57140

SHA256
d8dc7982cfc4ea617ed326181b0eb60ae82778b12d4f2ac546fd394badf1e30d

SHA512
1ff978c0605820f93d4e7e9f089599a169ba18868f447a57114902955f8369db377bd4e67cac7a2d96ed7bba8e8a798f4c997a152a5a47ac81feeb5758424865

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Extensions\gjcfnponmdkenfdibginkmlmediekpnm\1.17.0.543_0\webstore.js
Filesize
428B

MD5
ff713828113f6377533d41a36bff5ebd

SHA1
7157c2333be0a6df2db2dc0c25d36738acc823f4

SHA256
60657bad3b62a195d588178203e25df302ecdb8b51fcc49cc4f628aed8998dfb

SHA512
b55bd6b59b57003785db6a8f7e0f46b2ff4db619b4ea143c09f1e456ff1c5efffa46226984849cd8da98f48c06a79a4d00edccba3b7e1d4423e448f1be001113

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Extensions\jdknegmhnomgeklcgogfmhhfaodejiak\2.6.234_0\_locales\en\messages.json
Filesize
1KB

MD5
70c7984777731215a65a737b98c49dfe

SHA1
60da2b4e5a80334aff5cab61d67fa0facc62f2f8

SHA256
fbc68d0c4ed3346ae2a84580168d43b8ce12bc97564e04131ce47a0c3328f1b3

SHA512
2609a01feb2f4aac8edb180d854dbb5c93e9b053791d2bfe9c1bc3d7baacb8fcc75c0953d7e150b2203ee1a2f4e65fffdd281bcbfc2fa29326576d7b887052b6

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Local Storage\leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
904870ee028da1ae510a6775f238ada5

SHA1
17722133fff869409539d7880bf1b7313393e3a4

SHA256
96de10f8fcd998b9b5510eb191eef138e1d285520db0330663cdeee4d93a621f

SHA512
5e9056597ff3bd9f840730bb19e1936534b85eb2793b8ad208da378e2e1efed92deedc457ba9cf23eb83cc1eb5e3838916553b9a9d5edbcf5ef39178f8474596

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
a617a4926e7acbc4a4976cc9bb2c8cf4

SHA1
aa85b0282940eb67ae83894a015eeb1110b79c2d

SHA256
cec4243b7424cc6319cf9d386691320ed880cfbed36833713e872712eead663c

SHA512
8004eafd33e2325754d96291f0fd6389aaf194d29233b6be13553d5f869662a54b1eb6ea39a1f51c0f334e39e2ec62d4a5b785e2f35517e7b892a3da82950a33

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
9a9f53b75682651aa4c77501ddcbaa87

SHA1
883404aa5c3964254df9e233171198a6062e2809

SHA256
bb2655d239e7fedd207084af41b69d36edfa8a5041fc4b40f1345f3a64057b79

SHA512
f01ee46647430a747d8c4273257ecb2c888d6bf564707a84af8e508a039f45db20e87cbcc7878f175c086fc5ab6fc69a319aeea9864e514767733be49378d204

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Network\TransportSecurity
Filesize
688B

MD5
0eef29188f961f5860faf70c496e872e

SHA1
2cab0e4b4e4ec9b4b2123d368076781fd30a5d74

SHA256
40748a0484112d02ade1eb34024681c505f06adec9a1fb90f47d70f6a04ba42e

SHA512
8d6d9cafff58a65f8ce601ed32e910c6d8a8b93e7e4fe50d8401735c607d9b27a0330fc7f61e282ba34e15a2b83cd23490b9b6ff5eb108362c864c81b71d0fed

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Preferences
Filesize
17KB

MD5
4503807cd8767278ee77bdb9d9946c9f

SHA1
ea2f206b7a4c49821e34b9031c446b87e09174bb

SHA256
d02563ca083ec4dadce036270366ab8a4a18d7071d1b7b7d0c550ae41675b767

SHA512
b1ac2aa39d3051f211f8634cfebca2734353fd056626cc648fc96376d7d8120a3c7400e2cf83c79acf86209775e7df97a17b9aa76a19c73f66a09cd14f780751

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Preferences
Filesize
15KB

MD5
82609f4e861f67cceba2a8a1076a84cf

SHA1
244c60083bc21f6c39b25269ccfb5b766e3f3896

SHA256
db5d1019c566785a2a6224397501a0b89a8445f560151ed323004474b22d9fae

SHA512
0d9b161728b227c0d478149a9b23fdcb671bf0ca1d2eb1caef9ba3eda9652b00996c5d57f262c1af8d46b0ebc8f70326968a6b41d0e233dee9dd43db3c495283

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Preferences
Filesize
17KB

MD5
9d50c817140ed67bc725ea00994b6f8b

SHA1
aac66b6648d9c65685999f6fddacedb6312a4b36

SHA256
4d11817cb82b5e27e79762f9904ca902c29aa1b6dd7a0a3e318ed0ccea211844

SHA512
3a9675cee5e41ae42b0e29a486e795f0b9b931b01ee698fe72d3f08756be2e62b7c8c947999afa087c1bd0327cc17e63bd5913b92663f4ef9d390e9417cb0da4

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Preferences
Filesize
17KB

MD5
dacd61931d35094b5c1668ff3504f36e

SHA1
d4eadb1465b1fc3c7468ebca6cc0b438af0d4168

SHA256
4c67a0fffcb5e4965f1d43e1c69961eba3dcf8f9094c7d1cfc36c3bf1f42e81d

SHA512
73e8725dd5924b4dd3b2acc33316b1175c7cf045a5f8a3ea97ac350aedecaf316f4b51e7ac82070356fc0819f086a14b7ee6e58fee6540c39447678dd33f3db8

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Preferences
Filesize
16KB

MD5
6554a4d38a3db44db897d38bc3b0c868

SHA1
2f517dc6aaf299df571d125d453b27180d8172d7

SHA256
99bdba0c6e417dc90de94864fa87123db69a1d766e734cfaeed0a882bafc2620

SHA512
3ee57e2147803896d17601bbde85a865d1378893276a929379a58ce51c251257f43f4e59e3beee21dcaa95f6150dbc3e99ae56444c73594170c63ec925eb8f3f

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Preferences
Filesize
17KB

MD5
be7c121d8014c6fffb3098d6d32627be

SHA1
5a0c3b05918c0062f76827c529f3aebfd03a083a

SHA256
5fc63955b4fc3701860fefd89783f4ae1c790ea4e8b7d8812b62f36aa25885ad

SHA512
cf615f6d7c569d67a06ca0080bc0df3c6bfda404431b033c53fef2481742047bc9e9c1eed9c6c973224f638c34882835baf13a1055448791491f6cac9102a706

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Preferences
Filesize
15KB

MD5
0b19fc3790a6d736a6b751a3eb7f1472

SHA1
6a2a85c75084cc5acd31ac15f1e894d2f6e7e539

SHA256
e99d9d19690ede99581cfb77dd8b832974fd21294188690e4cfc5b2c59573c0f

SHA512
181aaa3c4f8b8e518439194b18803878b2b819b0c37a4b94dc9435055a187e283f11fc9d34f114ac3388eb97f301fa3b123f309c07d6f1cae448256a8e5c5025

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Preferences
Filesize
15KB

MD5
c8ed2eae01b929e1f56a5f61cc26b7fd

SHA1
acbe3d0d681357b0de88be0437bf8550f11a475c

SHA256
bff3ae456fd17c8ad0acc451e6b14b5b1372577dc7e9180d8ecbff3a14e7e9ab

SHA512
ecc2a0b3abf47442b3cacff65206c0071f547439cb9ee97251dfcd066ee0985dd838223b63b966d0647f868c8b62bae60ffa2fb0978962f06bbe5e52b0119688

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Preferences~RFe605141.TMP
Filesize
4KB

MD5
27a655af6b0fa614c73fbcfb9e3c4c81

SHA1
60708ef9eb07cf7ce913dbf8fa51c1eafaaec325

SHA256
7023a888c478e79ef4b50f4ae3e34f3df8dfcab5a0a67c52e5d95703b6592352

SHA512
a663dd5eb40014b3c89faf2ff3c9efe4235311dd0b93d99ac9e19de67e13fc9782a0ecc59be279f94ccd1125168276fa9ec90173fa1ea640ea3fb006533e6d5a

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Secure Preferences
Filesize
20KB

MD5
e376da02328ab4aa53eaba44effa45bf

SHA1
88e8df165bc051e994b592bbdc54f4798bfc74e9

SHA256
41ce38763b903c1f54f8addd1a65a4425d8c0cd0a12aa7c740c1bc952bf0f9e6

SHA512
14cc3ac89ded2f24312a8d2acde3108614a9c296e602e3937694275cbe5c2d3b700af5f17a10a73e9305f8dac52ef7e0a76a44568dfc0fc77db3b89478e88196

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Secure Preferences
Filesize
18KB

MD5
e593f6fb56aeee12f33ecb3b0668b05b

SHA1
b5baf342298bef3c2150b77d9d4d841d8b5618e8

SHA256
31c3dc0c3bf9f73786c7b7bc09d7b26e1f578c4e64258da1a3eb0d8f6ef7e3a0

SHA512
4b242e4aa5de09e05962f541dfa1409e9c3cb086aff80fb0cb435f4e5409d6ef67dd2bf32c9b3f4ea379a034fbb8b73e33c27e1fa02f90076fcf43a2d4d078b7

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Secure Preferences
Filesize
21KB

MD5
492d4066a9708e2315f66335c55b98a8

SHA1
2a2e7eba7eb5762782f50366060f084106ebbf9a

SHA256
7832a75860d497365e9a25d07fa08a9d2fc823933890d70467c04e92e7509622

SHA512
b4a8e0125d511d3859e7ace9c24c6992630945ffa5802fa34503739dae4a4c684fb3f6ffd4717a61d56c1b9a2d96b2b6df6b2fe86819090f12aa9669f10d0492

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Secure Preferences
Filesize
21KB

MD5
9d0b4140cbf3023eb0023a2d00a5bc2b

SHA1
08861deac173f745a7f4633947dea252e5901208

SHA256
d12429381a7ae49c5821e210e9e0eb19db928caf150a0d5ad3131c0f56f8cca0

SHA512
d599563ed3fd8e0531ef45a03886b6551bc0d3a08e071c55fd8469e1e1af95cef98a8b9617c2968157fa83b2f80b0ee591f345ab3fbe68eb9d22fcf7c506e1fe

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
120B

MD5
67a5806438f9c5fedc5ae4f735f38ad4

SHA1
bd63d651158aef8f7aecfa49d0e5cd5f392e5f1a

SHA256
62dcc2978e69b6071ed2af61172bede9a1088c74652b02be9d119a9a73b4c5b5

SHA512
b2f5ed6a5ddfa9e03c1e6c2adf854ce7ff55d9cb30f66d7d4b38a46459b60745c80578fc01cd71eb3a09b26f791c74b113ac910d5e5563b873193508eb94405d

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
da940bd04a757702df1162a4de532fb8

SHA1
b5c7ba24020def29dfce9cf88e167852a4b29fa1

SHA256
623a32d29cd01eefb4f992b24fdb895b050646f912a1ab6b8527d33ed951bee9

SHA512
c5c56999dc28b4f250ed0a00357346523957532a104c4ccc483a68de043864da84f2dc8c64bc8efe26723a0a2fcfb99f2a4454393848bb1b93c7bf69203b3761

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
f610f02388ef4812745a087dbcf3286d

SHA1
a628ffeb087b36e6bc5c25794635b748c2b13b07

SHA256
dd603fbc2d8e591e629c53cc0c283b61135f0b46aadc9bea50a59c757a24831a

SHA512
0ffba7c89741a89c74c12a6ba104fd1c92ce2b00da0ee81b6edd5c07fbc0a081d670a220bf55f198032a39840bdddcfe1758b35dc11284659762121c0685c7f8

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Default\f84f0161-6464-46e1-9ae7-fb5d3c54f9cb.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\GrShaderCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\GrShaderCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Local State
Filesize
5KB

MD5
610a6dae9f0d57df3762792aa7f8bc93

SHA1
1ce32d314c76e22c0acb9d3e9ddbccb8e9286c54

SHA256
40357ac002d5025c78530056b5993b63318c3e706d5e9ebeb21999e17f1f62e7

SHA512
ad189ae4f75de88509f53ac2e6a173d81731e619b1eee75aec694e749cc5b3debe03630b5df234aa18f379cada2423fd007d2226bee936886b5669520820143f

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Local State
Filesize
3KB

MD5
b9330dd6e8ac23f6ec33b4a8758ac9fb

SHA1
228c5c0756a84abd2f996148577b5de16a628988

SHA256
e7570c8e88cb1cc37c73404e3ddd035cfa6fc3b5f3965357d9575dc2992e5abb

SHA512
84d846cd33b0f925bf545cac9e9dc93bad3ac3e32eb0679edd149a4cac07e693ffe16cc6ebd1a83f06ddcddf77b1b5ffaf795e49e4fa41075927f6267ab9bb9f

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Local State
Filesize
21KB

MD5
591c6933be07a0227d1eff015d4551fa

SHA1
b0b0f4f6cfc271f54fb0e6370f5f784d62af389c

SHA256
2cbe742496be6ae72129aada79f03f623e7fe59cd66842db974351fef9f480f9

SHA512
4ef83cd9f1c033e2f826802ba89798934aabb415a563e3349628236ee0ef59599cc2fe4a1a7b983b02041285e348a520f217e908e2e2b9c896c61186e98eaff1

