cobaltstrike | f4f642dc1f2fce61dbff0b3227c4a27c9b6c2a97017ab067a369956167e20ad7

Analysis

max time kernel
119s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine75.exe
Size

28.5MB
MD5

dd2a4fc0eeac88904580a2c993632b8b
SHA1

7443b346340a0d36bd16813447015f262ab53d2d
SHA256

f4f642dc1f2fce61dbff0b3227c4a27c9b6c2a97017ab067a369956167e20ad7
SHA512

127741b7b929a836bbc393a2ce5f018970616582ec444375ce900391ed3ded94459197a5d17e430e4eb89e78859605834717df7dfff686e9ad2f73ae8e6188c2
SSDEEP

786432:JTCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFH:J2EXFhV0KAcNjxAItj

Score

10^/10

cobaltstrike zgrat backdoor discovery evasion persistence rat spyware stealer trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0007000000023606-2920.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral2/files/0x00060000000234a2-1178.dat	family_zgrat_v1
behavioral2/files/0x0006000000023490-1186.dat	family_zgrat_v1
behavioral2/memory/3968-1800-0x000001A6FD2E0000-0x000001A6FD334000-memory.dmp	family_zgrat_v1
behavioral2/memory/3968-1842-0x000001A6FE020000-0x000001A6FE246000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023542-2310.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	RAVEndPointProtection-installer.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2816	icacls.exe
1272	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	rsEngineSvc.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023606-2920.dat	autoit_exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	CheatEngine75.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	prod0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	Cheat Engine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	rsVPNSvc.exe

Drops file in System32 directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM32\opengl32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\win32u.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\combase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\uxtheme.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\winmm.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\advapi32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\sechost.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ole32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\SHLWAPI.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\psapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\imm32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\Wldp.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shell32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\kernel.appcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcp_win.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\user32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\GDI32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\rsVPNSvc\WireGuard\log.bin	rsVPNSvc.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	cheatengine-x86_64-SSE4-AVX2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Net.NetworkInformation.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\propsys.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\is-DSL1J.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-HHK4I.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\languages\is-MBFAU.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\icudtl.dat	RAVEndPointProtection-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\is-NA5U9.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\rsLitmus.A.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Net.WebSockets.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\is-B7ECS.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\msimg32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\VPN\Microsoft.Win32.TaskScheduler.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.sys	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\rpcrt4.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\ntmarta.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\hhctrl.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\TextShaping.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\cfgmgr32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\include\is-VQR05.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\amd64\msdia140.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\DLL\iphlpapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Net.Http.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Threading.dll	RAVVPN-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\ucrtbase.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\shell32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\ole32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\VPN\OpenVPN\ca.crt	RAVVPN-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\badassets\is-9F8M2.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\Signatures.dat	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\BouncyCastle.Crypto.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.OnDemand.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\OpenVPN\legacy\amd64\tap0901.cat	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\OpenVPN\legacy\i386\tap0901.cat	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\fr\Microsoft.Win32.TaskScheduler.resources.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\rsServiceController.dll	RAVVPN-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-HITAR.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fil.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\d3dcompiler_47.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\CLBCatQ.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dbghelp.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\VPN\VpnSDK.Private.Ras.dll	RAVVPN-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-FEI8E.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\System.Reflection.Primitives.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Primitives.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.ServiceProcess.ServiceController.dll	RAVVPN-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\lua53-64.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\ExplorerFrame.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\fwpuclnt.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\ReasonLabs\EPP\Uninstall.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\amd64\vcruntime140_1.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\rsTime.dll	RAVVPN-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\is-2V901.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-DBJ07.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Camera.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\gdi32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Security.Cryptography.X509Certificates.dll	RAVVPN-installer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	cheatengine-x86_64-SSE4-AVX2.exe

Executes dropped EXE 28 IoCs

pid	Process
3136	CheatEngine75.tmp
4388	prod0.exe
3924	CheatEngine75.exe
3996	qesj5xvq.exe
4520	CheatEngine75.tmp
2952	RAVEndPointProtection-installer.exe
2404	_setup64.tmp
3328	rsSyncSvc.exe
392	rsSyncSvc.exe
2300	Kernelmoduleunloader.exe
1756	windowsrepair.exe
3628	rsWSC.exe
4932	rsWSC.exe
2472	rsClientSvc.exe
2436	rsClientSvc.exe
3968	rsEngineSvc.exe
4828	Cheat Engine.exe
5084	cheatengine-x86_64-SSE4-AVX2.exe
1236	rsEngineSvc.exe
228	31bhjyvh.exe
628	RAVVPN-installer.exe
1436	rsVPNClientSvc.exe
4588	rsVPNClientSvc.exe
2340	rsVPNSvc.exe
3988	rsVPNSvc.exe
4904	rsHelper.exe
4020	VPN.exe
2624	rsAppUI.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4980	sc.exe
3320	sc.exe

Loads dropped DLL 19 IoCs

pid	Process
3136	CheatEngine75.tmp
3996	qesj5xvq.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
5084	cheatengine-x86_64-SSE4-AVX2.exe
5084	cheatengine-x86_64-SSE4-AVX2.exe
5084	cheatengine-x86_64-SSE4-AVX2.exe
5084	cheatengine-x86_64-SSE4-AVX2.exe
5084	cheatengine-x86_64-SSE4-AVX2.exe
5084	cheatengine-x86_64-SSE4-AVX2.exe
5084	cheatengine-x86_64-SSE4-AVX2.exe
228	31bhjyvh.exe
1236	rsEngineSvc.exe
628	RAVVPN-installer.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
3988	rsVPNSvc.exe
2624	rsAppUI.exe
2624	rsAppUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3540	3136	WerFault.exe	83
1444	3136	WerFault.exe	83

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsVPNSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsWSC.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine75.tmp

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf50f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f1030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe

Runs net.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	100	Cheat Engine 7.5 : luascript-ceshare
HTTP User-Agent header	100	Cheat Engine 7.5 : luascript-CEVersionCheck