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Local State
Filesize
3KB

MD5
8dea4aa0b614dce083defe4ddfc849c5

SHA1
c5c80efbab515d41641ef13dc33f4d3a2f7a6681

SHA256
d65862cca6a5bfead80c3b825e27ae01b33a6ed58bd6b45924a087e955b43ede

SHA512
f77ca7ebe1bdc9004b0397dfba61c2bb5198a574602cb36e7dec1ceb094487978b5a8524b8ddfb07c02b4f2ea1833a6d1050e1f38d8837190e23e06d0dbb6c49

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Local State
Filesize
6KB

MD5
6e2f27bcd131a5916dda3aa1c9e31cfb

SHA1
395706886b20fda8e693dbfe179d4edacaa673ae

SHA256
c0dda35c10f66ad67a454fe5eb6828608a6cb69d24e501ff8d49b3c516e739dd

SHA512
88b77e861a07bcf319ef38bcc9fae95e8af445ef52a2646bca01cb3bb02060fb10522e3bbd7eacacebd3e0d9a559b48b26f97bee95169adf61568d2c537f0a16

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Local State
Filesize
25KB

MD5
8bc437f0fd2aa8aeab55876a8b030897

SHA1
824f97dc736dc525aed91dfab161e0a0fa85990d

SHA256
beb34a4a3f5efccc210ad176472594846fde3b79c215de032525009ac3d07b92

SHA512
511b4c3098ea4c5915a835acad09956aab2d85c8118660681f27b78d6debc7adf52eaaa4830cef6ace786754f2655ffef725bd3e66cfd3505b8dda663b54b624

Download Submit
C:\Users\Admin\AppData\Local\AVG\Browser\User Data\Local State~RFe605112.TMP
Filesize
1KB

MD5
05ef06f3fe4aac66725aa2aa7f9b6090

SHA1
d08a91ca7c707d02ba883acd5aba98f2cce3e9ed

SHA256
cb733c650936e6741287d1c86f5a9eb2fc89b5602df79b9e0f0103d5e779c36f

SHA512
af1dd96a01211ab9642a095746b6692aebf01479a1bee8b0712149d7f026c3d344f0a46aead0e18e00927c38f911cf435fff5514d91cbb19926d9b64e9132b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8411007bafe7b1182af1ad3a1809b4f8

SHA1
4a78ee0762aadd53accae8bb211b8b18dc602070

SHA256
1f274d0d144942d00e43fb94f9c27fc91c68dce50cd374ac6be4472b08215ca3

SHA512
909e2e33b7614cb8bbd14e0dfff1b7f98f4abbf735f88292546ce3bfa665e4cb5ee4418561004e56afc5dd30d21483b05f6358dad5624c0dc3ab1ba9a3be18eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
Filesize
173KB

MD5
d3d1aff7a71e5f6f4537a0b3cbbd5c23

SHA1
82bbaa35980290986094ec5b2f33da17fe0e1ca8

SHA256
d3ac13e9bebf6119830ea38adf6715f42a193e7cc5834087abcd77bec3c07291

SHA512
9f5a8f657438a49e2b60db1372ced7edca4ca714efc63ff8791ff232d4252178b5a148a02b049f279007f095e7ac5b649367a2fb3dbffa14b39b637f1d30d42b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e
Filesize
33KB

MD5
b8b861b86bd54d659fb1473864cf36fb

SHA1
0c04f8dbbe458eab90dd6110977cea1ccb5b1681

SHA256
2e3c9510a3fc26db2dd3afbbf3050b8aa2992218782ed7aa8ed7150903363852

SHA512
6221811eae5f7ecb54c1c0b1a972276925ea52d7bb6680346b42df4174c0a0e97569e58c9dc19e882c99ea23b86c587aff2a049d0b4761db5a2a173a7572f3af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034
Filesize
50KB

MD5
cd2f3074326840d55a3c3ea1e99e83fe

SHA1
3a2e1d1a93506526ae3ed2b44d584af7771ff8d0

SHA256
9ec9f50ac6a5dfdf7ace0a047ab4e86a7f8ff297030f93f9b8b4e27c57fdaa51

SHA512
0685f7e50451e87f8d7d47f3373d653f7d6163ffa8ccd143a85b179d2c5c51cf494e8b5f7e561436c35bfb8ffb9304f0c49962a8bf7065830f0cc95281f4ae6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
82d1ffe83cfa6233ff423f7803d9ebae

SHA1
09b23ecbde69eab7a517b5d1e3aad3d00324b70b

SHA256
76433734bb880c94c9c1ea0b496896e85c1733a53622ece476efbdc718d44c22

SHA512
269c724c5b981f5f6fac0d38bc4a83dab470da75c17383386bafc5871176eecefc86a5534e066868870b8fd565f1536c24ff3dc6fcf5655694941edfb7f66d1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
696B

MD5
b87335f63158be18d9b6b804329d1ec3

SHA1
641ff0095c0356d83b673436e04f1c484543b8de

SHA256
46c008ba4f111d80af2b00a38b1be33def03ec647c886a4950b739227daa55f6

SHA512
979be1cb8aa56664dd7de3761847196450b4116740962e3f92b7341f70e14dd2d4e0216677e4ded08ad800333c50fa0b993cc277bd1e694edd3b5d41e08d9635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\_metadata\generated_indexed_rulesets\_ruleset1
Filesize
891B

MD5
d7a63ccfe52eeb58faa0f0aa441ab878

SHA1
050ad45533af7c85a5369c48e0ce49634ed62d65

SHA256
3a68db4a7ef75fa420da4db273d62feadf29e863800b584f97460cc6584d1f56

SHA512
583c464b95d9abe2ca9504f44bc3030c0698913470cf7a3890f1f9ae79b2477989b27b4f16cc9e61a991ca1af8b507eb9d4b812d766d6f1f0d2200a32d41c80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\_metadata\verified_contents.json
Filesize
4KB

MD5
10b4786a32ad01109a7c05cc33ac6bee

SHA1
be79ab930e6fbcb567ae06dadaa1e44164d91ebc

SHA256
7fef0675ef33864a51665a46415d402afca2d57ecfa6dea577090ac4a553f77b

SHA512
8e076123aac115ab39151320e1261512aed930066b3b9aa973c4a6d849805a38555526eb953f6905dd81a0631b4211bb61d86a7d2326de3f1f2a8f7fb79cf6ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\arrow.svg
Filesize
782B

MD5
098267b50a118f33b7492712af4fa9d3

SHA1
5662445b9138d268cced9ab71670ea69506e52a5

SHA256
0ec47a14edaf377afdf77304c710ca0021201cb4d815c2883fb06b0253a0286b

SHA512
15300c0637c00480416ce5ad6191015df45686393bb3bd3c75243ae60a2572b1a4d2c5d411628aeb271b73880d4f091558f39c9a68800523a77ce9f5f86266eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\attention-icon.svg
Filesize
2KB

MD5
42783644ebb2a199b3618c043b46f0fe

SHA1
c372cc134ab0970a6aaa15f529363aa3a5cb9aec

SHA256
ec38ff640365f6003f28fc3cc54d78c9883147610ca3c395edf4adcb2af91594

SHA512
7eb2e91b12eb1398d22391480574079f22a3928640be3f0d7c4e5230db5f2ef1c48977c1a7e6877f1f4e9a3a236c4410f875fb0f8006a312cb30189d6bb9e9d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\background.bundle.js
Filesize
1.7MB

MD5
44f9279dcd9c8638212aa65168587aae

SHA1
747fdc233277ae0688a19686c7ff7c1783461dae

SHA256
28f057a14e0cbabf76316f5b40379837f6051324212ece121ce9f4d19313a6a4

SHA512
6c1cf62906d6c9fdca1845ae4e272aab2e27adb0b36147d5a3874ee92e57dbaf4e2b91b9079748a2d0b232bd593c42ca3428cfa1b3b158899df7d63442484dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\close-icon.svg
Filesize
673B

MD5
5f40e7e7c28b0ca87c641ac63ca8d4ed

SHA1
5294ad201b88aeb1723748af02666c32fb7c04a3

SHA256
55cb12e3a81865c6daa066fc794e682514a5b75b6b5957080b920def6be74e3f

SHA512
c9ec2ef12853a686f31f344a8796f162964ce8f720fa2ed82bb18fa3ab3d109fb6ee9cbbdeeda67f323258dbe38b55836e238298645713c380ec33f0309d8ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\contentScript.bundle.js
Filesize
1.2MB

MD5
af98f8fb476d0006202f913a5e9f466c

SHA1
efb05cee2d8413df69da60f79a3673aa189d58be

SHA256
532c92bb8318cae9c6b86f4086be760cbf3eb98e8ea87c954d451076af2261d5

SHA512
d63a26b5dad1795432f6ea31917270d756ce421cd7418ec44346d5c057614962dff91d02702e36886b60c7b866fe44d3784cc89767e7f37fda05bd9a7fa4e82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\crown.svg
Filesize
1KB

MD5
0f77ada07f818277112ef9ea68d42851

SHA1
8dff529ff78faf8724400c3a99290794f5be411c

SHA256
c9899b5a377fb16bfd7e641092dd1d6d986ce80300d14b1eb8107d78029865e1

SHA512
ccf41cfb6b96d33ac64123482b0794632a8ddda983e03fe9ba012ae6920fa80205549e828619d95059aa2eda7379dfeb722e480b9a961b7bc57b6302a4fb15fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\error.svg
Filesize
1KB

MD5
46cb02142099310e2e7ec767cf5b9fb6

SHA1
3ab7ca3026fb8c074111ffa62fcc23cd14ce68e3

SHA256
37855a91138cf1b49ed593c041bc1c3a0531253b37d112cba8dbfac467d580b7

SHA512
a5a6825db41e1cc3032fac16b8b441fa7810c521b73d991002729a3712724399df073962c8e16b26de19810934a3ddd95ca24fffcc69a4e9d7a36aaa7c30a242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\f7b5952c19f65d316e51.js
Filesize
291B

MD5
3b290f8525d481260ca0742bea7a2bb5

SHA1
d27aa3a506aaaf18a4220ef8b923ec6c216a8aa0

SHA256
d0a50215fb62fce663f13ba0a458dac84c45e5bec7887e616a970ffe5f7e8f50

SHA512
aa25d82c4069c7431356e84f5e512e644729f2591629a51b523f987d58cfae2443000c8064827268479e21dcbadde18057d7e6361681cf608383e25cb0ca891d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\ga.js
Filesize
44KB

MD5
42112720807959d77d1be121a9fdeca7

SHA1
d7c5a43e3e7362eefe488837a0346bb350db37ce

SHA256
cbff66678e65897e670e7f990d1c2a3051be0a497b0027845a8f1cd718df78d1

SHA512
1e7043ca0d279c43512db458df9e904050ec3c6f9a82af0f3c4083384cf56ee2f3d8e1607d154c7efd863adb58cbfef560930dc28c063e76e2038ef7e37837b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\icon-128.png
Filesize
6KB

MD5
a3c4a97b3abf5c40532df4c73b6a0aed

SHA1
487bcc26a31f4545cada98e13532510784f3d9e4

SHA256
dc9ab4985526d23074e9cf2ee176e68dd7a5cd282c147df32733da083b7ce8a6

SHA512
71c82630413b7d9e8f2541bb036b1884c2e88ba5abee2e6abf79744951f1f2e65f7a3d82fb59c274ad7f02b3e49ee5fa2f20973410db3cc2ca92e6bb3dd42fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\icon-34.png
Filesize
1KB

MD5
15b14e66c46e0a83449fea81f4d0e59c

SHA1
c3512dc47f25eb700e21a04f0925aa9d6996f08f

SHA256
10a9008f1b5e61a13f2fc225e9444f17a30036f76855826ff0f881de880db15e

SHA512
c0296a9252e9ea8336a28a73fdeb6d90a3fbd13cb5699f9b90e8b2e3858f041509e8886d056b402c5444e9b36a5950fdb8dc93dd46c15a79d84e1e579b5cd887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\icon-threat.png
Filesize
10KB

MD5
d7be3dbfb6c292dc440d4f72d073715e

SHA1
cae4a585577f6521e1931d09457694e57b9389b6

SHA256
cdd148cc2f8b3d7f008e2827367ef48a2be499ae34dbd22263854cbfeba903f9

SHA512
14a80c3602ec6a50b15baa23d74e894021a733eb14f541534ce51e1b847e4c25835591a6ec821deca093d384b849491866a340de832d6fb138e51330dc833f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\icon-upgrade.png
Filesize
13KB

MD5
8f0dbfccb36007d663b552bb84db01d5

SHA1
709b15810f26fe075d1037b7d90e196f4471d574

SHA256
07b43077658e1bbc63ac5c7431fd1940f74e8231a532a055de9e2fa0ae79b0be

SHA512
064962f997821ab44b523dc6a7524b6ff21352d90fb9e13281a72ad4d09d3431173d96c71277c92cae023f91d435700169113f14171446d52e65e48b1a44f719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\index.bundle.js
Filesize
1.2MB

MD5
16de618d2c0474f8969d7a0ce2743b56

SHA1
233314e178d535efd3741d0f45f21331d4c78b4a

SHA256
81bc4bfa601d60f538209269f723095b6ed09c018bfa17ff8213667a3c214f79

SHA512
8eb76661b4c6de87d06fbec58de65f7fd34d52c5229eb0f95f5ed04ef2813b41fab7b377b4b31ffaefade600fc902013eaad727c939b5092a1db7ef7512a4c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\index.html
Filesize
209B

MD5
644bc248701f10eba7379e5acc679f54

SHA1
683967d6da88ed1c3fdda6dc6f2706ee6e6a56c8

SHA256
c5ac6719d793831017595726a81f559b5dd5879c83be0ac3f3b526b63ae27834

SHA512
9ad9a8314e306e1cd315e7f2a942a58a4e21f5714e5c38ececb6c8ce7316c54dd454e4d7dbad3591e2466af736aae2f2937157b2e4da8a3e2db6af7a406c1044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\info.svg
Filesize
1KB

MD5
59e2f9e145b1500bf20fe634eacdb14f

SHA1
8b30ef06bec1cbd4704e156f2a7fb01803d9cd8c

SHA256
69739b12cc11ac6e4b417061d3fb46f63cb070a756fa55463ef018ac684248a5

SHA512
fa125384590c831b85f4454a80ffa60fa9dc70d2c95ae4083e045a0cb8ba64a5bf7d3093e8a29fbf1c798ecf777e08824704d9f52523e2453451c8877042b9fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\logo-blue.svg
Filesize
6KB

MD5
acc37544364375fc67b44f027773c94f

SHA1
3ea1628a0c300ddafa885e6252e76cd18a952355

SHA256
8c05fe44d139e67155501cfa73c8ec7d683dc0fc42d17869eb8c2e28c8072d5f

SHA512
178a6bd3a043546175468957aa14dd81f2fa8928d6fcd787eb4a5bcc590557bd2a0cf376f5b0aedc7f5215337d5d9ce2dc8b9e4d6bfa66361a2cdabe815fb2d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\logo.svg
Filesize
1KB

MD5
79dc69752523d731883714e3d51d6d16

SHA1
c15470643c25d72438bda071d8d5df58ddbc7303

SHA256
d62eec95a7286d7b6cec70d640c8b768df6d8658d2f1f977e8abcef97be5bc30

SHA512
9e47e7736b7aab80c0314db5bf7c1e6dab7b27ec05a9b522161fbdb4b08af83c6d5310d8b20e08a69c58af5168507cccb10cd3ddc3e8be6302bf69f48f1ae6f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\logo_with_name.svg
Filesize
6KB

MD5
dc189aa64e1d244cf28b4ddd204becdf

SHA1
507ca39a86ef82c91bc197f354e61525bc2511be

SHA256
736e277722534f42169b407dba838cec5f1c60cd1304b43960728dd2ead9c7cd

SHA512
f748d6e00ffa406662bdaa2df9f824b89a6624e569ffcf6c358458b2eb35853c6f8c61f9a24aa7b213c3a1bbedae224e9c4fceaa2c7f980c87df101de9482fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\manifest.json
Filesize
2KB

MD5
a12f3717c0ffc626c8b4d91186d9fb87

SHA1
8f688d00a4de134795a74d154a667c2050cdd356

SHA256
73d5367fc25a4c1dd3f82ccf16b2d2e6bb83ee773343b133a33ca94111e63b8c

SHA512
630f91f46594f94745e3c7e253872102d0d6836eab9752059d5c6fd4dcda4561c53aa46f5034aea9da595d755160c660da14955c2e368530f2d81edd4b9f3750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\notify-green.svg
Filesize
5KB

MD5
1503fcd48753ef06358170fd69445e73

SHA1
d6f3a2aa835e4b2c0be04075613fea41d99b9d35

SHA256
88b203a1112d57e623abedf9e10aa6a5e972e5b5c891c2f11aa5e34127be3fea

SHA512
2f44e802d4f60b358fb12834df1fcb0e62e73342a5344931e4a791b65b90c4d6ce64e3c198dadd6bcddf4845337c7d1f34254940a48f63ce682032cec89fbdac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\notify-red.svg
Filesize
4KB

MD5
6589532a5a3de2654ee22d784c71906d

SHA1
682235fbc6a2d904aa30b6a2672a5587396b5a52

SHA256
4ed932bf6f3781667a11379b365f009ea8a4d6562a3c88f807700c597c4fd749

SHA512
e22f38a87157103b2c2d4f0a86f465dd9de6a49dd06b92e6ae9b8d11eeba283462dac0565a82b2d931ebac06ee484ef9171e8027209d84d76816d09ce516ee3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\rules.json
Filesize
939B

MD5
5736d36e31b7bc0d59788d30260281ea

SHA1
c2810c0335d1760d2ab337db349c362596df06be

SHA256
79ecc25acaf4d184958e339a9e48a1f0d187f82a676843dc6a40ff907e1853f3

SHA512
046686a280f60d50791ff8bd13989ba4bf058f402bc3d45c3688bc60e8ea91e6e44ec3ae8bf66f1e47b66b336ea8b0f70f20ff1279f6dfb377d662d633296c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\segoe-ui-bold.woff
Filesize
19KB

MD5
52382539737f4e9913e4bf6b9966bee3

SHA1
d58d3dc5ff86fe8ff594134df53ea9b8074f6bc6

SHA256
d711a54cb4822ccf7926b1a95b7a43107fcfe8ef99a817e6906a1063657c7b28

SHA512
55f1767cfb589eca775f2849b975d8311295951f8e457be58de34983531961ce4fada3a856daed8d7cd712bd8b5fad53ceecf438949deaafb7d5cb87114ecb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\segoe-ui.woff
Filesize
19KB

MD5
9a2931180d6b1dc7b33052657eef554b

SHA1
77b8f3cb5410c779206782a310990c19af2b02ca

SHA256
f424915a692bc5a458d6e7d9c99e4fe0cf5cb8883bd3516b01d4fef5da8d3663

SHA512
e839eb6fa727c6a604da142e7c823c5d8b7d8e33b3d19937da7bc1948c32893b08f0ace35c020e391ab0a9694b479b28282024c3518dac995eb87fd7aa18c631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\showPassword.svg
Filesize
628B

MD5
d6a7937f32947117d671b97a99ab717f

SHA1
960ab573d0aaa25469628597244af771a393fa06

SHA256
68a365e327774b2d276843aa1644580f451b848821a248feef3eedbeb8197a99

SHA512
1ae80aa857bcce870940ac3e2a679cc8380344f88ac080ec007eb7f251100f93911cf13311abcda532ea06e053f4060e9b7329503c587582ec846cfe9c6468db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\Temp\scoped_dir4976_911350478\CRX_INSTALL\spinner-white.svg
Filesize
2KB

MD5
2049676c09dba77c3ee0636c83dd8983

SHA1
a0f3d9acfb36cee004aa902280ad84aa81372cc9

SHA256
99525a8a9f0ef0d6d4970bfe07cf79c75a89453cdfcb5797f57c7b69ba0504de

SHA512
0acb6438a22c77ed99896d5b6844f149e2a4df4b62a1b399df39b15854308193e69dbcd9c53860f53288ef5ea86f15e6594cc1c4231fbdd2ecc1e19af24d5cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
124KB

MD5
dc4e2d5fb0438b42468607f8a6ff8642

SHA1
f77e631bfb9ef1df4c47fc14b6a4685812ab2ec3

SHA256
98d5baa39144c21ef4e807afd23d59cf3b160f9cdee285aebfc90a7abe12f23f

SHA512
f93cd0ca2d3ec16176869599e3945e9a8eed298f1567998db6fe2fa6b61b66aee358f0e5daecedabfe734a9ce3e1f507ad3e24563b3432fefeceb3eeb987d82c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
0dc0f324a3affcc314dd8e960eac7a6b

SHA1
55bcaf8d22e350a3a5b5e660de539f89c3e35955

SHA256
7e40cbafdec72155ebfd22ac36f70030bafb1d3f57a8b6e511612adb1fc75ecf

SHA512
861f8110c257d51c9e93cea86163eeaaf736fb789d41e36f50046ac416ff4db4f25e024730c8225960db9e90e1b43c4fdc39c0b5fd4c7a006c50141bb61fbd40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
2b3e0bddc5e66c5d24139e94b885ec77

SHA1
7676ddd5566295decdb76b5cffa6c24d355518b0

SHA256
33c1a8bae0546f10a6db3cd33720d8c06fe5b6dd28be1582c2e54ce2f5c07157

SHA512
b7bad1f63f99305e0db7fdd10c0b8069917ad0287e1834ab51917a731cfd29e9a251e1c0c94c2ecf7cb67fca4057480b374e2d6bf973024176d67fbe7a5f1525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
c8b07515e0418691fe93dd5fa3ade54f

SHA1
a7d97683ede021f815e07cdd85708cf4e055d0d2

SHA256
c05742e543504eb218d13c5df16a06929ecc37294dc534ef96b19c516c754730

SHA512
13a7ed4472f6f5b7165d4e8d261b09985446a96054b5f7277920893ea04b0d63291c37295ee3716a5db8a2392e4adadc10270963e440cc97d91a0fbc7a83ca17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
0261ecfcc46e4364447c346988097502

SHA1
a4e04540eb9b0a9713a95c0b40cccea82fe9bf87

SHA256
519c3de83297d344bf87a7a12d9b351c55f29b91d3fc03f5ee3ba399151f6554

SHA512
e27a18d1ba227d771029f20f1603ac9615fb1c5b7fd075fa48b1458e63fbfc7fe558e295043d59e0736d3efdd5bc1af91b01a1fe377215cb06dfa146ec42b3c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
e67b1f8663ebe2cdbd6c67859085858f

SHA1
37f5d34fc9bddf2f64141870bf835721874bd671

SHA256
754d9364633df241d60bd174c78c841f6da0fe8ad8d8be82f4733ad279ae64c9

SHA512
36e1ad03468f6cebd19ac78818215c5741775b675165dc1602011cf8d9b960b4314ad9020f78a261b6ebaa6c3c7d0826679f1166303505784687ff24d6515185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
e67b1f8663ebe2cdbd6c67859085858f

SHA1
37f5d34fc9bddf2f64141870bf835721874bd671

SHA256
754d9364633df241d60bd174c78c841f6da0fe8ad8d8be82f4733ad279ae64c9

SHA512
36e1ad03468f6cebd19ac78818215c5741775b675165dc1602011cf8d9b960b4314ad9020f78a261b6ebaa6c3c7d0826679f1166303505784687ff24d6515185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
3e3f18c029d046b95cadfdee4da17c93

SHA1
bc9c6156c267bdb7ff1cdaa882bc1f342a009258

SHA256
2443641b5b7fc0993b599428dea656a6bb2563f8a392f958780b7716f8f61417

SHA512
363243e2e8e80332c75487bf9104491197ba21b6e06ac0bc52501087035fc001047945fa98bc1f8980d6fc0310cd2c5a65bf8747ca2b95bf580f4bbcc6516641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
2384174bde7f918dddb15664ddf70ed1

SHA1
b78136c82bde4b155bdcbbc6d04a5e9e166eb1b3

SHA256
1acd24d147926b9d344d564d48c71cbd7c7406c0f39030eaa1f43bd962cc9f6d

SHA512
b56a4002925422024efb241f039ba2b7950f2444d0bb4085ace849cd925432cb3c38d2d43a34eaf6f39ae0aaa8c4cf7d8b8c05e46791beec6301bb47dcaf2b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c73e9bd39ed55d9f22c13392e29f924d

SHA1
95ec3608cb94eef96133fdfd62920ce5338417b4

SHA256
b16f56bd62e1736e3e680541b9e683f4b0c724671851c33d70bd20e74d9e1e2c

SHA512
a6f9034e401dbc0f4bb3823d4e73a05e1bb44fc749a3185d14b2927b2dd29ca443449d059b6246c3e6cae7940cd2525816e73516d624e10bb48d4cdd53986627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
7a6ac400174cc30e3c224de8c73d98fd

SHA1
8caf0599a40355a56381558e4a1996b8ba55e2bf

SHA256
0a11da4cb3e205dd8fbb8c6648166258816ec1220beb64ed099c7957ca7fd711

SHA512
cba54837218c8c15f7d1b8409763018e6360cf5b6e4d009518307bd21f4e8eb352bc20f5b6abb513f4b146c86fb28a514af3b5369be8c6fbbc8f36875010abc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
54864fc0acdac0b331d81f26eb74ed21

SHA1
e82200668cb76c2b3a0b054ca1f8ee93db6e2474

SHA256
e9396131f55ff8c25c41b2dbd651f8c76f108c8bdabaf01a235716f572aa01af

SHA512
cb746ef4714795db445656b65b9dc7f4b3916634dba95a5dc2aecb06f11c01942f99785190d282a262b0750598bea082222680c7e8851c1ce54f4902024eece6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
dbf4a29fc6fdea59efa975888f5465ae

SHA1
b706e3dfe3b8eb268809635f6fb628e4c95f057f

SHA256
f7a9378b455fd23a18b0eab4a4a601b8504ae96aef643d161de0253ce4a98164

SHA512
2ee4b79ea9e948306eb7c1c5f56adc8e6ba632299592335bb44234695a201103936b34acfcd0316b146b7b44286927956cd03e5e4f4143730f579dd0bfb4447c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3c313e2347b6ad664c18b6158d7f409e