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
3136	CheatEngine75.tmp
4520	CheatEngine75.tmp
4520	CheatEngine75.tmp
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2952	RAVEndPointProtection-installer.exe
2436	rsClientSvc.exe
2436	rsClientSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe
1236	rsEngineSvc.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
3840	fltmc.exe
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	prod0.exe
Token: SeDebugPrivilege	2952	RAVEndPointProtection-installer.exe
Token: SeShutdownPrivilege	2952	RAVEndPointProtection-installer.exe
Token: SeCreatePagefilePrivilege	2952	RAVEndPointProtection-installer.exe
Token: SeDebugPrivilege	2952	RAVEndPointProtection-installer.exe
Token: SeSecurityPrivilege	4372	wevtutil.exe
Token: SeBackupPrivilege	4372	wevtutil.exe
Token: SeLoadDriverPrivilege	3840	fltmc.exe
Token: SeSecurityPrivilege	5036	wevtutil.exe
Token: SeBackupPrivilege	5036	wevtutil.exe
Token: SeDebugPrivilege	3628	rsWSC.exe
Token: SeDebugPrivilege	4932	rsWSC.exe
Token: SeDebugPrivilege	3968	rsEngineSvc.exe
Token: SeDebugPrivilege	3968	rsEngineSvc.exe
Token: SeDebugPrivilege	3968	rsEngineSvc.exe
Token: SeBackupPrivilege	3968	rsEngineSvc.exe
Token: SeRestorePrivilege	3968	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	3968	rsEngineSvc.exe
Token: SeDebugPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLoadDriverPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreateGlobalPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLockMemoryPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeSecurityPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTakeOwnershipPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeManageVolumePrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeBackupPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreatePagefilePrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeShutdownPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeRestorePrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeIncBasePriorityPrivilege	5084	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeDebugPrivilege	1236	rsEngineSvc.exe
Token: SeDebugPrivilege	1236	rsEngineSvc.exe
Token: SeDebugPrivilege	1236	rsEngineSvc.exe
Token: SeBackupPrivilege	1236	rsEngineSvc.exe
Token: SeRestorePrivilege	1236	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	1236	rsEngineSvc.exe
Token: SeDebugPrivilege	628	RAVVPN-installer.exe
Token: SeShutdownPrivilege	628	RAVVPN-installer.exe
Token: SeCreatePagefilePrivilege	628	RAVVPN-installer.exe
Token: SeShutdownPrivilege	1236	rsEngineSvc.exe
Token: SeCreatePagefilePrivilege	1236	rsEngineSvc.exe
Token: SeDebugPrivilege	628	RAVVPN-installer.exe
Token: SeDebugPrivilege	2340	rsVPNSvc.exe
Token: SeDebugPrivilege	2340	rsVPNSvc.exe
Token: SeDebugPrivilege	2340	rsVPNSvc.exe
Token: SeBackupPrivilege	2340	rsVPNSvc.exe
Token: SeRestorePrivilege	2340	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	2340	rsVPNSvc.exe
Token: SeDebugPrivilege	3988	rsVPNSvc.exe
Token: SeDebugPrivilege	3988	rsVPNSvc.exe
Token: SeDebugPrivilege	3988	rsVPNSvc.exe
Token: SeBackupPrivilege	3988	rsVPNSvc.exe
Token: SeRestorePrivilege	3988	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	3988	rsVPNSvc.exe
Token: SeDebugPrivilege	3988	rsVPNSvc.exe
Token: SeDebugPrivilege	3988	rsVPNSvc.exe
Token: SeBackupPrivilege	3988	rsVPNSvc.exe
Token: SeRestorePrivilege	3988	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	3988	rsVPNSvc.exe
Token: SeDebugPrivilege	4904	rsHelper.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3136	CheatEngine75.tmp
4520	CheatEngine75.tmp
5084	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3136	1488	CheatEngine75.exe	83
PID 1488 wrote to memory of 3136	1488	CheatEngine75.exe	83
PID 1488 wrote to memory of 3136	1488	CheatEngine75.exe	83
PID 3136 wrote to memory of 4388	3136	CheatEngine75.tmp	93
PID 3136 wrote to memory of 4388	3136	CheatEngine75.tmp	93
PID 3136 wrote to memory of 3924	3136	CheatEngine75.tmp	94
PID 3136 wrote to memory of 3924	3136	CheatEngine75.tmp	94
PID 3136 wrote to memory of 3924	3136	CheatEngine75.tmp	94
PID 4388 wrote to memory of 3996	4388	prod0.exe	96
PID 4388 wrote to memory of 3996	4388	prod0.exe	96
PID 4388 wrote to memory of 3996	4388	prod0.exe	96
PID 3924 wrote to memory of 4520	3924	CheatEngine75.exe	97
PID 3924 wrote to memory of 4520	3924	CheatEngine75.exe	97
PID 3924 wrote to memory of 4520	3924	CheatEngine75.exe	97
PID 4520 wrote to memory of 368	4520	CheatEngine75.tmp	98
PID 4520 wrote to memory of 368	4520	CheatEngine75.tmp	98
PID 3996 wrote to memory of 2952	3996	qesj5xvq.exe	100
PID 3996 wrote to memory of 2952	3996	qesj5xvq.exe	100
PID 368 wrote to memory of 4540	368	net.exe	101
PID 368 wrote to memory of 4540	368	net.exe	101
PID 4520 wrote to memory of 3152	4520	CheatEngine75.tmp	102
PID 4520 wrote to memory of 3152	4520	CheatEngine75.tmp	102
PID 3152 wrote to memory of 3832	3152	net.exe	104
PID 3152 wrote to memory of 3832	3152	net.exe	104
PID 4520 wrote to memory of 4980	4520	CheatEngine75.tmp	105
PID 4520 wrote to memory of 4980	4520	CheatEngine75.tmp	105
PID 4520 wrote to memory of 3320	4520	CheatEngine75.tmp	107
PID 4520 wrote to memory of 3320	4520	CheatEngine75.tmp	107
PID 4520 wrote to memory of 2404	4520	CheatEngine75.tmp	109
PID 4520 wrote to memory of 2404	4520	CheatEngine75.tmp	109
PID 4520 wrote to memory of 2816	4520	CheatEngine75.tmp	111
PID 4520 wrote to memory of 2816	4520	CheatEngine75.tmp	111
PID 2952 wrote to memory of 3328	2952	RAVEndPointProtection-installer.exe	113
PID 2952 wrote to memory of 3328	2952	RAVEndPointProtection-installer.exe	113
PID 4520 wrote to memory of 2300	4520	CheatEngine75.tmp	116
PID 4520 wrote to memory of 2300	4520	CheatEngine75.tmp	116
PID 4520 wrote to memory of 2300	4520	CheatEngine75.tmp	116
PID 4520 wrote to memory of 1756	4520	CheatEngine75.tmp	118
PID 4520 wrote to memory of 1756	4520	CheatEngine75.tmp	118
PID 4520 wrote to memory of 1756	4520	CheatEngine75.tmp	118
PID 4520 wrote to memory of 1272	4520	CheatEngine75.tmp	120
PID 4520 wrote to memory of 1272	4520	CheatEngine75.tmp	120
PID 2952 wrote to memory of 764	2952	RAVEndPointProtection-installer.exe	121
PID 2952 wrote to memory of 764	2952	RAVEndPointProtection-installer.exe	121
PID 764 wrote to memory of 4444	764	rundll32.exe	122
PID 764 wrote to memory of 4444	764	rundll32.exe	122
PID 4444 wrote to memory of 4644	4444	runonce.exe	123
PID 4444 wrote to memory of 4644	4444	runonce.exe	123
PID 2952 wrote to memory of 4372	2952	RAVEndPointProtection-installer.exe	125
PID 2952 wrote to memory of 4372	2952	RAVEndPointProtection-installer.exe	125
PID 2952 wrote to memory of 3840	2952	RAVEndPointProtection-installer.exe	127
PID 2952 wrote to memory of 3840	2952	RAVEndPointProtection-installer.exe	127
PID 2952 wrote to memory of 5036	2952	RAVEndPointProtection-installer.exe	129
PID 2952 wrote to memory of 5036	2952	RAVEndPointProtection-installer.exe	129
PID 2952 wrote to memory of 3628	2952	RAVEndPointProtection-installer.exe	131
PID 2952 wrote to memory of 3628	2952	RAVEndPointProtection-installer.exe	131
PID 2952 wrote to memory of 2472	2952	RAVEndPointProtection-installer.exe	133
PID 2952 wrote to memory of 2472	2952	RAVEndPointProtection-installer.exe	133
PID 2952 wrote to memory of 3968	2952	RAVEndPointProtection-installer.exe	136
PID 2952 wrote to memory of 3968	2952	RAVEndPointProtection-installer.exe	136
PID 3136 wrote to memory of 4828	3136	CheatEngine75.tmp	137
PID 3136 wrote to memory of 4828	3136	CheatEngine75.tmp	137
PID 3136 wrote to memory of 4828	3136	CheatEngine75.tmp	137
PID 4828 wrote to memory of 5084	4828	Cheat Engine.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\is-IE892.tmp\CheatEngine75.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IE892.tmp\CheatEngine75.tmp" /SL5="$D01D2,29019897,780800,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\prod0.exe
    "C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\prod0.exe" -ip:"dui=039411ef-276f-4c43-a7eb-647edca8ff3d&dit=20240213051323&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=039411ef-276f-4c43-a7eb-647edca8ff3d&dit=20240213051323&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=039411ef-276f-4c43-a7eb-647edca8ff3d&dit=20240213051323&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\qesj5xvq.exe
      "C:\Users\Admin\AppData\Local\Temp\qesj5xvq.exe" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\RAVEndPointProtection-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\qesj5xvq.exe" /silent
        5⤵
        Drops file in Drivers directory
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        6⤵
        Executes dropped EXE
        
        PID:3328
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        6⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        7⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        8⤵
        
        PID:4644
      - C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
      - C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        6⤵
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
      - C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
      - C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
      - C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i
        6⤵
        Executes dropped EXE
        
        PID:2472
      - C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\31bhjyvh.exe
      "C:\Users\Admin\AppData\Local\Temp\31bhjyvh.exe" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:228
    - - C:\Users\Admin\AppData\Local\Temp\nsl9F3B.tmp\RAVVPN-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsl9F3B.tmp\RAVVPN-installer.exe" "C:\Users\Admin\AppData\Local\Temp\31bhjyvh.exe" /silent
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
      - C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
        6⤵
        Executes dropped EXE
        
        PID:1436
      - C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\wwq5dmfk.exe
      "C:\Users\Admin\AppData\Local\Temp\wwq5dmfk.exe" /silent
      4⤵
      PID:1988
    - - C:\Users\Admin\AppData\Local\Temp\nsw530A.tmp\SaferWeb-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsw530A.tmp\SaferWeb-installer.exe" "C:\Users\Admin\AppData\Local\Temp\wwq5dmfk.exe" /silent
        5⤵
        
        PID:4300
- - C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\CheatEngine75.exe
    "C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\is-UDJRS.tmp\CheatEngine75.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UDJRS.tmp\CheatEngine75.tmp" /SL5="$600DC,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        6⤵
        
        PID:4540
    - - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3152
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        6⤵
        
        PID:3832
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        5⤵
        Launches sc.exe
        
        PID:4980
    - - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        5⤵
        Launches sc.exe
        
        PID:3320
    - - C:\Users\Admin\AppData\Local\Temp\is-FQN14.tmp\_isetup\_setup64.tmp
        
        helper 105 0x454
        5⤵
        Executes dropped EXE
        
        PID:2404
    - - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        5⤵
        Modifies file permissions
        
        PID:2816
    - - C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        5⤵
        Executes dropped EXE
        
        PID:2300
    - - C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        5⤵
        Executes dropped EXE
        
        PID:1756
    - - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        5⤵
        Modifies file permissions
        
        PID:1272
- - C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
    "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
      "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
      4⤵
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 980
    3⤵
    - Program crash
    PID:3540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 980
    3⤵
    - Program crash
    PID:1444