SHA1
b68318bd94084a6a39bca8afbc5a5394678ad9ec

SHA256
c2299e2b5a43e77dff417d84ccedf976aa39a686ce5e68eb0b9101bdc0be3bd7

SHA512
880a911e468701698ac6315e872bc28146fff3d3f62fe0da2de71d41dc4bc786fd779e79898257191a8f52b81e3560f4255d9b6135f7412be0fb9f0784096f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
d0c55fc64023cf05e37b63e8c756c326

SHA1
af6fcb21cbc71ec2e7dc59904ea80784cb930737

SHA256
511a16870cfa2a1cd1893b5a409318c62494369ba8a7d53418fd5212eca96a80

SHA512
cc7993495fceb3985bb6d6e7e7f721af5d461d755336a3cb24761f5ff347fb5cc9ba4269cf25b24782d5e1152547f4e7fa5a2c17247ed3fe02867b0a5e9c9c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
8caf4d73cc5a7d5e3fb3f9f1a9d4a0cc

SHA1
83f8586805286b716c70ddd14a2b7ec6a4d9d0fe

SHA256
0e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c

SHA512
084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
8caf4d73cc5a7d5e3fb3f9f1a9d4a0cc

SHA1
83f8586805286b716c70ddd14a2b7ec6a4d9d0fe

SHA256
0e0c905b688340512e84db6cf8af6dbdfe29195fefde15bd02e4917a2c5fda8c

SHA512
084ef25ea21ee1083735c61b758281ba84b607e42d0186c35c3700b24a176ada47bf2e76ed7dadd3846f2b458c977e83835ced01cda47cdd7ab2d00e5a1a294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
8423ce04885846b503a826a41c3f183f

SHA1
27df65f25eaf90c4884126d0b8d1e3e0a1f4ad63

SHA256
125c084364d12f05d315f7f5328e71851519502be3c46b75d5745c5d53acaa00

SHA512
212f6299ee3acb8c36a00c6e39c096e58cbbaa2aba692e64d896526ecacf8aee74291f76d407fc7dc85799a41b5ea3ac7aa7fc9d915ab3dd9f832b86523ee3f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
4916850aaeb020a54aabf4dc0e9cfa89

SHA1
2b91a096a359a18d1a49f416c55ab2b5cf6c72a3

SHA256
52f566fe3ec34080354eba644967e3eebb05b1ebefc332cadd9d86316e43f2ce

SHA512
0f434a4e1ad901502dea699a3c2783c695e74b9c158fc272f0ebbda464e49082a121a01934c6c30f024e316acc6811c4728aa4a392399594f95cee3b638f64b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
7a11e4b9e4bfc4377f57bbc07515e67e

SHA1
f1e7bec26dd316dced9abef25e1bb34c95bd0b0b

SHA256
bdee7d4444a154cdcac5cdeaff850f8c4f6e98a40b37c232bac5cc04617b5279

SHA512
c8609e5e7f92e48b6070fbdbd2a768e006f89ed78100ffa28fc113ada5a28eb2eb2edf1c4ed689c487fce146ce6781b8ebc0ace1f6ab27fa5039836dc47d5023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5dd99a.TMP
Filesize
1KB

MD5
6a56370fb1733915b7ca528dbc6431cb

SHA1
86e30b7ea7f728d6987824cfa0b98156bb0fe528

SHA256
2392296a8302cd6ea38a0532bc99036403694ac1ddf69bea1dd82322660da2c1

SHA512
bf313e588f7d559c64b020af3b790999ed8f97316c4d9ab6145d2d4943550bf58cf1b2c2dd73bc25c8bde5303633e03227913a068a334f06286fc0034f9a8876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
2c4fadfac52e537afa87c17293b56a75

SHA1
40a7c87da63e55573033062fbfec7be7f906c204

SHA256
ca09d6be253d84ff046e99c912de8a52c42c4ea6598574b761929a7b223edc8d

SHA512
89ca2e07c64a62ea7346be704f81143e292427050e66551d8443ce22ed06fe8fa8fd2eb8a8a4c87fdf1924982f50a5989075f1bc0f45b306e1961550bc8e63fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
42b0c61e988f21fc12a10e1509b97062

SHA1
3582cf39963a1de76a8b911ff0365454e3cd5381

SHA256
3dc227b4eb1e0f392adf9cced798b650fd519efe74184d95d2cda8873834a60e

SHA512
815a238370351fbdb5c9e1ca8b99f6a34257ba4a11cd4955d0061863afbbb964e9103613e711586aa5e177a108a9351b8ac0f5eb776f2eb2d2203f0f7807fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
a7e2c597c5f5403ad2c865419b1dccbc

SHA1
1abb6917a1662ffc4b4772c7b6e8f69f0a6c43f3

SHA256
46c9c225e3a9129f26c909a8acccd5d802fe3ae8ec26f92b45603bd1b752bb21

SHA512
5970a1505588d8d09f8c1680aad48a656e2a7aeda6366dcba2a40a6048ff43e91bce220ebe36d7fe665430bcb31eae2d0ffc578d75d9a5e6fa8fb78cb5e025ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
c3be0c82c2331cf6e54dc2a426f91bf0

SHA1
eac5f2c4885c003619af450dfece4aa299695655

SHA256
265926ce04a9190fd54fb6b74714e1c45ca8c505e04ece576f8b7a202e3a95e2

SHA512
0c9ca684c97dc3378e5525b0a81f92001411671374699f2055e3982e642587cecd8c93848aa29def935efb7b354f1c3931ddb9e22c0c4756dfe6a98c807dc286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
61017756c214f43074d223d1973cb718

SHA1
ad6c795f24ff43e7af9cfe73869b40e58a988346

SHA256
44bd375a1b42d0f8f355a0808366648219f4e392e05a4267382d09cd1f7bc071

SHA512
4323356549b336b81a773ec5ee0910a705ab37942a6844ac46a4ec51e4c64adc221920ce08916b884feb4baecf1bd1c60e0b55fad10943add3fdc1575090e43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d9239b3-5e56-49ee-ac53-f11294cf02c3.tmp
Filesize
17.8MB

MD5
85aae2dfddc0a78d5be1e9bd6b4142bc

SHA1
6101c4b8d9878ebc297620be4e9db35e03a3ff15

SHA256
31db24633019e20bc1775fc67bab6054d93b745dd5e6a626af7072f743398982

SHA512
4cc95dbfb4fac7b81bdd50e5b57157828f55c798c17116f228751b69debaa32785c4e9905891c30236e32dd8106c230ad438fef0d1a2633b69868aaeb1f2ceed

Download Submit
C:\Users\Admin\AppData\Local\Temp\41qqitew.exe
Filesize
1.8MB

MD5
02b8c8ab23c9cb720c673576783308d9

SHA1
0fb36aa632d8e5d66eba75e8a042ab7be8a5079a

SHA256
241bb078c0d6e5108fa6679eda414c5fa7ee5d8432f03bc1d0e07fd4a17d8b38

SHA512
204a57d0c18e0020e8965c723642819e7127d641970353497cb1ca24b11951798aed029bc11324d22a48229dad57b26b733fa50c6589011d77d9efd44e48b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\41qqitew.exe
Filesize
1.8MB

MD5
02b8c8ab23c9cb720c673576783308d9

SHA1
0fb36aa632d8e5d66eba75e8a042ab7be8a5079a

SHA256
241bb078c0d6e5108fa6679eda414c5fa7ee5d8432f03bc1d0e07fd4a17d8b38

SHA512
204a57d0c18e0020e8965c723642819e7127d641970353497cb1ca24b11951798aed029bc11324d22a48229dad57b26b733fa50c6589011d77d9efd44e48b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\41qqitew.exe
Filesize
1.8MB

MD5
02b8c8ab23c9cb720c673576783308d9

SHA1
0fb36aa632d8e5d66eba75e8a042ab7be8a5079a

SHA256
241bb078c0d6e5108fa6679eda414c5fa7ee5d8432f03bc1d0e07fd4a17d8b38

SHA512
204a57d0c18e0020e8965c723642819e7127d641970353497cb1ca24b11951798aed029bc11324d22a48229dad57b26b733fa50c6589011d77d9efd44e48b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fd6f1cb-23ad-439b-a120-421470367522.tmp
Filesize
1.3MB

MD5
aeab1dafe03e7894ba01726dfe291228

SHA1
bd29fdae9fa8b16e3210b19ad8194594bcf00f98

SHA256
1343216d3863a4ef1cc30c093af75b759ca63bc7fc0e0a4e6d1c353d6c6b380e

SHA512
a667eebbfe8af22c7e7e72e3ca7571b2d120b3e482c9950652224f24d8d502ad8177e74945be1ea28cfb269508a43116809bbe5469a19f472a4b8b9795e2f5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\53df72c5-71d7-46d4-b4e0-eb25018b8ecd.tmp
Filesize
841KB

MD5
c61389fca2661443d4e9dae09b66a40e

SHA1
6fd272b175126bff11eaee0cdfba06d116d61d1f

SHA256
e12ef168a0182030e4ae9b546e511765b4edd0563d777fd3bb304fe8381a1f35

SHA512
357970c1ae7401e3e70bca12ec33b63841ad1afbf617c95b259fae0283ba556cc8535d001f4268cc5722f2ef0cab587fdb97287429907dfcda848fe8322382dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\df2642fd-5d44-4dcd-8a2a-6206c2d3bc7e.tmp
Filesize
2.8MB

MD5
f75cbfbb5eaa5f46574955ed6651da78

SHA1
4ce276c03898e57667b401761fe1df5f11304a68

SHA256
643962e7cc16bb8e9edbea5f05473764199c7179d06a65bd88a0d101d1d5a9bd

SHA512
287847c5caae39fc80e90ae105a5fb0c9349f402872721c599eb9c9ccaf171437879f0ef8bdeae923bf4520befa316b60acd3e975caf8496f05dad24e1b34e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\AVG_BRW.png
Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\AppUtils.dll
Filesize
1.8MB

MD5
43ce6d593abd5141a3139603f352ae05

SHA1
a97c75e23d275dddfde15ef5fdf3ff3253c0992c

SHA256
94e874f2702ea6be50e7d74864b66e7f763449c3db237803f3fad6adfd64ed3d

SHA512
bfc527529e5f73ba190dfc5bd043175c7e2ae963b665d6d39421c29e025020f1d593dc88b7bee33d86ef6b4f7a4c5e1a0339df4e99cab6849a275d1dda9f439f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\AppUtils.dll
Filesize
1.8MB

MD5
43ce6d593abd5141a3139603f352ae05

SHA1
a97c75e23d275dddfde15ef5fdf3ff3253c0992c

SHA256
94e874f2702ea6be50e7d74864b66e7f763449c3db237803f3fad6adfd64ed3d

SHA512
bfc527529e5f73ba190dfc5bd043175c7e2ae963b665d6d39421c29e025020f1d593dc88b7bee33d86ef6b4f7a4c5e1a0339df4e99cab6849a275d1dda9f439f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\DimensionUtils.dll
Filesize
1.9MB

MD5
ce2dc2cc12aec529511da19cf63ba802

SHA1
5b45c33a34df73920077f546176a3aa96df0f80e

SHA256
bde7cc0193ad2fbdfa9f072d9003bf1c82cd27e027b2e038343514f8cc8ee6d2

SHA512
98b5017e437b05639238b63bdf6cccdea7665f3fa0c55e87e8c7139551c213b1a63d641d588b950346ec66bb03b4800dc4e3dd4c60f80e0e76779b1ba58d2be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\DimensionUtils.dll
Filesize
1.9MB

MD5
ce2dc2cc12aec529511da19cf63ba802

SHA1
5b45c33a34df73920077f546176a3aa96df0f80e

SHA256
bde7cc0193ad2fbdfa9f072d9003bf1c82cd27e027b2e038343514f8cc8ee6d2

SHA512
98b5017e437b05639238b63bdf6cccdea7665f3fa0c55e87e8c7139551c213b1a63d641d588b950346ec66bb03b4800dc4e3dd4c60f80e0e76779b1ba58d2be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\RAV_Cross.png
Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\WebAdvisor.png
Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod0.exe
Filesize
44KB

MD5
f167f258f98e3fed98fb91e2f99c504f

SHA1
c11087a9523988e7e6a5d557c8db275fc876cc9d

SHA256
aef94c8b474bbcd53c02c88fc55790879cd399a91c2a5dc5f9a3f369b239d33d

SHA512
8e0bc5d26f0d6f62e6209aae2b1827eff53cb22b606e66f3608c9c8bd64db909ba871b213802ac5eec28bd6d8b63d2d884c298b9532c1ca204e9dc1ec552e063

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod0.exe
Filesize
44KB

MD5
f167f258f98e3fed98fb91e2f99c504f

SHA1
c11087a9523988e7e6a5d557c8db275fc876cc9d

SHA256
aef94c8b474bbcd53c02c88fc55790879cd399a91c2a5dc5f9a3f369b239d33d

SHA512
8e0bc5d26f0d6f62e6209aae2b1827eff53cb22b606e66f3608c9c8bd64db909ba871b213802ac5eec28bd6d8b63d2d884c298b9532c1ca204e9dc1ec552e063

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod0.exe
Filesize
44KB

MD5
f167f258f98e3fed98fb91e2f99c504f

SHA1
c11087a9523988e7e6a5d557c8db275fc876cc9d

SHA256
aef94c8b474bbcd53c02c88fc55790879cd399a91c2a5dc5f9a3f369b239d33d

SHA512
8e0bc5d26f0d6f62e6209aae2b1827eff53cb22b606e66f3608c9c8bd64db909ba871b213802ac5eec28bd6d8b63d2d884c298b9532c1ca204e9dc1ec552e063

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod1.zip
Filesize
541KB

MD5
d6be5546bbce27020b742c5966838158

SHA1
7e9e355995b2a379f2e9d39b7028bc1ad27ca8ba

SHA256
49082ef6e5b8ceac180171309611eac88dac603684cde04e3725945a6722bce2

SHA512
c6c24da7f2d1ee3bc29e37bbb80ba68bb963f3d16a20eead4cb77e9c370a1cbb92a23073335dc4f1cfa21dc175419343045de6b4456165a256bf62466eeabd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod1_extract\saBSI.exe
Filesize
1.2MB

MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod1_extract\saBSI.exe
Filesize
1.2MB

MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod1_extract\saBSI.exe
Filesize
1.2MB

MD5
2c5cc4fed6ef0d07e8a855ea52b7c108

SHA1
6db652c54c0e712f1db740fc8535791bf7845dcc

SHA256
60410875199ad0bf34cd8402e0cc9151caf919fe98eeffd7056285e7239a3474

SHA512
cd8622cc38270caaf90ba61058a80d5554700dcfbb05ee921dde9aba7a1d6a068f24e73535baf3bbf4d2cc63d84cfe362cfa67df201b401d52b5af490610b0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod2.zip
Filesize
5.9MB

MD5
7b0f6e9c1e607427d0f180ac4f08eba2

SHA1
9a62388895b720575580ccf2667d633ed9bfca34

SHA256
c08fa28109da1394f039971efc2e8edf7a59413138dd8a62d26e456e323e6aba

SHA512
124f70961ff4aace95e60ddc9e3e3779492dabdc04d4b75028c3e6c308e77277a69041d97ee3a169e9d291c2e73f94ed2efd85ed4ecf8e572e6f09aad5e71b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod2_extract\avg_secure_browser_setup.exe
Filesize
6.0MB

MD5
2099532cc61484aaa604e1a05d02a3a4

SHA1
45bf61807173015e39dff1813c3d8f3cc4b47bea

SHA256
ef02cfbadc8dde416cd03fd856919012896e652fecfb15a9d1b07299138b05c9

SHA512
a71508d95d84c1f5c3cff98fe13451b26249bb462badab275beb715ac9bdf9715402e422702fc7f33f510248d171336575cf82b8c640288e665025ae3b15fd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod2_extract\avg_secure_browser_setup.exe
Filesize
6.0MB

MD5
2099532cc61484aaa604e1a05d02a3a4

SHA1
45bf61807173015e39dff1813c3d8f3cc4b47bea

SHA256
ef02cfbadc8dde416cd03fd856919012896e652fecfb15a9d1b07299138b05c9

SHA512
a71508d95d84c1f5c3cff98fe13451b26249bb462badab275beb715ac9bdf9715402e422702fc7f33f510248d171336575cf82b8c640288e665025ae3b15fd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\prod2_extract\avg_secure_browser_setup.exe
Filesize
6.0MB

MD5
2099532cc61484aaa604e1a05d02a3a4

SHA1
45bf61807173015e39dff1813c3d8f3cc4b47bea

SHA256
ef02cfbadc8dde416cd03fd856919012896e652fecfb15a9d1b07299138b05c9

SHA512
a71508d95d84c1f5c3cff98fe13451b26249bb462badab275beb715ac9bdf9715402e422702fc7f33f510248d171336575cf82b8c640288e665025ae3b15fd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CRMSP.tmp\side-logo.png
Filesize
29KB

MD5
06b0076d9f4e2488d32855a0161e9c74

SHA1
7dbc3c098f7fb1256aeca79c256b75802b5fdd69

SHA256
929243f002eb4209a9e68af6744a3d63ece2b173c910a59d6752536dabf3870b

SHA512
7cecc1fc1c13f97dfe1ae7592918c9df16233851a8dd667ac2199b92fd24410a6ef76acfa014cd00aad2d27dfe2887f41100563cf2240f720466dbebaed0375a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IAD7E.tmp\Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
Filesize
3.3MB

MD5
36b37e0b2ce4747ceac6f895ec3e1660

SHA1
1b961ff51b855a48626bf03326ac08c68744b3ca

SHA256
d189b03c957346c8beee98d3f2b1956381eefb67e7818b476e93494e28acd681

SHA512
ac8a2797769743106631a2aa8f36940ecad11c6c91ac8e86d1a846ffeb3005a3704ce1401290d9dca54b859a4c5ee261c8804f7b7e8d59a01047a3e1126d150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IAD7E.tmp\Precision Targeting GUI - Linkvertise Downloader_Zi-4nB1.tmp
Filesize
3.3MB

MD5
36b37e0b2ce4747ceac6f895ec3e1660

SHA1
1b961ff51b855a48626bf03326ac08c68744b3ca

SHA256
d189b03c957346c8beee98d3f2b1956381eefb67e7818b476e93494e28acd681

SHA512
ac8a2797769743106631a2aa8f36940ecad11c6c91ac8e86d1a846ffeb3005a3704ce1401290d9dca54b859a4c5ee261c8804f7b7e8d59a01047a3e1126d150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1709.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\97faebdc\5563a086_49c4d901\rsJSON.DLL
Filesize
216KB

MD5
df8d7a97dc83790390d9d7aa4e680633

SHA1
a4d9adf4bb7747c2bc5ca420a67b5dc06a2df5fa

SHA256
b6dcbff7700a5900c2e6aa46b0584c6f290faac82c373fba6fd574c157c381bc

SHA512
05b918baa972dd1889e5e67c329c6c8960854b60ccbdd623973b361452f52cefc7b0096079c6510aafea2495d59c106bf44f98d8efebf5b7827dbdf122a120ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1709.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\c4753e72\5d9f9b86_49c4d901\rsAtom.DLL
Filesize
157KB

MD5
6a8559715305276683febc180e20cdc3

SHA1
1925e950450502bf4639affaba96cbf4eb7bb575

SHA256
2957a360d9692d7fb2b516f5e567c93be9fd32b0dba7b5009de9568888567817

SHA512
eba2971da49c5f5992120b15fbc5fa1b82884479d4f809677ab8aa504b33c07995d2cc53c34b8e26cab79c5768a9d660a1c975854f4b772db60d49873b01e0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1709.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\d647e5fb\5563a086_49c4d901\rsLogger.DLL
Filesize
178KB

MD5
b0d5abcff05912b4729eb838255bb8fb

SHA1
6fe88a4f5becc8a3b8992483ca49818b3b853d84

SHA256
5a4380d97b3b419b38b32e723f52701f3b09d7d6d2774b309684e829c1116322

SHA512
cfcd090f02b56d45d47349143a125232267976518fca1a3525af39fa72905510b1e8f06396da1e5258a89ae8568bbf4adaf2586194c54b3c16bccef06e1dc1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7262.tmp\System.Data.SQLite.dll
Filesize
362KB

MD5
7d7b0c1448bf2d8f186efa1f11d62af3

SHA1
4f330fc18e367599e00557c19f43e45cde490314

SHA256
acc70d214497f7db04a9867ee49e46d7417fab103cdd81277092ce9086d8cf38

SHA512
2facf94d77f35af19cff5b37d503a7d4198a4b7e7100f71ff1de14c4589450e5936db82052b24136c43b2560b53f4a1495ed2c5c4d1c79edde27b8e2291d0d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7262.tmp\System.ValueTuple.dll
Filesize
73KB

MD5
b4f3c3fea554dc48a945cfe172e9e72b

SHA1
cb163ab1c8876ca1ee93d8a8759e1e8d4ea2d329

SHA256
798413449cc1b6817d4929ee92314020fdc7f918eb937f6f2cd2ef66c846eb9c

SHA512
55484c9697caaa624e150cef5214f70624d561f52015d4867cf6b80145073907592342e9273f9dc6c00e4e8dfbfabf797484ab8b0e831f197ad859656c53e67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7262.tmp\rsDatabase.dll
Filesize
168KB

MD5
d6e488f7f51f0ba6b09fa0644dce9634

SHA1
fea825cf27482723ed60137360f7405a599e464d

SHA256
b33ebcc105d10a0ec67278f1d3e40cf7db822d245014ddfa3a55c2d182df7f90

SHA512
bc415f7bbffa274511fe79116a54a5a1928569d6339562667f5a6750f65717e620c001cac98eb7f14719936d5941228a88f34177ac799416c5609f458019e71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7262.tmp\rsTime.dll
Filesize
129KB

MD5
ec1463c2e6b81a7d40d1742dbdca5fd5

SHA1
89f1e825fb55a06a25d8cc617691d8933612df4b

SHA256
f177e0dbac322124e27932b57e35cc236259eec0b90fcf99dd70755e4eaffd85

SHA512
873189e15a3e567bb1b286c94f9f48731750214c2ff88fd10b53a212ea935551b9c13a209e1635192be670f9bf6286270f2c759a22141aa7aa7075e0af90e0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7262.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\5f3ae118\ec7570c6_49c4d901\rsLogger.DLL
Filesize
178KB

MD5
042638a0a67afc67824c3c2b7bf05b06

SHA1
62627b2e5959c90db8c829aef08896d35bacfe4f

SHA256
b051b6fc58de06594aa522090f3e5b35d71d54de7691ed116649e3368d2bf05a

SHA512
d35f6457ec8db36e648b12946fa73ba1d6d1971419cdd14101f7cc8a7f84f78aa3a83d072ed7b2567d01d6669585499d4f6b3604b9de9e7cf9f86ca5ea86901e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7262.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\73a4fef7\2a4f70c6_49c4d901\rsJSON.DLL
Filesize
216KB

MD5
87f3a996498201ac86e829947623d82b

SHA1
a9b5d7fca9c10e7b31cb09dba9256437d966e334

SHA256
8eb38e05aa935c8d88e4034cb46cdf5a0ddb52651869aa4044bf6d5e9c0868ed

SHA512
9d1953c543e97b70e6bfa01158f8ac95910602c40b5b38dec5683092fb2994434d2952aeca66f0f0fa502615a06be71da220ad72079862ea7f01438a069545e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\AVGBrowserUpdateSetup.exe
Filesize
1.6MB

MD5
34a8f08f336cc90a6746e954252074d5

SHA1
6e15049f46b7d84f72f5fd29b5763092101ffab0

SHA256
9bb292fe2685e6e274ee309c9c5926515cb126da4ff10b94e1595b9f63499ce7

SHA512
18c540e47d363561c59eb57ead438d5e1ee96f2b36ee4089789d7c5bf6ddfece2b4c9031f65521427ddff325803ba85c632b0082c224876d0d8668f22fd8e55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\AVGBrowserUpdateSetup.exe
Filesize
1.6MB

MD5
34a8f08f336cc90a6746e954252074d5

SHA1
6e15049f46b7d84f72f5fd29b5763092101ffab0

SHA256
9bb292fe2685e6e274ee309c9c5926515cb126da4ff10b94e1595b9f63499ce7

SHA512
18c540e47d363561c59eb57ead438d5e1ee96f2b36ee4089789d7c5bf6ddfece2b4c9031f65521427ddff325803ba85c632b0082c224876d0d8668f22fd8e55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\AVGBrowserUpdateSetup.exe
Filesize
1.6MB

MD5
34a8f08f336cc90a6746e954252074d5

SHA1
6e15049f46b7d84f72f5fd29b5763092101ffab0

SHA256
9bb292fe2685e6e274ee309c9c5926515cb126da4ff10b94e1595b9f63499ce7

SHA512
18c540e47d363561c59eb57ead438d5e1ee96f2b36ee4089789d7c5bf6ddfece2b4c9031f65521427ddff325803ba85c632b0082c224876d0d8668f22fd8e55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\AccessControl.dll
Filesize
26KB

MD5
604a2e2ae485971e2fa3c87381c34fa7

SHA1
47cf889e2337bb226d3cc91b30384a8898c001ea

SHA256
5c5299d0b5ec902d6e17c81ba429094d943c38f6852a76292bb6bcbbf44aa163

SHA512
c4eec8ad90c476f3fea8b3f5f5b5bf0b0e347d764d04e8d6cbdd5e0cc9a55f5458442c9234f9542c56656974846920ba53bc797fbd187735c32746d7c0c52cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\CR.History.tmp
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\CR.History.tmp
Filesize
124KB

MD5
dc4e2d5fb0438b42468607f8a6ff8642

SHA1
f77e631bfb9ef1df4c47fc14b6a4685812ab2ec3

SHA256
98d5baa39144c21ef4e807afd23d59cf3b160f9cdee285aebfc90a7abe12f23f

SHA512
f93cd0ca2d3ec16176869599e3945e9a8eed298f1567998db6fe2fa6b61b66aee358f0e5daecedabfe734a9ce3e1f507ad3e24563b3432fefeceb3eeb987d82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\JsisPlugins.dll
Filesize
2.0MB