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:392

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2436

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  PID:3860
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    PID:3200
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2564 --field-trial-handle=2548,i,4513259857346885646,16397780082693382305,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:2940
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3012 --field-trial-handle=2548,i,4513259857346885646,16397780082693382305,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:5272
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2620 --field-trial-handle=2548,i,4513259857346885646,16397780082693382305,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      PID:5256
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3836 --field-trial-handle=2548,i,4513259857346885646,16397780082693382305,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3136 -ip 3136
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3136 -ip 3136
1⤵
PID:4436

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
- Executes dropped EXE
PID:4588

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3988
- \??\c:\program files\reasonlabs\VPN\ui\VPN.exe
  "c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
  2⤵
  - Executes dropped EXE
  PID:4020
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2624
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2208 --field-trial-handle=2212,i,8811555991877448002,3876186211600368797,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:1620
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=2292 --field-trial-handle=2212,i,8811555991877448002,3876186211600368797,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      PID:3540
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2784 --field-trial-handle=2212,i,8811555991877448002,3876186211600368797,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:2088
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3896 --field-trial-handle=2212,i,8811555991877448002,3876186211600368797,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:4876

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

Filesize
236KB

MD5
9af96706762298cf72df2a74213494c9

SHA1
4b5fd2f168380919524ecce77aa1be330fdef57a

SHA256
65fa2ccb3ac5400dd92dda5f640445a6e195da7c827107260f67624d3eb95e7d

SHA512
29a0619093c4c0ecf602c861ec819ef16550c0607df93067eaef4259a84fd7d40eb88cd5548c0b3b265f3ce5237b585f508fdd543fa281737be17c0551163bd4

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-i386.dll

Filesize
328KB

MD5
19d52868c3e0b609dbeb68ef81f381a9

SHA1
ce365bd4cf627a3849d7277bafbf2f5f56f496dc

SHA256
b96469b310ba59d1db320a337b3a8104db232a4344a47a8e5ae72f16cc7b1ff4

SHA512
5fbd53d761695de1dd6f0afd0964b33863764c89692345cab013c0b1b6332c24dcf766028f305cc87d864d17229d7a52bf19a299ca136a799053c368f21c8926

Download Submit
C:\Program Files\Cheat Engine 7.5\allochook-x86_64.dll

Filesize
468KB

MD5
daa81711ad1f1b1f8d96dc926d502484

SHA1
7130b241e23bede2b1f812d95fdb4ed5eecadbfd

SHA256
8422be70e0ec59c962b35acf8ad80671bcc8330c9256e6e1ec5c07691388cd66

SHA512
9eaa8e04ad7359a30d5e2f9256f94c1643d4c3f3c0dff24d6cd9e31a6f88cb3b470dd98f01f8b0f57bb947adc3d45c35749ed4877c7cbbbcc181145f0c361065

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\addtonewgroup.lua

Filesize
1KB

MD5
3e20f1013fb48a67fe59bede7b8e341b

SHA1
8c8a4cb49c3b29db2c47f84aafd0416101722bfe

SHA256
96e4429192f9ab26f8bf9f9429f36b388aa69c3624781c61ea6df7e1bca9b49b

SHA512
99cf3f88c8b06da0dbe8085dee796bec7a9533990a55fbce7524a4f941b5ecf0e8ec975a4b032eb2aaabd116c0804995a75036c98a5e4058f25d78d08a11f3f2

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\alternateSpeedhack.LUA

Filesize
7KB

MD5
459b793e0dc43a993f03d8b612f67cec

SHA1
f14ae9afbe97af534a11bf98ac1cc096269f1474

SHA256
e2cbb4c2f46305bb07d84222231012fd4c800fe8e1b43e0aa1af9b6c5d111f7f

SHA512
1740068e3419d153ecbd9d1a6aada20aabe71915e7422dce1a83e616e8d2a1084922a81741591a682531e1f8146e437d8688521c7707a4909e5721768a3f956e

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\autosave.lua

Filesize
9KB

MD5
40d6bfe593194cf938e19622a3c13a5e

SHA1
761257e8ef492431cf0e04dbca396fabb25fe1ae

SHA256
c4cef60489b067c8e7abcdd5594643a27d0720b21523753dd462d53024287116

SHA512
1d1aaa9de74b0bb08cc4ceced5dbfa4c589347eac098d7ae013d5a1beaae0eeaca4d314e2591560c6df14a93dd4e9316ca317d21efadcca57d11eee72f4c6e16

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\bigendian.lua

Filesize
7KB

MD5
e76fcd2ecd5b956d4579a676aa3eea01

SHA1
49ecba5ccc531a40ad7805a126d38b44b4a36576

SHA256
0339ba0043af5c058cf3a19de9f90312d18f6bb2728f454ef403b531bd57ae42

SHA512
8443c213d4a626a358631f76a0cc4c106543ce58c94d34a96b88574b3e32ae742f28878b259a17823ca07ec521b06e32e572e7bc77e10951bc0984b07c0571c6

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_account.lua

Filesize
6KB

MD5
0b5180bd64689788ebeaa8e705a264ac

SHA1
43a5cc401ee6c4ff4a94697112b1bc1d4345fc19

SHA256
8fd38a5e6c0408ca77e0e7a0ee179b4391758ec6da94ea289e3a2cbc1ab1ec59

SHA512
cc26e2e36b93bf89aa16c744b2db60d855de616db7a67f4fb24135545104459338c3edeab42bb316b1ecb0db9e31970b1415a1bf638ea3e53ae31471330aeadb

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_comments.lua

Filesize
3KB

MD5
0d4d1b597712015ef1b0ec8adc26495f

SHA1
3584779c06619f545b47a27703aa2f47455d50de

SHA256
89c8fccc16d2aa0a3004dc1b477a5c1dcbba539769b2a4558f7c7d9b9809b133

SHA512
ae26bbb2c3f74c143a01ec3b296a26699c679d51bc68c8c7b8c460616d1a0aa065500ebca83e972a720bd7a3c5a7b63a673eaecef1391a2e717208ef8da0796f

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_fulltablelist.lua

Filesize
12KB

MD5
665bb2e55e2a13157d1dbfef05d1b905

SHA1
408fea33f574bd0fa9e4cb71958363398e0699bc

SHA256
da6ecce3db7d305813ffe80ca994663d43f1068f0fb67399a4c66d1f28684bfa

SHA512
8fe95e22680e1e802d0ceeecbbd6b098526468b8cf4d838301d2833247d94e4f3b3a4b76a68f9faaa2177b42ff2ffea2df46ef56a4a0ce501d126135ce8ee985

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_permissions.lua

Filesize
3KB

MD5
65c8d4eddfe05267a72eae3ddb2cf02a

SHA1
eef2928d355c8b669f8854da37162ba1fe32740a

SHA256
15b0c7682e5e8d2e2c2b8cb00c0c03b7dfa9439ac80c37f8e96a4f86652246f9

SHA512
1c151d5a44482362430fbc6ed4550671ad96e768942e4ec2a4c487182bed9d0326a0d40a1ac43f2c8a3de1e18e33b055ce7126d80fee9b5b7091ed83a22a41ad

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_processlistextention.lua

Filesize
9KB

MD5
607a7c1ab93026d94916f21779d0d645

SHA1
3d5a64b256fc44086e6e190ea0bc45b5999e1979

SHA256
ea61eea6289c2feba7b7d0cc24db5277e383102f24784e6bf7254af41829599c

SHA512
d6749e2dbe46466a1cb1c464ce3f237836ef6b572ef897c7f5c9d12f80a6c0c7a5dfea54c3499a91e14b29c8bbf0809cce433c379f9e5dc0072e436f641c59ad

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_publish.lua

Filesize
20KB

MD5
87cd08b16891e0dbe3d47bb71ca91691

SHA1
55d98338b4aa0df3566cd2e721b3d3f86a3836aa

SHA256
6bfd35aa64ab566ddb68d0675ad3b4a093649010a9c30df3a30a7f9dc2ed7702

SHA512
847becf1d3066a3e185001035b68496b91876bdeb323734782c41fc9b2bdf665bf33c728cebbe78e820654d87b1969c09b5d1faed7498538cb5f761984108614

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_querycheats.lua

Filesize
24KB

MD5
623b89f1e13c54a1f560b254317948b5

SHA1
b90e2de7a5cff0b14738f2fb4f6a3a4e1ee1a17c

SHA256
0c6e90c2525f1560acea3f4bdae056d11df1c2f675c2335594dc80bb910a1b17

SHA512
f80cd50f860a5f8d5c6d6ab7ba8691b443da91573f3f0fc8d5b82b79556c5ac02accc610870ea61a886ecb8a4491457965d082f8f41df781ded1db84f7157a3f

Download Submit
C:\Program Files\Cheat Engine 7.5\autorun\ceshare\ceshare_requests.lua

Filesize
5KB

MD5
6cf99831e2aaafb97e975eae06a705ff

SHA1
b6e71f7d3c779575598b65a6e4fb341344a3ddd2

SHA256
e9d57acb17502ac169deb37f211e472f68cd6e8a69e071d384b989fa45e9fa7f

SHA512
f6467c4c9dcab563dbb5a337c76616208d1a1058d704b222e616e5a0809a156b1a29198919f4bf0d40c55a6e972439722c02aac8a156c53572b6d7ef80986405

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png

Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook.dll

Filesize
128KB

MD5
43dac1f3ca6b48263029b348111e3255

SHA1
9e399fddc2a256292a07b5c3a16b1c8bdd8da5c1

SHA256
148f12445f11a50efbd23509139bf06a47d453e8514733b5a15868d10cc6e066

SHA512
6e77a429923b503fc08895995eb8817e36145169c2937dacc2da92b846f45101846e98191aeb4f0f2f13fff05d0836aa658f505a04208188278718166c5e3032

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d10hook64.dll

Filesize
140KB

MD5
0daf9f07847cceb0f0760bf5d770b8c1

SHA1
992cc461f67acea58a866a78b6eefb0cbcc3aaa1

SHA256
a2ac2ba27b0ed9acc3f0ea1bef9909a59169bc2eb16c979ef8e736a784bf2fa4

SHA512
b4dda28721de88a372af39d4dfba6e612ce06cc443d6a6d636334865a9f8ca555591fb36d9829b54bc0fb27f486d4f216d50f68e1c2df067439fe8ebbf203b6a

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook.dll

Filesize
137KB

MD5
42e2bf4210f8126e3d655218bd2af2e4

SHA1
78efcb9138eb0c800451cf2bcc10e92a3adf5b72

SHA256
1e30126badfffb231a605c6764dd98895208779ef440ea20015ab560263dd288

SHA512
c985988d0832ce26337f774b160ac369f2957c306a1d82fbbffe87d9062ae5f3af3c1209768cd574182669cd4495dba26b6f1388814c0724a7812218b0b8dc74

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d11hook64.dll

Filesize
146KB

MD5
0eaac872aadc457c87ee995bbf45a9c1

SHA1
5e9e9b98f40424ad5397fc73c13b882d75499d27

SHA256
6f505cc5973687bbda1c2d9ac8a635d333f57c12067c54da7453d9448ab40b8f

SHA512
164d1e6ef537d44ac4c0fd90d3c708843a74ac2e08fa2b3f0fdd4a180401210847e0f7bb8ec3056f5dc1d5a54d3239c59fb37914ce7742a4c0eb81578657d24b

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook.dll

Filesize
124KB

MD5
5f1a333671bf167730ed5f70c2c18008

SHA1
c8233bbc6178ba646252c6566789b82a3296cab5

SHA256
fd2a2b4fe4504c56347c35f24d566cc0510e81706175395d0a2ba26a013c4daf

SHA512
6986d93e680b3776eb5700143fc35d60ca9dbbdf83498f8731c673f9fd77c8699a24a4849db2a273aa991b8289e4d6c3142bbde77e11f2faf603df43e8fea105

Download Submit
C:\Program Files\Cheat Engine 7.5\ced3d9hook64.dll

Filesize
136KB

MD5
61ba5199c4e601fa6340e46bef0dff2d

SHA1
7c1a51d6d75b001ba1acde2acb0919b939b392c3

SHA256
8783f06f7b123e16042bb0af91ff196b698d3cd2aa930e3ea97cfc553d9fc0f4

SHA512
8ce180a622a5788bb66c5f3a4abfde62c858e86962f29091e9c157753088ddc826c67c51ff26567bfe2b75737897f14e6bb17ec89f52b525f6577097f1647d31

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook.dll

Filesize
119KB

MD5
2a2ebe526ace7eea5d58e416783d9087

SHA1
5dabe0f7586f351addc8afc5585ee9f70c99e6c4

SHA256
e2a7df4c380667431f4443d5e5fc43964b76c8fcb9cf4c7db921c4140b225b42

SHA512
94ed0038068abddd108f880df23422e21f9808ce04a0d14299aacc5d573521f52626c0c2752b314cda976f64de52c4d5bcac0158b37d43afb9bc345f31fdbbc0

Download Submit
C:\Program Files\Cheat Engine 7.5\d3dhook64.dll

Filesize
131KB

MD5
2af7afe35ab4825e58f43434f5ae9a0f

SHA1
b67c51cad09b236ae859a77d0807669283d6342f

SHA256
7d82694094c1bbc586e554fa87a4b1ed6ebc9eb14902fd429824dcd501339722

SHA512
23b7c6db0cb9c918ad9f28fa0e4e683c7e2495e89a136b75b7e1be6380591da61b6fb4f7248191f28fd3d80c4a391744a96434b4ab96b9531b5ebb0ec970b9d0

Download Submit
C:\Program Files\Cheat Engine 7.5\is-TRCPI.tmp

Filesize
2.1MB

MD5
4f50bcbc0244c2f0ce616c9f66d549a4

SHA1
03f4c17d275321e10058b3a62d6a8eb2c7cc5ac7

SHA256
973e5496c5fd2de6980a71a2c7680ed72bdd6bb2e044c03eeeb1d6fdf313feac

SHA512
5bbaf98665d816f76e11b1ac2b9b464d05dcd5d59707f6ebc4a262b16b9aed6069092656797ecb3048b979929e42bde1745bd6d07ff1d40701b6de6ca1a3e20d

Download Submit
C:\Program Files\Cheat Engine 7.5\languages\language.ini

Filesize
283B

MD5
af5ed8f4fe5370516403ae39200f5a4f

SHA1
9299e9998a0605182683a58a5a6ab01a9b9bc037

SHA256
4aa4f0b75548d45c81d8e876e2db1c74bddfd64091f102706d729b50a7af53a5

SHA512
f070049a2fae3223861424e7fe79cbae6601c9bee6a56fadde4485ad3c597dc1f3687e720177ab28564a1faab52b6679e9315f74327d02aa1fb31e7b8233a80f

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-32.dll

Filesize
157KB

MD5
df443813546abcef7f33dd9fc0c6070a

SHA1
635d2d453d48382824e44dd1e59d5c54d735ee2c

SHA256
d14911c838620251f7f64c190b04bb8f4e762318cc763d993c9179376228d8ca

SHA512
9f9bea9112d9db9bcecfc8e4800b7e8032efb240cbbddaf26c133b4ce12d27b47dc4e90bc339c561714bc972f6e809b2ec9c9e1facc6c223fbac66b089a14c25

Download Submit
C:\Program Files\Cheat Engine 7.5\libipt-64.dll

Filesize
182KB

MD5
4a3b7c52ef32d936e3167efc1e920ae6

SHA1
d5d8daa7a272547419132ddb6e666f7559dbac04

SHA256
26ede848dba071eb76c0c0ef8e9d8ad1c53dfab47ca9137abc9d683032f06ebb

SHA512
36d7f8a0a749de049a830cc8c8f0d3962d8dce57b445f5f3c771a86dd11aaa10da5f36f95e55d3dc90900e4dbddd0dcc21052c53aa11f939db691362c42e5312

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-i386.dll

Filesize
197KB

MD5
9f50134c8be9af59f371f607a6daa0b6

SHA1
6584b98172cbc4916a7e5ca8d5788493f85f24a7

SHA256
dd07117ed80546f23d37f8023e992de560a1f55a76d1eb6dfd9d55baa5e3dad6

SHA512
5ccafa2b0e2d20034168ee9a79e8efff64f12f5247f6772815ef4cb9ee56f245a06b088247222c5a3789ae2dcefadbc2c15df4ff5196028857f92b9992b094e0

Download Submit
C:\Program Files\Cheat Engine 7.5\luaclient-x86_64.dll

Filesize
260KB

MD5
dd71848b5bbd150e22e84238cf985af0

SHA1
35c7aa128d47710cfdb15bb6809a20dbd0f916d8

SHA256
253d18d0d835f482e6abbaf716855580eb8fe789292c937301e4d60ead29531d

SHA512
0cbf35c9d7b09fb57d8a9079eab726a3891393f12aee8b43e01d1d979509e755b74c0fb677f8f2dfab6b2e34a141f65d0cfbfe57bda0bf7482841ad31ace7790

Download Submit
C:\Program Files\Cheat Engine 7.5\overlay.fx

Filesize
2KB

MD5
650c02fc9f949d14d62e32dd7a894f5e

SHA1
fa5399b01aadd9f1a4a5632f8632711c186ec0de

SHA256
c4d23db8effb359b4aa4d1e1e480486fe3a4586ce8243397a94250627ba4f8cc

SHA512
f2caaf604c271283fc7af3aa9674b9d647c4ac53dffca031dbf1220d3ed2e867943f5409a95f41c61d716879bed7c888735f43a068f1cc1452b4196d611cb76d

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll

Filesize
200KB

MD5
6e00495955d4efaac2e1602eb47033ee

SHA1
95c2998d35adcf2814ec7c056bfbe0a0eb6a100c

SHA256
5e24a5fe17ec001cab7118328a4bff0f2577bd057206c6c886c3b7fb98e0d6d9

SHA512
2004d1def322b6dd7b129fe4fa7bbe5d42ab280b2e9e81de806f54313a7ed7231f71b62b6138ac767288fee796092f3397e5390e858e06e55a69b0d00f18b866