MD5
3f4f65c3551435aa4f70b23db238e027

SHA1
10a50d1003a2da42b869527098758bbd0c5a0b93

SHA256
3d52f17598297580cc04e8698010d8234b199250803f826fa03031a8f8507e7f

SHA512
15b9f0ef917167ed1c3fcbf6235ec277665abb662f26bf338bda2dcc815503b27eab4bfea88f5e4609a40a02f88a87a28d02ca1e4a7575905cb9217b58151a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\JsisPlugins.dll
Filesize
2.0MB

MD5
3f4f65c3551435aa4f70b23db238e027

SHA1
10a50d1003a2da42b869527098758bbd0c5a0b93

SHA256
3d52f17598297580cc04e8698010d8234b199250803f826fa03031a8f8507e7f

SHA512
15b9f0ef917167ed1c3fcbf6235ec277665abb662f26bf338bda2dcc815503b27eab4bfea88f5e4609a40a02f88a87a28d02ca1e4a7575905cb9217b58151a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\Midex.dll
Filesize
126KB

MD5
00fd199d6b8d08446f4862c31b191ca7

SHA1
b6ff09243cb10e34ed8efbdd822add98585008d4

SHA256
1b2a0de815e288161f0a156b4d1f17f06d2f4840b71d9d1903ad1284192cde24

SHA512
fd5e07ac20a40600c2117793f1c5253f2f6113c38cafc71ac87296d92c50217af4aeb3f44fd2834ec08d89dd8434ab1952262123eced279210236bb770c18ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\Midex.dll
Filesize
126KB

MD5
00fd199d6b8d08446f4862c31b191ca7

SHA1
b6ff09243cb10e34ed8efbdd822add98585008d4

SHA256
1b2a0de815e288161f0a156b4d1f17f06d2f4840b71d9d1903ad1284192cde24

SHA512
fd5e07ac20a40600c2117793f1c5253f2f6113c38cafc71ac87296d92c50217af4aeb3f44fd2834ec08d89dd8434ab1952262123eced279210236bb770c18ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\Midex.dll
Filesize
126KB

MD5
00fd199d6b8d08446f4862c31b191ca7

SHA1
b6ff09243cb10e34ed8efbdd822add98585008d4

SHA256
1b2a0de815e288161f0a156b4d1f17f06d2f4840b71d9d1903ad1284192cde24

SHA512
fd5e07ac20a40600c2117793f1c5253f2f6113c38cafc71ac87296d92c50217af4aeb3f44fd2834ec08d89dd8434ab1952262123eced279210236bb770c18ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\StdUtils.dll
Filesize
195KB

MD5
9a44ba9a6e36099d8058fed7feb1ca5a

SHA1
457679105484f604606db9b7cfc809240620747d

SHA256
445a8c41038974bf604cd826e192da08431e8b0c72f6a8ecb6894f8c5a6c777d

SHA512
34b555ef7e3f2a4b700ee4755dae68e42e12533d2bf688cb0251691aedd62120b8913ebec16d2fc239fe0bd1aa1d3657e0f456c1ae260e6f6154b4aef3c9f68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\StdUtils.dll
Filesize
195KB

MD5
9a44ba9a6e36099d8058fed7feb1ca5a

SHA1
457679105484f604606db9b7cfc809240620747d

SHA256
445a8c41038974bf604cd826e192da08431e8b0c72f6a8ecb6894f8c5a6c777d

SHA512
34b555ef7e3f2a4b700ee4755dae68e42e12533d2bf688cb0251691aedd62120b8913ebec16d2fc239fe0bd1aa1d3657e0f456c1ae260e6f6154b4aef3c9f68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\inetc.dll
Filesize
37KB

MD5
7fb1bbff6382a4d6143c76a5453bebb7

SHA1
966fb24bf152f4fcfabd6dcaf5f8df9276caad41

SHA256
90b21f42d547e2f1849abe573a1e87353c9fa534eefd4576fb6d4ed6b7a449dc

SHA512
0d503f2bd3d55f62bc962d1e29ef0c39f784f7ed549de8f39494fc22cd6233f26df6a9177c9a5fbdd76272cbed83ee2c1119d5aea843164008ef9dcce4fd19ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\jsis.dll
Filesize
127KB

MD5
465d5265bfe5b90f821235f0e13ba5e4

SHA1
da4d81c230b3aaa1e0dc891df8650e3a777da263

SHA256
ecca190ce5307cee4b4f02062ba0fca6ae2d0fa0d5ac223c726eab31d55b822d

SHA512
bf608b77b7240a4b04a5750e4cce63c6a394f143a823344e1a8c1f57a19a28d20fb1e376548e5db8a6ff69a7cbf6dd247c2f80a1adaaba3c105f5030f23604ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\jsis.dll
Filesize
127KB

MD5
465d5265bfe5b90f821235f0e13ba5e4

SHA1
da4d81c230b3aaa1e0dc891df8650e3a777da263

SHA256
ecca190ce5307cee4b4f02062ba0fca6ae2d0fa0d5ac223c726eab31d55b822d

SHA512
bf608b77b7240a4b04a5750e4cce63c6a394f143a823344e1a8c1f57a19a28d20fb1e376548e5db8a6ff69a7cbf6dd247c2f80a1adaaba3c105f5030f23604ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\nsJSON.dll
Filesize
36KB

MD5
18662c1acb667a9db5fb9e90aa0f5dc8

SHA1
d332202bad869e5c71f30bd816940b262cf24603

SHA256
608d4aefd5c5184bc109cbd94a5d4c8883a4ae6cedf81cfc3028d2570a849a66

SHA512
751b51b24b659f97a4fe9d2d3e38e1333221521fa1fe26e217114e767a9bdd3b341079fe9ff51570ada16ec30644552823ab5437d4a7a875f04525aeaced7687

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\nsJSON.dll
Filesize
36KB

MD5
18662c1acb667a9db5fb9e90aa0f5dc8

SHA1
d332202bad869e5c71f30bd816940b262cf24603

SHA256
608d4aefd5c5184bc109cbd94a5d4c8883a4ae6cedf81cfc3028d2570a849a66

SHA512
751b51b24b659f97a4fe9d2d3e38e1333221521fa1fe26e217114e767a9bdd3b341079fe9ff51570ada16ec30644552823ab5437d4a7a875f04525aeaced7687

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\thirdparty.dll
Filesize
93KB

MD5
080eea7a54aeb7ea3d016645dec05bd6

SHA1
771e1b0fe952ace3d2af3985b0b8d06c65f4d902

SHA256
84cab1c6df2eddced4e60fc1e158b772f7b766d0faed27e33bd5f0ea69903bf4

SHA512
a097aad8861bbd40b3871409750134277ee49c7f20604ec8f80f21f3ca05ae6dd54309f528c51c2db4dae06be81f2363c43a20d882484bfe36bea044a7476937

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk9124.tmp\thirdparty.dll
Filesize
93KB

MD5
080eea7a54aeb7ea3d016645dec05bd6

SHA1
771e1b0fe952ace3d2af3985b0b8d06c65f4d902

SHA256
84cab1c6df2eddced4e60fc1e158b772f7b766d0faed27e33bd5f0ea69903bf4

SHA512
a097aad8861bbd40b3871409750134277ee49c7f20604ec8f80f21f3ca05ae6dd54309f528c51c2db4dae06be81f2363c43a20d882484bfe36bea044a7476937

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8E54.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8E54.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\RAVEndPointProtection-installer.exe
Filesize
531KB

MD5
bf2e914733bf001b448a314f31ef73eb

SHA1
046fa02e698cf85770488451bea7f41a24a76a54

SHA256
1d11b67ac273fe87ff7bb64bd907eb0031b1b2e5314bd7d0be9abd2ab20b69a0

SHA512
1d5a04588193ba7a6a9e2732ae652a2731f3bcc87870d1cdb72ace5dcf4346af03d83742ecfb45695ae14c591289af6b56fe4ba0786b0b3edf999840780e0f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\RAVEndPointProtection-installer.exe
Filesize
531KB

MD5
bf2e914733bf001b448a314f31ef73eb

SHA1
046fa02e698cf85770488451bea7f41a24a76a54

SHA256
1d11b67ac273fe87ff7bb64bd907eb0031b1b2e5314bd7d0be9abd2ab20b69a0

SHA512
1d5a04588193ba7a6a9e2732ae652a2731f3bcc87870d1cdb72ace5dcf4346af03d83742ecfb45695ae14c591289af6b56fe4ba0786b0b3edf999840780e0f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\rsAtom.dll
Filesize
155KB

MD5
3a637d8b8f1a99b14420471e57b3ce34

SHA1
734a7876bfa0c9cbb0633707bd6fdd0691ca86da

SHA256
977934aefbdd50318cf0750cb7b49561a84c1935fcb48ba0867643cf0af64ef2

SHA512
4ec2b2ca07867a92dcc1dcfd11afdb5e6e1bd4058c3bf690c12fae2f10c7526eddf925d01e3034fdb6a0510bc484f1d2d054aefcceb2e6d0b31d5594161b5aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\rsJSON.dll
Filesize
215KB

MD5
16320bb73438e5d277450d40dd828fba

SHA1
469c1245e3fca774431231345c99c1d2246e524e

SHA256
34121f4827ee00b334395f69d79a7472ec478197635a2f6a7f0c8f92d70075da

SHA512
fec02a25ad687efebcf3de37c572a6b277045e60c57c50173e2c0c0411eb7b70ceef0df89beca1c12f1ba6e16551c77a3239141a3a32c1712be739818508621d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\rsLogger.dll
Filesize
177KB

MD5
e8cd93cc3df25d39b19a660412c27ecf

SHA1
749dae830391e6d213200b9a84f82a08cfdd4a04

SHA256
15f9af3bcd444ea719b3b251c6029e4310c72cc876cbfeccd4061ce9f29bd7ec

SHA512
d2f0b55acfa0675d0e322c08e111d9d828015eeeab7003b0c94734e00534d5bbc0f2eafe6d46574776a60d8c768419219b8eea680f7b19d1453f6d7f2525d12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\rsStubLib.dll
Filesize
241KB

MD5
4c28c10943a260098f311182fe870c68

SHA1
5cfce66a91ab121c9c08045a8d32e0c0b99941f6

SHA256
0692758d02737fef97a03c11bfee4b4d33755829eb8932f3911f2232f4b9e5d1

SHA512
7778d9c58762484095ac8edc85b17ca94d5a082b31a5f82660e6d7ca4fb01e70d579475d7d1b282c61aa73275caf73ff0767d4ecbae015ccc859cf23599e25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\271e3f7d\07d63567_49c4d901\rsJSON.DLL
Filesize
216KB

MD5
cb4990912512e02c5dfefff94902d04f

SHA1
4c8702f1edfd3d9339c60554b95be48e476a9159

SHA256
738affc5900c28e70f19b75359e1f75067f7035cc4380b331597a27e57481906

SHA512
841363362d052e601b86b642a562579a42fbcc5742ed7b6ce0b6d4d7c0d0ff7fd94dd61d3e27ba50235203c0a6bb70b80f2badf1ea31255f13f8387e523fb7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\309df0fb\07d63567_49c4d901\rsLogger.DLL
Filesize
178KB

MD5
779a9c208cfbad5863b16b723f663511

SHA1
f26c95e9e4919fdd65d94dffd3064ae68a59b22e

SHA256
8bfa3fe9d9f406e6b2f3edfd49283e2a24f55986bf09ea32ed88854fc1f193e6

SHA512
d56d8e2a622bef9eb097623059eadd6d80653bc0ef4354ef60122a9b22b19688c4cedbabd63b3f5f55b5d4699b4aeae8ba893725130e3a98bfe022ce84d39b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\8cf1e81e\a4e92967_49c4d901\rsAtom.DLL
Filesize
157KB

MD5
0d81c611d4e9ca94f8179d4ae62e754a

SHA1
b8f752e9c18401a1215c47457d7940d1926345a4

SHA256
a5ff8148f56d9b080d51764c04a7bcd8302442046ce9dd8e11a4430466650035

SHA512
771e94b4b822c734948e454ff2dfb96bd59a0fa9078aef8347039657b53b2d9e1ee60ac8615aac4dfaeda3071f823823d020c48171e16dd4dd4e98dace37c3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8EF2.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\e1f0466f\00bdeaeb_77aad901\rsStubLib.dll
Filesize
241KB

MD5
4c28c10943a260098f311182fe870c68

SHA1
5cfce66a91ab121c9c08045a8d32e0c0b99941f6

SHA256
0692758d02737fef97a03c11bfee4b4d33755829eb8932f3911f2232f4b9e5d1

SHA512
7778d9c58762484095ac8edc85b17ca94d5a082b31a5f82660e6d7ca4fb01e70d579475d7d1b282c61aa73275caf73ff0767d4ecbae015ccc859cf23599e25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4976_1805393317\e0dde820-aae1-4227-b874-f06f027a8f60.tmp
Filesize
1.2MB

MD5
392512bb32fdf558041e4410bc29e4c5

SHA1
7a90dcb06f1b97fa5310fdc44bda98bb25e584c6

SHA256
c7c3c3d63489414a108eb356b8bc0a54219054251f776af8c088920c146f7f37

SHA512
3ab3359febcc3ccfd922bf66556b3e12055ed1d8ad92cca81ac60c6637b8885aaf9911c7fb09001f0fc7377949828a2ecabaff8e476b6b0dce2053ab7de7ce01

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir6304_1294051371\CRX_INSTALL\img\icons\icon16.png
Filesize
700B

MD5
5774f763006cf6aa70cc18922524f993

SHA1
9b5e2adf1e3bba57fbc72a71240a584b3682fb42

SHA256
231afb7130b2e9ea943e42091b16dccb5e628649d8c55818b7fac632f5220260

SHA512
1014b66eeacab93fe3c60225febe6657296ebf11ca2e30e8598479f889b2dc91a83bc97b4b1558cb9a0f7347a883295e992676b5944da67d0edaf7732763f09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir6304_1294051371\a7eeefa9-e0f4-4395-ba31-f33d378c344d.tmp
Filesize
85KB

MD5
8b95d8c640c448c10060524da8336bbb

SHA1
790543f2119483be67344f01a49332d1635de1e7

SHA256
757d9bd9555c56e3e3a19e6394cd05ea2e471f2ad8a22ef7afbb1149e138651c

SHA512
4cbb330bc19c3e34d068aca161779fc0124340749fc0079571fb58a2fe2790203b13886dbfbb55f6f463b07457db716829edad19867ad928f4af8f3031e80d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0wku0yb.exe
Filesize
1.2MB

MD5
d85801104883e472e4828f2c9c910fdd

SHA1
8aa3310fc958726de37224f152ca5f051f0d14aa

SHA256
8cbe1b91ce6f73a1eb7b5c0443ee0f974ee142765f1b6779804367f4dea45096

SHA512
a0bd65984befc1ed2c520d95c5b1ca8b2cda33f86ed31c22526db2c0b40275cecfb1d92a97c8a093b31bd61369ecc61202452ebe3bda0c86cd2cadb3ec5bcf6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\AVG Secure Browser.lnk
Filesize
2KB

MD5
3de7d5d3de0e98c0a54ffd62a0424677

SHA1
7c6076b989706c7243cb2688e50174ff8435aab0

SHA256
1cf065bf3922481e7656e1b550f0265298acd6f0454cff5610676bf82fd3c1cb

SHA512
e93ae3619dca5c64e209cb2cd6b19403cd860629b07b949814f52165ce0682ee9bffd9c56c2872b537f026279482405cf30a811cb360728d288d37938661e064

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
12KB

MD5
f266e36a101a64dbe14bde31472ac66e

SHA1
7c7657074314d702d28c55fac7233c189b50388b

SHA256
29500bd31c5f9eb149f3168a77b3f8f3201ace7cf46bb99000eb66c4ee58fb45

SHA512
58fee049d6941d7d2a186a23e3e3757803c571812d286473837930797ebd2014c4403a01a66ff1b00afc4adfd9686c7da4056cfe0aa0af1d891ce348bfcd6e0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
15KB

MD5
7265b9b72b65e2191d5e40a29780e275

SHA1
585c86b51effe933d1578ec4157a4a691f3fac0c

SHA256
23caf213ac8fab12bfca465701d1c5acdf0efac9d6433dd7abcf46028adb529c

SHA512
17521c07524aa561a2bacf32f8d18ab8ce656580b2e3eac1f7a7704b3ecba62dc8eb84f8ed339afae40669945c67eae3b336d387ed26a9159acd41bbba97f0e2

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS\Network\Network Persistent State
Filesize
507B

MD5
261bf038137a8d4462e0c4907b81ab08

SHA1
a06025cf9ed0f72381b48f4b62b7ab3cdc04cc89

SHA256
068b9dec321d2c276806a13631d7bb5f3dfa1fefc5ffae3735506c1185aa9b49

SHA512
f345ccf104423b23eb55c739172ebf803c7d7eef2cdb4b948e93b497dfc9f89fe236cc8985ff8543fe8ce41ba44e2e03846e1879ca0215473a304559d08063e5

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\main_5.14.5\Network\Network Persistent State
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\main_5.14.5\Network\Network Persistent State
Filesize
311B

MD5
dad9e75fe8a11e8ded550b0c5e1a433b

SHA1
7a869caf5d225c053fc25971ccf258f3823d0e2f

SHA256
8ce111c0777333d32090fc3b321c04ce550f29fec41dfca539ff1b35c0151c2b

SHA512
9c1ae94f6bb856a30cae89814519bbe99bb7175dd7fc1d3d796b4eafd611ce96397d1129d47afb774441cd0d3da1895056b0943468a9fb405053e7174112c2b9

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\mc\Network\Network Persistent State
Filesize
482B

MD5
0b8f33950afe325e7b2bc3d82f443aeb

SHA1
ae540f10e88a5e47d2d73c758d32d2b61e7d3fc0

SHA256
d4f05911f71eef063179e08f84b90d449ac808b778850c1976567cb80280a178

SHA512
5c45e81b917bc50b29e8c133ceacedd5e01dfbeac5b358c67e8904ecab5a0ef18d349a1efa006d6a51760e02f2f6c508b91fd4008f4c716f2e88db075616e444

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\mc\a64b758a-c196-400a-b09a-eeee8b2a21e8.tmp
Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Code Cache\js\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Network\Network Persistent State
Filesize
507B

MD5
588e4329d01474cd652a0b1b2a0d58b7

SHA1
ebee8607a343db545f90995de68d194870cc3586

SHA256
831de90b6c733e12b135dcb9a6ee511d23b4503834d0a252a01d4405a93bed7a

SHA512
066465c17242df4019483bc0946e5c5db3ce49d7cf5a7b6ed3f341d4c5c34a1ba1480d66a0b291500af0504218f179235226d7ab3a3d11dd1773c500dc934c39

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.5.0\Network\Network Persistent State
Filesize
597B

MD5
75a83b6a7de70b461ec11addfc8838d0

SHA1
f9c45557c02d26e9e2dec71500b5a8ce4fe9a4ba

SHA256
a2a50fa0b90ffaf60ec53f327dde849889c62b1214a1256b0e9b4bd0f6019186

SHA512
00d2d7736b0aab8ad25611a59c8ee31a422edc8f696abe0646ef8e321f6f5a21d9053d90143ff0bbfb51b0e1508d6019da720080519db777e7f06643d3eb88c3

Download Submit
C:\Users\Admin\Downloads\Precision Targeting GUI - Linkvertise Downloader.zip
Filesize
11.6MB

MD5
1b907b0b4893b823554616262b4c44d3

SHA1
2c21784ae28cb6ad6dd00069d973c1b7540fad9d

SHA256
e6fda7fcb3b0dd51c8de4eab9de1e5830e41bc6a5a604c4ed0675b16e5dd8534

SHA512
bed69f33e811c6f5681410cae718552a8264a1d46fe12f86223c08e7c06315e6cde1d44b997899a1647ab3fb3eb3221de1a795279f75bb86be031c072aaa5b76

Download Submit
C:\Windows\Installer\e637e90.msi
Filesize
32KB

MD5
56eca6288e18d063cdc420c413a3167d

SHA1
1abccbf08de75e8c8175bd83180986a1fca7dce5

SHA256
900e63d84683ff83c182b0fb52cb22ac3456b18ddf0f5d25ce9cccea12b89ccb

SHA512
33aec59d39e31f263799785863aded6ebcb3b56d90b0b2e9b018dd072d6f700491e628ed4981b107f7a9f1982ea74ac56a6f0cd596df658cd204cc4b5ec882a2

Download Submit
C:\Windows\System32\drivers\rsElam.sys
Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Windows\Temp\TmpD81F.tmp
Filesize
199KB

MD5
69e0d0f2c668b6f0417fd87296ccfcc1

SHA1
2ceedca25f3b62756adf7038edfb6c22dae955af

SHA256
c40088527fddf75c90653f19a7b4911689eb4d1014dc3f7d35505b2a7825bbb1

SHA512
5a0afc2eee8a1f844d9791f8b6d74b9603d3465804132a71ad9620124ffd6961179207b318a16bd01fae4c2730712c63977b0fd9bae90be1d1a9a65215769ecb

Download Submit
C:\Windows\Temp\TmpDA34.tmp
Filesize
2.5MB

MD5
5aa023c5c911f6e31c1bb1e7b9d1c845

SHA1
13c575f045842191b5566c6fb384b741cb88d6db

SHA256
a5ba5dcc1756a9cc08e1a5ed232d2f8d3290e9869c7e7dc31739ce2288f685c1

SHA512
d55354ff2cbf14461ef497de758e63d6f7cf59ae1dd0a02414952f20580e46542ce0f6ef44e0f8dc749a849699e94f70aa8245dbb24a95c83e89f62ecaf59348

Download Submit
C:\Windows\Temp\TmpDDCE.tmp
Filesize
21KB

MD5
7c6050ed3091fbf73dc520598a88f72b

SHA1
32c573b47d024c8186289cd36fd940fd367b3b9f

SHA256
710c11759537d34a335318930e9f246817ee92d6d7244c2ea09c80917e17e20f

SHA512
0c88c8d41df9d9f37d83c299528e7bf8319786ffa467e3c775052532caec746023a9a4061b30ac1237af3fd31ac0953f807a0a47293e099a65da48f58899789f

Download Submit
C:\Windows\Temp\TmpE021.tmp
Filesize
24KB

MD5
2aecb9ba77507f8b99ecc9da86be49bb

SHA1
f10ff14a1ea27fdc5d4920a02e778e466ee4d943

SHA256
ddcb29fd751a6b2108518902bb68439ab3477a210c984ee04a90e526c2bb9d83

SHA512
f5e2db78cecdf9c0e9e3ab930fb5bd323ab116e67fc2ec11b6a25d1a1b2d3fdbfb6812bd4fcb1235c32e545ecb56a4b4c2a8e2672573e80dbeb234ac5cc4e8f6

Download Submit
C:\Windows\Temp\TmpE15B.tmp
Filesize
25KB

MD5
2b86117354b6ca2737611bc40938d302

SHA1
a8778aabefe0bcabfc5dd5f20ee9128d549adad9

SHA256
db60bbf0bb83478f4c64ebd1edf7af4e8b4e9a322dd11f8ba6dee74fea71e20b

SHA512
5b92ca620ccdc1cbec09753bee777a830f0dfd40f3b3ab009dadedb3fd535fd18a5106b122ef1532f2a04b936c38530702870bc75b43a192432ed05dc25e0cc9

Download Submit
C:\Windows\Temp\TmpE2F2.tmp
Filesize
25KB

MD5
37fb797ec6ab384010f3b408b2085811

SHA1
ee54465c119c00c2f7ecdca10c207613d69168cd

SHA256
7bbdeca6a282f19813f100bbf7d411b45b1472684f58bb7e140f295b31469d34

SHA512
58646952c04c4eafaa331d01a30e503dc693e252f4ea000d5e49c8605f7e0f92bc28359747fc495e5eee4c0f2d6dd2110935e783261ac9a094bf33d2bdfdb893

Download Submit
C:\Windows\Temp\TmpE3BE.tmp
Filesize
300KB

MD5
64b4b0393fb11bc3ffef8915eb21858f

SHA1
2f7bc18e665f97eeb7f525c1589e68f5a8504f71

SHA256
0004f2d5340532dbb413c5bcefc6115a8411eba37eb227fb4f11320df39d1694

SHA512
6559aa30f1431c9e9c87035ab017ae91dd0a9b955a9ba2fca4cb0fabedbb228a71e9e7266c40e4ccc185c80dc1b7b6458715ed7795a34a05275dfb5554be3e43

Download Submit
C:\Windows\Temp\TmpE48A.tmp
Filesize
25KB

MD5
a496442191073c65bade74baae9f43bd

SHA1
646144257212082254f0750b25122c8acac63f84

SHA256
73d36499d2ddc7a2521abf9594448aa21064667f252cfbe3ba0428fb84df6f08

SHA512
8645eaa07d9774aff1880bd2f4398dd28e9b138fc5e44a70d49a529babf2b9020bb7be109a78d42cb90629734ef67681b37ea7f049958165a86160c15cacd137

Download Submit
C:\Windows\Temp\TmpE5A4.tmp
Filesize
29KB

MD5
cd300e953982f868315638ab0ef1d70a

SHA1
dc02fe9d130cf34eb58c734535f84635fc4e4bc9

SHA256
c5e412eec17f36e27218e26e90e39d9e37edef5e122af8684042892e060d7ee7

SHA512
e128975a973870ecf4b17ecd9685de498e0d27a6e22a483888da24553da002411ea13b3a1e5a59b5ad79cc381ccd0541a78d1bc2a2fb60bcfa1b7852dc7e75b5

Download Submit
C:\Windows\Temp\TmpE6CE.tmp
Filesize
20KB

MD5
c88b4b41a3aad7098468b93625c296d2

SHA1
e961627e19c64b5fd94558a96454fabd9d7ae9e5

SHA256
51217aa0d765c70f9f967e19dd4433ef0734273b9a39830a89648f303bcc1f14

SHA512
64a5901b89e85f2a726158c3bba623785a8231910d57ace6d0f6974621c8e098173047cba4d3118f86c437ca42cb2f89430d986ccb0449bd309d5b2d740303be

Download Submit
C:\Windows\Temp\TmpE7D9.tmp
Filesize
341KB

MD5
9681733da295fbac20ba6dd6bcf257e7

SHA1
1361f50d12dd8efc83b95aaf222f282fd117a53e

SHA256
096f3af4ac2cae762ceb101ec1ef13e45e2f013f6d964242056c8712b2946d76

SHA512
d622564bfdab916535fbeecc431f9feac74f320ebcb27e8419a262f4dd4011cc72f377d9c12112d358ed9d3eb069dc499b7fc46731216e0c6a41b7003ef70115