Download Submit
C:\Program Files\Cheat Engine 7.5\speedhack-x86_64.dll

Filesize
256KB

MD5
19b2050b660a4f9fcb71c93853f2e79c

SHA1
5ffa886fa019fcd20008e8820a0939c09a62407a

SHA256
5421b570fbc1165d7794c08279e311672dc4f42cb7ae1cbddcd7eea0b1136fff

SHA512
a93e47387ab0d327b71c3045b3964c7586d0e03dddb2e692f6671fb99659e829591d5f23ce7a95683d82d239ba7d11fb5a123834629a53de5ce5dba6aa714a9a

Download Submit
C:\Program Files\Cheat Engine 7.5\unins000.exe

Filesize
2.0MB

MD5
d6d46aff94933a61629a6d653efc8168

SHA1
a6ec75cc53697b113dc1501f2c5ee33950833fb6

SHA256
c512216c13b8bdacdc42d9cda39c53f54f03333f72505debd038237f3e73c322

SHA512
f98b7579dd3187161ea27cd7bca2e40f5699cdb426fb413d96fb8b3b029f134c744c3565087c0860712cb225ae2f61c18442c9d78d2701c2caeaa7ac1dc7ecc7

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-i386.dll

Filesize
324KB

MD5
e9b5905d495a88adbc12c811785e72ec

SHA1
ca0546646986aab770c7cf2e723c736777802880

SHA256
3eb9cd27035d4193e32e271778643f3acb2ba73341d87fd8bb18d99af3dffdea

SHA512
4124180b118149c25f8ea8dbbb2912b4bd56b43f695bf0ff9c6ccc95ade388f1be7d440a791d49e4d5c9c350ea113cf65f839a3c47d705533716acc53dd038f8

Download Submit
C:\Program Files\Cheat Engine 7.5\vehdebug-x86_64.dll

Filesize
413KB

MD5
8d487547f1664995e8c47ec2ca6d71fe

SHA1
d29255653ae831f298a54c6fa142fb64e984e802

SHA256
f50baf9dc3cd6b925758077ec85708db2712999b9027cc632f57d1e6c588df21

SHA512
79c230cfe8907df9da92607a2c1ace0523a36c3a13296cb0265329208edc453e293d7fbedbd5410decf81d20a7fe361fdebddadbc1dc63c96130b0bedf5b1d8a

Download Submit
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

Filesize
262KB

MD5
9a4d1b5154194ea0c42efebeb73f318f

SHA1
220f8af8b91d3c7b64140cbb5d9337d7ed277edb

SHA256
2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363

SHA512
6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-i386.dll

Filesize
201KB

MD5
de625af5cf4822db08035cc897f0b9f2

SHA1
4440b060c1fa070eb5d61ea9aadda11e4120d325

SHA256
3cdb85ee83ef12802efdfc9314e863d4696be70530b31e7958c185fc4d6a9b38

SHA512
19b22f43441e8bc72507be850a8154321c20b7351669d15af726145c0d34805c7df58f9dc64a29272a4811268308e503e9840f06e51ccdcb33afd61258339099

Download Submit
C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll

Filesize
264KB

MD5
f9c562b838a3c0620fb6ee46b20b554c

SHA1
5095f54be57622730698b5c92c61b124dfb3b944

SHA256
e08b035d0a894d8bea64e67b1ed0bce27567d417eaaa133e8b231f8a939e581d

SHA512
a20bc9a442c698c264fef82aa743d9f3873227d7d55cb908e282fa1f5dcff6b40c5b9ca7802576ef2f5a753fd1c534e9be69464b29af8efec8b019814b875296

Download Submit
C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

Filesize
640KB

MD5
e74ca11d393d0e1ccb587003078cb217

SHA1
78e658e086a56581786415571fdbb0e3696265f5

SHA256
5d857f19b539863e5f1a50186daea7804746d3387934fb200f071f7d92fac092

SHA512
bf629f4f5dd46386b1fe654b70fcbc3d378a50a1f6fc85534a3c1ec0cbdad84de88428fde5aacbcb29e754d249e24f951d751bf1ded24224f4e33327fe830518

Download Submit
C:\Program Files\ReasonLabs\DNS\Uninstall.exe

Filesize
1.4MB

MD5
9fc21583e31dc32777c7b6a204bd6bd3

SHA1
80092d72425bc19dd99208ec8449c445adaa046e

SHA256
d437513d29b58d91cd5a09e65f73073545ba5f310081e9cabf089e82d17bdbbc

SHA512
8a3483d473ae81c9b31f43ed03cd5be7172f66e45cea6ad433def8e13f7bc19f70c322e17f45ce3ca3b45c4629cafd3dc099333924abfd59137df46421063885

Download Submit
C:\Program Files\ReasonLabs\DNS\uninstall.ico

Filesize
109KB

MD5
beae67e827c1c0edaa3c93af485bfcc5

SHA1
ccbbfabb2018cd3fa43ad03927bfb96c47536df1

SHA256
d47b3ddddc6aadd7d31c63f41c7a91c91e66cbeae4c02dac60a8e991112d70c5

SHA512
29b8d46c6f0c8ddb20cb90e0d7bd2f1a9d9970db9d9594f32b9997de708b0b1ae749ce043e73c77315e8801fd9ea239596e6b891ef4555535bac3fe00df04b92

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
309KB

MD5
e360f2973b6a8f3534c0016c9a0c36f0

SHA1
49313dace41a4eac029b2b10998fb7f67779181a

SHA256
67c69319090536acac57351f1db266783847f2653486fb79d221f049dcd1e9fa

SHA512
d0be3a3bea3cd9a4140f542ebc887ae75f588fdbcf46a47eced6b0cbaf820be36b245c49832dae952d06b6c80026f66ec516821e0c76e4bca325e9b53b203312

Download Submit
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
d1aa02859d45aeb5f4ed3312fd283cd3

SHA1
36814746c776ac8feb36b30ae0428034431500d3

SHA256
0db1398d6a90977edff86e0ce3ccd974cfb58b647fff676a24b469dfa29195ce

SHA512
d5e45a316a33a0f84605af40d00c211f69bf224e292fb380164e1c98555441a4d18fe749d8f6e0c46ca0222c29e3ff673695bc9bd15292e06aabfc19a81d6418

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
326KB

MD5
729c2a5b690b373491094d286baac791

SHA1
7420988e65ce2fd3a8e4484af7ad3d7d02dd5294

SHA256
9fe417e153432015008b4b677f20a588d142be71dfe1572c101ccf74be1d3412

SHA512
1a4e4be052a16d6165e885aaf592da3c79c5b67d34440338bb60b56e60e8eb01e4a2ca25c28745cbc0b166bd14201dd36b1e11c38ce73ef0868d7a20139db80f

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
5KB

MD5
d3144b8102bf63cd3d5e4a50e1f8d17c

SHA1
ecbc7cf123ac1519cc64524c7ed748e1cc3bcab9

SHA256
090421d82b7dc75f39cd8cd009908e13dda469f20c33c19b403ab2ccfe39effa

SHA512
f0eb01558481d58b2cb07921c2033e40198b499b412d6238a222b648e367b85e832d1ff9247f661b32703a3b5b6b3198ee53d83f384d37ac319d9bf187c666be

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
257B

MD5
2afb72ff4eb694325bc55e2b0b2d5592

SHA1
ba1d4f70eaa44ce0e1856b9b43487279286f76c9

SHA256
41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

SHA512
5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
370B

MD5
b2ec2559e28da042f6baa8d4c4822ad5

SHA1
3bda8d045c2f8a6daeb7b59bf52295d5107bf819

SHA256
115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3

SHA512
11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
a5503a406dba69cb7552bb8be4c8b345

SHA1
0e7c44b536705f036be4585653a148bdb3b3eece

SHA256
03f428eaf3464bbd991be4bae4f22ac6c396ff6e92e78c574a1f8b0daddc2f7e

SHA512
45e1318ceeae561ba0fff402b1822ed2e1af2177f6afeddd8073c2e5721846195efa5ddb610f51dc5e8823073720a3003b75ad770759764af9ab1127ed3cca7f

Download Submit
C:\Program Files\ReasonLabs\VPN\InstallerLib.dll

Filesize
279KB

MD5
babb847fc7125748264243a0a5dd9158

SHA1
78430deab4dfd87b398d549baf8e94e8e0dd734e

SHA256
bd331dd781d8aed921b0be562ddec309400f0f4731d0fd0b0e8c33b0584650cd

SHA512
2a452da179298555c6f661cb0446a3ec2357a99281acae6f1dbe0cc883da0c2f4b1157affb31c12ec4f6f476075f3cac975ec6e3a29af46d2e9f4afbd09c8755

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.Core.dll

Filesize
325KB

MD5
96cbdd0c761ad32e9d5822743665fe27

SHA1
c0a914d4aa6729fb8206220f84695d2f8f3a82ce

SHA256
cc3f60b37fec578938ee12f11a6357c45e5a97bd3bccdeb8e5efb90b1649a50b

SHA512
4dde7e5fb64ee253e07a40aaf8cbc4ddaaeeeafc6aeb33e96bc76c8110f26e2c3809a47266cb7503cbc981c6cb895f3eaae8743d07d6434997684e8d6a3d8eb0