Download Submit
C:\Windows\Temp\TmpE895.tmp
Filesize
95KB

MD5
d07ed83fb515dfa2f5bdb294dd5e19e7

SHA1
974e799d8157d9d74513714f2696b82e3247f9df

SHA256
8b0486b87d0c6ae37d11b430d72e1b9848550de64c7f22fdf29cbf8e7d1060ad

SHA512
eda3ddf9ee2753fe6a4527af8f2a7a32a6fdf32d22136bea1f8f81515912a5d7dcdbab57cc8be32d367770d60014c0ecaddb9ee4342486b3fc85e0534b59d5e9

Download Submit
C:\Windows\Temp\TmpEA3C.tmp
Filesize
693KB

MD5
fd9d7570296ec1a7e059cc64629305cd

SHA1
e58cf6da6b91abb28504b0c8209990e5f7612220

SHA256
12e341d05484ddfd24a38b75c661a3639a0bdfb1ccbee4c13ad96ea9a04c6c14

SHA512
6f72edf644dea5ad07c93c356de63730e5bd209668e896b2634d76e74e4254a93a1635c74ee70c3353626e9d9cb0f21d74fecac4389fbfb0a1d03359ce02cd72

Download Submit
C:\Windows\Temp\TmpEB28.tmp
Filesize
25KB

MD5
6c477ae85490568dea826e0de68774ce

SHA1
9c5396c560aaa4b1e173df56e72e864247b7b8b0

SHA256
99b262700250521f773e2a1f434a5eec05f337b053fe13fe3ba59a9bcf427d44

SHA512
051f0fc249dbd6b1af753b1c8efeef919c786e542f2e68c718dc5c8375e7d369e87620cd8bd332b388ed574b6583661c33473fcba325068228885eb2d27b2dd4

Download Submit
C:\Windows\Temp\TmpEC32.tmp
Filesize
157KB

MD5
b118beb287eceaa2ff71030370d202e7

SHA1
35d56fe794274889f64cba00e6c53a921608bfc3

SHA256
babba34cc5967b0623ff235cbf12f5500351323232258f1c5b3e960ae8cf2789

SHA512
7f9d6ab5208b6f978f442a9489313a3fb63168e605502c421fd2b7483b11d7f3207674fc85d6ad01fd44fd978a76984d4997c72ae518c1fddca291fe29511b1f

Download Submit
C:\Windows\Temp\TmpED1E.tmp
Filesize
142KB

MD5
16f6cddd8e064edea4854f98bdf5d1a1

SHA1
add7e9465ae11c1254e575fe35f30c8fc7d31eb5

SHA256
02ef164709d0dc9d48211673969959e06e30edeeb1583f6987c1cb42fd413175

SHA512
35fe2ee7178acc1d53e86c86cad67bda4c08280130094180a39ae12763e291ccc9c905f97a69d14234b43c7700a2c8ed32aac0dda92c4fbebf4417ae0247503d

Download Submit
\??\pipe\LOCAL\crashpad_4976_WWSJFUHJQLRDFBLR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/420-931-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp

Filesize
10.8MB

Download
memory/420-948-0x000001E8E7080000-0x000001E8E7090000-memory.dmp

Filesize
64KB

Download
memory/420-690-0x000001E8E6C70000-0x000001E8E6C78000-memory.dmp

Filesize
32KB

Download
memory/420-691-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp

Filesize
10.8MB

Download
memory/420-694-0x000001E8E96D0000-0x000001E8E9BF8000-memory.dmp

Filesize
5.2MB

Download
memory/420-701-0x000001E8E7080000-0x000001E8E7090000-memory.dmp

Filesize
64KB

Download
memory/468-1169-0x0000029ED0F50000-0x0000029ED0FA8000-memory.dmp

Filesize
352KB

Download
memory/468-4552-0x0000029ED1440000-0x0000029ED1441000-memory.dmp

Filesize
4KB

Download
memory/468-4400-0x0000029ED1440000-0x0000029ED1478000-memory.dmp

Filesize
224KB

Download
memory/468-4413-0x0000029ED1350000-0x0000029ED1351000-memory.dmp

Filesize
4KB

Download
memory/468-899-0x0000029EB8440000-0x0000029EB8470000-memory.dmp

Filesize
192KB

Download
memory/468-4395-0x0000029EB8530000-0x0000029EB8531000-memory.dmp

Filesize
4KB

Download
memory/468-1315-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp

Filesize
10.8MB

Download
memory/468-1443-0x0000029EB84A0000-0x0000029EB84B0000-memory.dmp

Filesize
64KB

Download
memory/468-957-0x0000029EB6C20000-0x0000029EB6C21000-memory.dmp

Filesize
4KB

Download
memory/468-4422-0x0000029ED1430000-0x0000029ED1460000-memory.dmp

Filesize
192KB

Download
memory/468-4458-0x0000029ED1330000-0x0000029ED1331000-memory.dmp

Filesize
4KB

Download
memory/468-917-0x0000029EB6C40000-0x0000029EB6C41000-memory.dmp

Filesize
4KB

Download
memory/468-916-0x0000029EB84A0000-0x0000029EB84B0000-memory.dmp

Filesize
64KB

Download
memory/468-841-0x0000029EB67E0000-0x0000029EB6866000-memory.dmp

Filesize
536KB

Download
memory/468-932-0x0000029EB6C10000-0x0000029EB6C11000-memory.dmp

Filesize
4KB

Download
memory/468-842-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp

Filesize
10.8MB

Download
memory/468-4539-0x0000029ED14F0000-0x0000029ED151A000-memory.dmp

Filesize
168KB

Download
memory/468-954-0x0000029ED0EC0000-0x0000029ED0EEA000-memory.dmp

Filesize
168KB

Download
memory/468-4708-0x0000029EB84A0000-0x0000029EB84B0000-memory.dmp

Filesize
64KB

Download
memory/468-927-0x0000029ED0E80000-0x0000029ED0EB8000-memory.dmp

Filesize
224KB

Download
memory/468-858-0x0000029EB8400000-0x0000029EB8440000-memory.dmp

Filesize
256KB

Download
memory/468-4553-0x0000029EB84A0000-0x0000029EB84B0000-memory.dmp

Filesize
64KB

Download
memory/872-139-0x000001A7F7CB0000-0x000001A7F7CC0000-memory.dmp

Filesize
64KB

Download
memory/872-134-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp

Filesize
10.8MB

Download
memory/872-135-0x000001A7F7CB0000-0x000001A7F7CC0000-memory.dmp

Filesize
64KB

Download
memory/872-136-0x000001A7F7460000-0x000001A7F7468000-memory.dmp

Filesize
32KB

Download
memory/872-133-0x000001A7F5510000-0x000001A7F566C000-memory.dmp

Filesize
1.4MB

Download
memory/872-137-0x000001A7F7CB0000-0x000001A7F7CC0000-memory.dmp

Filesize
64KB

Download
memory/872-138-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp

Filesize
10.8MB

Download
memory/872-140-0x000001A7F7CB0000-0x000001A7F7CC0000-memory.dmp

Filesize
64KB

Download
memory/1616-4716-0x0000020CAF080000-0x0000020CAF090000-memory.dmp

Filesize
64KB

Download
memory/1616-4709-0x0000020C94B00000-0x0000020C94B2E000-memory.dmp

Filesize
184KB

Download
memory/1616-4782-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp

Filesize
10.8MB

Download
memory/1616-4747-0x0000020CAEF70000-0x0000020CAEFAC000-memory.dmp

Filesize
240KB

Download
memory/1616-4741-0x0000020C96700000-0x0000020C96712000-memory.dmp

Filesize
72KB

Download
memory/1616-4723-0x0000020C94B00000-0x0000020C94B2E000-memory.dmp

Filesize
184KB

Download
memory/1616-4717-0x0000020C96680000-0x0000020C96681000-memory.dmp

Filesize
4KB

Download
memory/1616-4715-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-635-0x0000000006530000-0x000000000653F000-memory.dmp

Filesize
60KB

Download
memory/2588-1451-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/2588-914-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/2588-675-0x0000000006530000-0x000000000653F000-memory.dmp

Filesize
60KB

Download
memory/2588-915-0x0000000006530000-0x000000000653F000-memory.dmp

Filesize
60KB

Download
memory/2588-674-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/2588-645-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/2588-646-0x0000000006530000-0x000000000653F000-memory.dmp

Filesize
60KB

Download
memory/2588-647-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2588-1577-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/2588-600-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2648-4578-0x00007FF87FCB0000-0x00007FF87FCC0000-memory.dmp

Filesize
64KB

Download
memory/3068-594-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3068-644-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/3068-1640-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/5292-4469-0x00007FF87FCC0000-0x00007FF87FF89000-memory.dmp

Filesize
2.8MB

Download
memory/5292-4472-0x00007FF87FCB0000-0x00007FF87FCC0000-memory.dmp

Filesize
64KB

Download
memory/5292-4575-0x00007FF87FCC0000-0x00007FF87FF89000-memory.dmp

Filesize
2.8MB

Download
memory/5600-4818-0x0000024333960000-0x000002433397A000-memory.dmp

Filesize
104KB

Download
memory/5600-4817-0x000002434C910000-0x000002434CA8C000-memory.dmp

Filesize
1.5MB

Download
memory/5600-4819-0x00000243339D0000-0x00000243339F2000-memory.dmp

Filesize
136KB

Download
memory/5600-4816-0x0000024333470000-0x0000024333471000-memory.dmp

Filesize
4KB

Download
memory/5600-4793-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp

Filesize
10.8MB

Download
memory/5600-4815-0x000002434C420000-0x000002434C430000-memory.dmp

Filesize
64KB

Download
memory/5600-4809-0x000002434C5A0000-0x000002434C906000-memory.dmp

Filesize
3.4MB

Download
memory/5768-1840-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1468-0x00007FF6CBFF0000-0x00007FF6CC000000-memory.dmp

Filesize
64KB

Download
memory/5768-1574-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1575-0x00007FF6B5930000-0x00007FF6B5940000-memory.dmp

Filesize
64KB

Download
memory/5768-1576-0x00007FF6C3200000-0x00007FF6C3210000-memory.dmp

Filesize
64KB

Download
memory/5768-1607-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1621-0x00007FF668E60000-0x00007FF668E70000-memory.dmp

Filesize
64KB

Download
memory/5768-1593-0x00007FF668E60000-0x00007FF668E70000-memory.dmp

Filesize
64KB

Download
memory/5768-1596-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1618-0x00007FF6B5930000-0x00007FF6B5940000-memory.dmp

Filesize
64KB

Download
memory/5768-1639-0x00007FF6B5930000-0x00007FF6B5940000-memory.dmp

Filesize
64KB

Download
memory/5768-1623-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1570-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1653-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1650-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1633-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1713-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1547-0x00007FF6C3200000-0x00007FF6C3210000-memory.dmp

Filesize
64KB

Download
memory/5768-1484-0x00007FF6B5930000-0x00007FF6B5940000-memory.dmp

Filesize
64KB

Download
memory/5768-1544-0x00007FF668E60000-0x00007FF668E70000-memory.dmp

Filesize
64KB

Download
memory/5768-1531-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1543-0x00007FF6B5930000-0x00007FF6B5940000-memory.dmp

Filesize
64KB

Download
memory/5768-1471-0x00007FF6CBFF0000-0x00007FF6CC000000-memory.dmp

Filesize
64KB

Download
memory/5768-1470-0x00007FF6CBFF0000-0x00007FF6CC000000-memory.dmp

Filesize
64KB

Download
memory/5768-1469-0x00007FF6CBFF0000-0x00007FF6CC000000-memory.dmp

Filesize
64KB

Download
memory/5768-1688-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1760-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1447-0x00007FF6CBFF0000-0x00007FF6CC000000-memory.dmp

Filesize
64KB

Download
memory/5768-1774-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1784-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1796-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1803-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1801-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1821-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1829-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1833-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1839-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1832-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1560-0x00007FF668E60000-0x00007FF668E70000-memory.dmp

Filesize
64KB

Download
memory/5768-1698-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1788-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1752-0x00007FF681670000-0x00007FF681680000-memory.dmp

Filesize
64KB

Download
memory/5768-1757-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/5768-1778-0x00007FF6CD430000-0x00007FF6CD440000-memory.dmp

Filesize
64KB

Download
memory/6704-4871-0x0000010FABE90000-0x0000010FABE91000-memory.dmp

Filesize
4KB

Download
memory/6704-4870-0x0000010FABF20000-0x0000010FABF74000-memory.dmp

Filesize
336KB

Download
memory/6704-4864-0x0000010FAA830000-0x0000010FAA831000-memory.dmp

Filesize
4KB

Download
memory/6704-4863-0x0000010FC4900000-0x0000010FC4910000-memory.dmp

Filesize
64KB

Download
memory/6704-4857-0x00007FF8644E0000-0x00007FF864FA1000-memory.dmp

Filesize
10.8MB

Download
memory/6704-4856-0x0000010FAA2A0000-0x0000010FAA2F2000-memory.dmp

Filesize
328KB

Download