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.config

Filesize
4KB

MD5
04be4fc4d204aaad225849c5ab422a95

SHA1
37ad9bf6c1fb129e6a5e44ddbf12c277d5021c91

SHA256
6f8a17b8c96e6c748ebea988c26f6bcaad138d1fe99b9f828cd9ff13ae6a1446

SHA512
4e3455a4693646cdab43aef34e67dd785fa90048390003fa798a5bfcde118abda09d8688214cb973d7bbdd7c6aefc87201dceda989010b28c5fffc5da00dfc26

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
248B

MD5
5f2d345efb0c3d39c0fde00cf8c78b55

SHA1
12acf8cc19178ce63ac8628d07c4ff4046b2264c

SHA256
bf5f767443e238cf7c314eae04b4466fb7e19601780791dd649b960765432e97

SHA512
d44b5f9859f4f34123f376254c7ad3ba8e0716973d340d0826520b6f5d391e0b4d2773cc165ef82c385c3922d8e56d2599a75e5dc2b92c10dad9d970dce2a18b

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
633B

MD5
db3e60d6fe6416cd77607c8b156de86d

SHA1
47a2051fda09c6df7c393d1a13ee4804c7cf2477

SHA256
d6cafeaaf75a3d2742cd28f8fc7045f2a703823cdc7acb116fa6df68361efccd

SHA512
aec90d563d8f54ac1dbb9e629a63d65f9df91eadc741e78ba22591ca3f47b7a5ff5a105af584d3a644280ff95074a066781e6a86e3eb7b7507a5532801eb52ee

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\VPN\ui\VPN.exe

Filesize
430KB

MD5
4d7d8dc78eed50395016b872bb421fc4

SHA1
e546044133dfdc426fd4901e80cf0dea1d1d7ab7

SHA256
b20d4193fdf0fe9df463c9573791b9b8a79056812bb1bba2db1cf00dd2df4719

SHA512
6c0991c3902645a513bdee7288ad30c34e33fca69e2f2f45c07711f7b2fdc341336d6f07652e0d9e40fbac39c35940eda0715e19ef9dfa552a46e09e23f56fdf

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

Filesize
4.2MB

MD5
dbbbf82de7297f3ebd36f731e1d72cc8

SHA1
85c56f93d5afc91484ac04ab804ffaf05054fee2

SHA256
8e7d5e49ee93c50ff8baa5546b0a206e36d3d7b914bb7a3cc4d53d5bf3921869

SHA512
a5a775a7ced52d6d9187f8f2378102bb4ca2e63da5e2d195d9adfcd24933cfc49b37f9ffbebfd36d3fdbde56476141abd13745feb97da6c490e289f652b11859

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

Filesize
2.9MB

MD5
10a8f2f82452e5aaf2484d7230ec5758

SHA1
1bf814ddace7c3915547c2085f14e361bbd91959

SHA256
97bffb5fc024494f5b4ad1e50fdb8fad37559c05e5d177107895de0a1741b50b

SHA512
6df8953699e8f5ccff900074fd302d5eb7cad9a55d257ac1ef2cb3b60ba1c54afe74aee62dc4b06b3f6edf14617c2d236749357c5e80c5a13d4f9afcb4efa097

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

Filesize
550KB

MD5
afb68bc4ae0b7040878a0b0c2a5177de

SHA1
ed4cac2f19b504a8fe27ad05805dd03aa552654e

SHA256
76e6f11076cc48eb453abbdbd616c1c46f280d2b4c521c906adf12bb3129067b

SHA512
ebc4c1f2da977d359791859495f9e37b05491e47d39e88a001cb6f2b7b1836b1470b6904c026142c2b1b4fe835560017641d6810a7e8a5c89766e55dd26e8c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\31bhjyvh.exe

Filesize
1.2MB

MD5
bdd2e6d9bc9ae3ed3b44b52245304294

SHA1
bb965cac1b54740ec31a0783f1eb242de87d3dc5

SHA256
890f5d5d954f623116e174b92df982152c78ab6c19f65a67f870f31944b969e0

SHA512
fe9db866ca34a9be1f2c1cdf56f23385accbd851b966557c3f14dbbdacddabd927587cb9aa5c07f95a666d829ce299d870a813670d3190f3b4b2809b1dfdfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7394e4e-fcdd-469c-af91-2cd2924b57c8.tmp.ico

Filesize
64KB

MD5
7c0f609de7f35f8481bafa2bb723250b

SHA1
78800f5213c88e166d694fb824ba85d61fb724c6

SHA256
2a06c80d0559804c1359c490dfca638dda2b4cc6d7b98a3833ce3e6e7b8d4887

SHA512
f13e202056cb4e95f5d7b8810d8e59f90f27b787fdc648ce6e9485bd50dd9bdfe55c053792d93730691469b9637634cf0e270c3ea007708edb2cce666117d9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FQN14.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IE892.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
d9bfd411b133d66741d4bb40609b6ed0

SHA1
c5b89ffeabf964658efa335826735f48148561e3

SHA256
13ba38cabdcaa761b7449d86443d3cd60f755a00c4cd13d945c88b6c2914100c

SHA512
3f4bf6c41585a95c206d8318f5014a9335e1f8fffb021399c303586c787d1c08439578eebc10b6014a8c186cb7fee89594a04a19a3ca650f164012b8928a779e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\CheatEngine75.exe

Filesize
9.2MB

MD5
e9a8201663e0f2a567309a061bf2fea8

SHA1
25d4f01d9d4308c572c589faed436b2dbc070b8e

SHA256
5ab9b5d4b74ffc60405a69868cead9b7cdc5e280d8fd4d1dc4be4387b991d05e

SHA512
7e3dad126bc3e038bb063a54c1e9e3a507956ef1de274bb005cc21f7e7e72be611d76ad8bed3023c24095de866189c2f4fe11b07ada8d1f4ec980de7f66899a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\CheatEngine75.exe

Filesize
1.8MB

MD5
250a78f181339fcc26d9276850fb9340

SHA1
5fc68c5a0d1afebaeb05e01ca61904a91f372fba

SHA256
d18c42ee541dafb5fb1395fb753e0eb3c4eb238f652ff399388c831aaa4e9ef4

SHA512
aa5ae58216f96e5fdec96c283100f0af5d1b8d3f898a958b35ff5e812421f95d12a2f65a75763a8d8b9ef9fd19de5f0d9aee6dde3526e396c72e2c6503e13a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\logo.png

Filesize
246KB

MD5
1df360d73bf8108041d31d9875888436

SHA1
c866e8855d62f56a411641ece0552e54cbd0f2fb

SHA256
c1b1d7b4806955fe39a8bc6ce5574ab6ac5b93ad640cecfebe0961360c496d43

SHA512
3991b89927d89effca30cc584d5907998c217cf00ca441f2525ef8627ffff2032d104536f8b6ab79b83f4e32a7aab993f45d3930d5943cbfb5e449c5832abe14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\prod0.exe

Filesize
44KB

MD5
bdbb2f44f02ee6a5b58df8973a410acb

SHA1
b868dfb98ecc948f1a4eb8b96dd2871235d6cdba

SHA256
d7861cfc523f6dfc734d6ea04d58d6cc509990485da3e9f4e1583e16aad3cd06

SHA512
96e6b7ea7f50aa25f1ff7d3668772f7bbf55cd18a1ff352796dba3196bac2dd3d9c61bdcce6daa3ca7022212e17a3feee1c7d5292e87b62df3e0052c535b8c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OSK6T.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UDJRS.tmp\CheatEngine75.tmp

Filesize
2.3MB

MD5
4330a002107be25e5e8b54a6ebe2fb05

SHA1
d48b94b66db332fb300b4e4c3d6f3c510813854b

SHA256
4fe8d3f7196d72f6700716403d6feb203fed2f5e549a528839717ce5bc012406

SHA512
a037a2e4fbb1132333d1106106acca9b5feec62ab72b1de5f5545235aabdb0023f9f12434732b5abbfa072c6861e50b38882164d8193b3193c6a8396c035c8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UDJRS.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9F3B.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\9088b013\f9ade190_3b5eda01\rsLogger.DLL

Filesize
179KB

MD5
148dc2ce0edbf59f10ca54ef105354c3

SHA1
153457a9247c98a50d08ca89fad177090249d358

SHA256
efe944c3ae3ad02011e6341aa9c2aab25fb8a17755ea2596058d70f8018122a4

SHA512
10630bd996e9526147b0e01b16279e96a6f1080a95317629ecb61b83f9ebee192c08201873ff5df2de82d977558b2eeb0e4808667083cd0f3bf9f195db4890d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9F3B.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\a2a68f83\8de8dc90_3b5eda01\rsAtom.DLL

Filesize
157KB

MD5
3ae6f007b30db9507cc775122f9fc1d7

SHA1
ada34eebb84a83964e2d484e8b447dca8214e8b7

SHA256
892a7ee985715c474a878f0f27f6832b9782d343533e68ae405cd3f20d303507

SHA512
5dd37e9f2ac9b2e03e0d3fd6861c5a7dcb71af232672083ac869fc7fae34ac1e1344bdfabe21c98b252edd8df641f041c95ea669dc4ebb495bf269d161b63e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9F3B.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\ae036e05\f9ade190_3b5eda01\rsJSON.DLL

Filesize
216KB

MD5
8528610b4650860d253ad1d5854597cb

SHA1
def3dc107616a2fe332cbd2bf5c8ce713e0e76a1

SHA256
727557ec407cadd21aa26353d04e6831a98d1fa52b8d37d48e422d3206f9a9c4

SHA512
dd4ff4b6d8bc37771416ceb8bd2f30d8d3d3f16ef85562e8485a847a356f3644d995942e9b1d3f9854c5b56993d9488e38f5175f3f430e032e4091d97d4d1f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9F3B.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\cda25fec\f9ade190_3b5eda01\rsServiceController.DLL

Filesize
173KB

MD5
8e10c436653b3354707e3e1d8f1d3ca0

SHA1
25027e364ff242cf39de1d93fad86967b9fe55d8

SHA256
2e55bb3a9cdef38134455aaa1ef71e69e1355197e2003432e4a86c0331b34e53

SHA512
9bd2a1ae49b2b3c0f47cfefd65499133072d50628fec7da4e86358c34cf45d1fdb436388b2dd2af0094a9b6f7a071fb8453cf291cf64733953412fdf2457d98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EB.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\Microsoft.Win32.TaskScheduler.dll

Filesize
341KB

MD5
a09decc59b2c2f715563bb035ee4241e

SHA1
c84f5e2e0f71feef437cf173afeb13fe525a0fea

SHA256
6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149

SHA512
1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\RAVEndPointProtection-installer.exe

Filesize
539KB

MD5
41a3c2a1777527a41ddd747072ee3efd

SHA1
44b70207d0883ec1848c3c65c57d8c14fd70e2c3

SHA256
8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365

SHA512
14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\rsAtom.dll

Filesize
156KB

MD5
9deba7281d8eceefd760874434bd4e91

SHA1
553e6c86efdda04beacee98bcee48a0b0dba6e75

SHA256
02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

SHA512
7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\rsJSON.dll

Filesize
218KB

MD5
f8978087767d0006680c2ec43bda6f34

SHA1
755f1357795cb833f0f271c7c87109e719aa4f32

SHA256
221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

SHA512
54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\rsLogger.dll

Filesize
177KB

MD5
83ad54079827e94479963ba4465a85d7

SHA1
d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

SHA256
ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

SHA512
c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\rsStubLib.dll

Filesize
248KB

MD5
a16602aad0a611d228af718448ed7cbd

SHA1
ddd9b80306860ae0b126d3e834828091c3720ac5

SHA256
a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

SHA512
305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\rsSyncSvc.exe

Filesize
797KB

MD5
ded746a9d2d7b7afcb3abe1a24dd3163

SHA1
a074c9e981491ff566cd45b912e743bd1266c4ae

SHA256
c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3

SHA512
2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\0b345d16\992dc77e_3b5eda01\rsAtom.DLL

Filesize
158KB

MD5
90f62cddf97c26d40157e7a25ff9b052

SHA1
9da07cab966f1e1270afa2b70964134e9249de2b

SHA256
160512ccfedd208357766c22b63a3d16bca35ec3c1215aa2fb47a627f090a09e

SHA512
55f8a63685cb047f0fe7c2d95ce5473440dbd46ff537159983dbde71a4d96b00deb6b23b6a7133ada4e81050e716a0c8a1bacb53421a88806513072731923bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\270d22a2\0f53ce7e_3b5eda01\rsLogger.DLL

Filesize
180KB

MD5
4a0357118ffba681a355425ad338cf50

SHA1
025a4d3d1960a1a11950a295801ea693353fa045

SHA256
ccbd3cee59343d2db2636388443fd194318d16ef6862d721fedb3a368b61048d

SHA512
62e2d97a0ac0200e8e9ea53fb6db612705fc6ca3ae7c1b9ecb3499f2bbc3804ff39a17e0e714ff9ce16b3e1ed21e34e54c862a3234408688bb405375739617c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\5de770ee\0f53ce7e_3b5eda01\rsServiceController.DLL

Filesize
174KB

MD5
70896f84726df550ea1ed6851ba2e810

SHA1
b61fe47c2636535841ec1ab3553361bba44ed0dc

SHA256
aa2f02fcd99afdea79463bd693cdacc000c6e0d8d1a03ab5a9adf8f6fd81e806

SHA512
8526737969a5fb940e4268e3cd7d70ad941af9733e47c7415078c19f9b800d3c4711c49c97fa30fe3c33ecd9c60e7f726bf788fd21c72d9bb4060071276b6d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\f1205de1\0f53ce7e_3b5eda01\rsJSON.DLL

Filesize
219KB

MD5
63671688346704146c5b6766d9749c2e

SHA1
b3afbccd8395ec61d8655e6d28914a989945d4f9

SHA256
8a3c5baa82d8b983781ba74efc4c2614655c6a954fd2f3ee491047f992ee616e

SHA512
cb4ab2ee0325fec1f283d28424dc069dae027143ea292d8c463262a052832aa177e9dad7f310294a4aed784f9a1085fd1cc9cd63c3394b317f9d9148081dff97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE0EC.tmp\uninstall.ico

Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw530A.tmp\System.Data.SQLite.dll

Filesize
362KB

MD5
42e6e9081edd7a49c4103292725b68e2

SHA1
62f73c44ee1aba1f7684b684108fe3b0332e6e66

SHA256
788450452b0459c83e13da4dd32f6217bfb53a83bd5f04b539000b61d24fd049

SHA512
99eab89bf6297fda549c0b882c097cd4b59fd0595ff2d0c40d1767f66fa45172ca5b9693dbf650d7103353f1e1fb8e5259bbcde3dfa286dee098533a4a776e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw530A.tmp\System.ValueTuple.dll

Filesize
73KB

MD5
29e6ae1a1af7fc943752a097ec59c59c

SHA1
6d5c910c0b9a3e0876e2e2bbbce9b663f9edc436

SHA256
cc9bf1feeab1d76221508d6cc98e8bdc1603d5c600c5ed09c108e31b8bd3a6a2

SHA512
cc6d55e5fd23c89d73ecbddfa92c102f47f8fb93f2f6a41d2e79708e6a8d7c13c1961dcd07810db3135d2f8ddcbf3535fb3ea3d1fc31c617ca9b10f6b867f9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw530A.tmp\rsDatabase.dll

Filesize
166KB

MD5
d9cd9c6486fa53d41949420d429c59f4

SHA1
784ac204d01b442eae48d732e2f8c901346bc310

SHA256
c82540979384cdcadf878a2bd5cbe70b79c279182e2896dbdf6999ba88a342c1

SHA512
b37e365b233727b8eb11eb0520091d2ecd631d43a5969eaeb9120ebd9bef68c224e1891dd3bac5ec51feb2aee6bec4b0736f90571b33f4af59e73ddee7d1e2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw530A.tmp\rsTime.dll

Filesize
129KB

MD5
f1e592a7636df187e89b2139922c609e

SHA1
301a6e257fefaa69e41c590785222f74fdb344f8

SHA256
13ca35c619e64a912b972eb89433087cb5b44e947b22a392972d99084f214041

SHA512
e5d79a08ea2df8d7df0ad94362fda692a9b91f6eda1e769bc20088ef3c0799aeabf7eb8bd64b4813716962175e6e178b803124dc11cc7c451b6da7f406f38815

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw530A.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\1073c889\975001b0_3b5eda01\rsJSON.DLL

Filesize
216KB

MD5
4fbf28ab8a37a488d9977b9953fdacf5

SHA1
f956b23e0072d6c0f4ddcca06248164baa8bf0aa

SHA256
0c4c1bd5ae6f069c310a8a573171759efff27ddd986f2fd9abcdec92465b1049

SHA512
de7fe21df1d6062b04a670c533ae7f85080806fe450b80dc1ab7de23ee2a7d379ebc81c0157bd3ae5c888a1429efab5166528a175e3edd355c4eaac63e8a31d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qesj5xvq.exe

Filesize
1.9MB

MD5
13325bfb229242386ad6c4cd2312a3e5

SHA1
f5a0f35fd245efdf4714d7508132524650662b4f

SHA256
fce2b18d2632e1db0e8f382a775aa7705e1ad5dd16c5eed9276e1bbd87ec7a64

SHA512
c039272b84b9ca72d8bb4b163acf0b27ced5a9a70698daf1b9dc137f033b8f08e86ac6590559ee3a8d8847b51a764a11a19a80893a6fe27046c5e904eaf87ca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\ed14f240-bfd7-41bd-9e9b-ab4b46fc081e.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.24.2\383f9612-4996-4639-ad48-178e38f51e9e.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\Cache\Cache_Data\data_0

Filesize
44KB

MD5
dc6185a22fde2488b95a1a98225cec30

SHA1
bd9cb6cb6b52a7ff471520aabec11fe2950f638b

SHA256
c59aac4fa33eb0233a931b26fb12be1553c1c34ef8433a114aea1c7764ac91ad

SHA512
106b3a7b625787d3e3e8635736db31bbd84c7a27babdb0ded53e526f71e57d997380575c1210f4ab0b310e3a0bf864a58aa96c992a82b0fe42dd51ede76b2a1a

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\Cache\Cache_Data\data_1

Filesize
264KB

MD5
24a391f8f06d05a912edae12724b088b

SHA1
7ee4791b5b7f2e2e933d08fd6b3fa081782bad3d

SHA256
a1d14dca0e623c73a64947012623ad0fe2ab750ce034027cd419b3a5648ecce7

SHA512
0c8ad113412d83513506113fc26975dfa9c166d26b735272bb1fc9faf0722eeb44733d0cc6a1390ad501bb01799cbd96f843b19932345399ea67abd8edafed65

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_330B78668586CC1C5060B7886AA9A046

Filesize
1KB

MD5
27ee27e679acb8cb559852ae3cb8869d

SHA1
493c74092940cf47c6c7e48ecf7344e231475f52

SHA256
f97168ce1ecf383e7229b90276beae5a490903027c5f70379d9a09c9783b7ae8

SHA512
69f246d9ea50ec941e65200b728bfdd62a1624b9aa47f3fb239b0e15253fae7c2decb9d83e6b1ca6d2005eb69a6defd725d3445463101364ea6172f7d6eacef2

Download Submit
memory/1488-26-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1488-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2952-173-0x0000014C46C60000-0x0000014C46C61000-memory.dmp

Filesize
4KB

Download
memory/2952-152-0x0000014C46E00000-0x0000014C46E10000-memory.dmp

Filesize
64KB

Download
memory/2952-1211-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1213-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1215-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1217-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1219-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1221-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1223-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1225-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1227-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1229-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1231-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1233-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1237-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1235-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1684-0x0000014C60910000-0x0000014C60911000-memory.dmp

Filesize
4KB

Download
memory/2952-1686-0x0000014C60A10000-0x0000014C60A4A000-memory.dmp

Filesize
232KB

Download
memory/2952-1207-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1692-0x0000014C609D0000-0x0000014C609D1000-memory.dmp

Filesize
4KB

Download
memory/2952-1696-0x0000014C60A10000-0x0000014C60A40000-memory.dmp

Filesize
192KB

Download
memory/2952-1205-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1702-0x0000014C60920000-0x0000014C60921000-memory.dmp

Filesize
4KB

Download
memory/2952-1707-0x0000014C60AC0000-0x0000014C60AEA000-memory.dmp

Filesize
168KB

Download
memory/2952-1203-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1715-0x0000014C46E00000-0x0000014C46E10000-memory.dmp

Filesize
64KB

Download
memory/2952-1713-0x0000014C60A20000-0x0000014C60A21000-memory.dmp

Filesize
4KB

Download
memory/2952-1201-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1720-0x0000014C60BD0000-0x0000014C60BFE000-memory.dmp

Filesize
184KB

Download
memory/2952-1199-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1726-0x0000014C60A30000-0x0000014C60A31000-memory.dmp

Filesize
4KB

Download
memory/2952-1198-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-145-0x0000014C44F60000-0x0000014C44FE8000-memory.dmp

Filesize
544KB

Download
memory/2952-147-0x0000014C46CD0000-0x0000014C46D10000-memory.dmp

Filesize
256KB

Download
memory/2952-148-0x00007FFD731C0000-0x00007FFD73C81000-memory.dmp

Filesize
10.8MB

Download
memory/2952-151-0x0000014C46C90000-0x0000014C46CC0000-memory.dmp

Filesize
192KB

Download
memory/2952-1209-0x0000014C60980000-0x0000014C609CE000-memory.dmp

Filesize
312KB

Download
memory/2952-1195-0x0000014C60980000-0x0000014C609D0000-memory.dmp

Filesize
320KB

Download
memory/2952-154-0x0000014C46C80000-0x0000014C46C81000-memory.dmp

Filesize
4KB

Download
memory/2952-156-0x0000014C46E50000-0x0000014C46E8A000-memory.dmp

Filesize
232KB

Download
memory/2952-939-0x00007FFD731C0000-0x00007FFD73C81000-memory.dmp

Filesize
10.8MB

Download
memory/2952-159-0x0000014C46C50000-0x0000014C46C51000-memory.dmp

Filesize
4KB

Download
memory/2952-172-0x0000014C46DD0000-0x0000014C46DFA000-memory.dmp

Filesize
168KB

Download
memory/2952-178-0x0000014C60540000-0x0000014C60598000-memory.dmp

Filesize
352KB

Download
memory/3136-64-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3136-153-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3136-24-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3136-25-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3136-27-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3136-31-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3136-32-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3136-36-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3136-37-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3136-39-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3136-40-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3136-841-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/3136-5-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3136-149-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3136-843-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3628-1747-0x0000023421200000-0x0000023421210000-memory.dmp

Filesize
64KB

Download
memory/3628-1783-0x00007FFD731C0000-0x00007FFD73C81000-memory.dmp

Filesize
10.8MB

Download
memory/3628-1748-0x000002341F750000-0x000002341F751000-memory.dmp

Filesize
4KB

Download
memory/3628-1745-0x000002341F380000-0x000002341F3AE000-memory.dmp

Filesize
184KB

Download
memory/3628-1749-0x000002341F380000-0x000002341F3AE000-memory.dmp

Filesize
184KB

Download
memory/3628-1746-0x00007FFD731C0000-0x00007FFD73C81000-memory.dmp

Filesize
10.8MB

Download
memory/3628-1762-0x000002341F7A0000-0x000002341F7B2000-memory.dmp

Filesize
72KB

Download
memory/3628-1763-0x00000234210E0000-0x000002342111C000-memory.dmp

Filesize
240KB

Download
memory/3924-63-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3924-825-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3924-801-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3968-1802-0x000001A6E2D00000-0x000001A6E2D52000-memory.dmp

Filesize
328KB

Download
memory/3968-1797-0x000001A6FD3D0000-0x000001A6FD3E0000-memory.dmp

Filesize
64KB

Download
memory/3968-1794-0x000001A6E2D00000-0x000001A6E2D52000-memory.dmp

Filesize
328KB

Download
memory/3968-1795-0x00007FFD731C0000-0x00007FFD73C81000-memory.dmp

Filesize
10.8MB

Download
memory/3968-1796-0x000001A6E3100000-0x000001A6E3101000-memory.dmp

Filesize
4KB

Download
memory/3968-1842-0x000001A6FE020000-0x000001A6FE246000-memory.dmp

Filesize
2.1MB

Download
memory/3968-1813-0x000001A6FDA00000-0x000001A6FE018000-memory.dmp

Filesize
6.1MB

Download
memory/3968-1812-0x000001A6FD340000-0x000001A6FD372000-memory.dmp

Filesize
200KB

Download
memory/3968-1798-0x000001A6FD150000-0x000001A6FD176000-memory.dmp

Filesize
152KB

Download
memory/3968-1799-0x000001A6E3140000-0x000001A6E3141000-memory.dmp

Filesize
4KB

Download
memory/3968-1800-0x000001A6FD2E0000-0x000001A6FD334000-memory.dmp

Filesize
336KB

Download
memory/3968-1801-0x000001A6E3150000-0x000001A6E3151000-memory.dmp

Filesize
4KB

Download
memory/4388-848-0x000001D8FDA80000-0x000001D8FDA90000-memory.dmp

Filesize
64KB

Download
memory/4388-58-0x00007FFD731C0000-0x00007FFD73C81000-memory.dmp

Filesize
10.8MB

Download
memory/4388-57-0x000001D8FDE80000-0x000001D8FE3A8000-memory.dmp

Filesize
5.2MB

Download
memory/4388-56-0x000001D8FB410000-0x000001D8FB418000-memory.dmp

Filesize
32KB

Download
memory/4388-816-0x00007FFD731C0000-0x00007FFD73C81000-memory.dmp

Filesize
10.8MB

Download
memory/4388-60-0x000001D8FDA80000-0x000001D8FDA90000-memory.dmp

Filesize
64KB

Download
memory/4520-98-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/4520-824-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4932-1785-0x000001C4766F0000-0x000001C476A56000-memory.dmp

Filesize
3.4MB

Download
memory/4932-1788-0x000001C476560000-0x000001C4766DC000-memory.dmp

Filesize
1.5MB

Download
memory/4932-1784-0x00007FFD731C0000-0x00007FFD73C81000-memory.dmp

Filesize
10.8MB

Download
memory/4932-1792-0x000001C476380000-0x000001C4763A2000-memory.dmp

Filesize
136KB

Download
memory/4932-1790-0x000001C475B20000-0x000001C475B3A000-memory.dmp

Filesize
104KB

Download
memory/4932-1791-0x000001C475AD0000-0x000001C475AD1000-memory.dmp

Filesize
4KB

Download
memory/4932-1789-0x000001C4763D0000-0x000001C4763E0000-memory.dmp

Filesize
64KB

Download