Malware Analysis Report

2025-08-05 09:32

Sample ID 240222-y68dyseg4w
Target https://www.cheatengine.org/downloads.php
Tags
cobaltstrike zgrat backdoor discovery evasion persistence rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://www.cheatengine.org/downloads.php was found to be: Known bad.

Malicious Activity Summary

cobaltstrike zgrat backdoor discovery evasion persistence rat spyware stealer trojan upx

Detect ZGRat V1

ZGRat

Cobalt Strike reflective loader

Cobaltstrike

Stops running service(s)

Downloads MZ/PE file

Creates new service(s)

Loads dropped DLL

UPX packed file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Modifies file permissions

Registers COM server for autorun

Enumerates connected drives

Checks for any installed AV software in registry

Checks installed software on the system

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Runs net.exe

Suspicious use of SendNotifyMessage

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 20:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 20:24

Reported

2024-02-22 20:30

Platform

win10v2004-20240221-en

Max time kernel

133s

Max time network

305s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.cheatengine.org/downloads.php

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\CheatEngine75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\CheatEngine75.exe N/A
N/A N/A C:\Windows\system32\net1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0t3ddwi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PRLOG.tmp\_isetup\_setup64.tmp N/A
N/A N/A C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe N/A
N/A N/A C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe N/A
N/A N/A C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
N/A N/A C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
N/A N/A C:\Program Files\Cheat Engine 7.5\windowsrepair.exe N/A
N/A N/A C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe N/A
N/A N/A C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
Key opened \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
Key opened \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\AVG\AV\Dir C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\psapi.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\uxtheme.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\KERNEL32.DLL C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\ole32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\ws2_32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\winmm.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\ntdll.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\apphelp.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\comdlg32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\version.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\hhctrl.ocx C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\kernel.appcore.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\oleaut32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\ucrtbase.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\advapi32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\shcore.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\bcryptPrimitives.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\wininet.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\Wldp.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\msvcp_win.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\msvcrt.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\sechost.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\imm32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\SHLWAPI.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\wsock32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\system32\explorerframe.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\MSCTF.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\win32u.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\GDI32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\shell32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\KERNELBASE.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\combase.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\GLU32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\opengl32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\msimg32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\clbcatq.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\windows.storage.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\SYSTEM32\PROPSYS.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\RPCRT4.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\user32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Windows\System32\gdi32full.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\McAfee\Temp3774323327\mcafee_pc_install_icon2.png C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-2COJI.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\inst-top.gif C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\ole32.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\tcc64-aarch64-linux.dll C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-da-DK.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-el-GR.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-sv-SE.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\wa-common.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\win32u.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-pl-PL.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\uninstall.ico C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\Cheat Engine 7.5\include\is-3D583.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-el-GR.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\Cheat Engine 7.5\include\is-T05FI.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-nl-NL.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-nb-NO.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-ru-RU.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_util_selector.luc C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\ucrtbase.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\tests\score\wa-score-toast.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\dll\rpcrt4.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\Cheat Engine 7.5\include\is-B3BFK.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-H5CT6.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-pt-BR.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\XInput1_4.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\is-DHB7L.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\Cheat Engine 7.5\badassets\is-QK49N.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-zh-TW.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\dll\wininet.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\telemetry\events\eventhandler.luc C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\dbghelp.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\Cheat Engine 7.5\autorun\is-21NKJ.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\el.pak C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-pt-PT.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ss-toast-variants.css C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\msvcp_win.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\Cheat Engine 7.5\autorun\is-JNH5E.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\Temp3774323327\jslang\wa-res-install-nb-NO.js C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-toasts.html C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\Cheat Engine 7.5\include\is-E6LQO.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-nb-NO.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\Temp3774323327\jslang\wa-res-install-es-ES.js C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-tr-TR.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-es-MX.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-tr-TR.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\logic\tests_logic.luc C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fil.pak C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\cryptojack-icon.png C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\symbols\dll\ucrtbase.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\Cheat Engine 7.5\is-364TF.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-en-US.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-pt-PT.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\bcryptprimitives.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\Cheat Engine 7.5\is-GG7S9.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\Cheat Engine 7.5\autorun\images\is-1GE5E.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\Temp3774323327\jquery-1.9.0.min.js C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe N/A
File created C:\Program Files\Cheat Engine 7.5\badassets\is-OE2GQ.tmp C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-fi-FI.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\msctf.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-dialog-balloon.css C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File created C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-tr-TR.js C:\Program Files\McAfee\Temp3774323327\installer.exe N/A
File opened for modification C:\Program Files\Cheat Engine 7.5\tcc64-64.pdb C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133531071481934081" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CT C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine" C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine" C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0" C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine" C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration" C:\Windows\SYSTEM32\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Cheat Engine 7.5 : luascript-ceshare N/A N/A
HTTP User-Agent header Cheat Engine 7.5 : luascript-CEVersionCheck N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp N/A
N/A N/A C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe N/A
N/A N/A C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 384 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1592 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 2620 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 2620 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4812 wrote to memory of 1200 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.cheatengine.org/downloads.php

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1b2a9758,0x7ffd1b2a9768,0x7ffd1b2a9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1204 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4652 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4784 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5196 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3784 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5596 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5828 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6732 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6564 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7004 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5140 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7104 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:8

C:\Users\Admin\Downloads\CheatEngine75.exe

"C:\Users\Admin\Downloads\CheatEngine75.exe"

C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp" /SL5="$C004E,29019897,780800,C:\Users\Admin\Downloads\CheatEngine75.exe"

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv f8x1VFGa90aF6kMMP2YT0A.0.1

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod0.exe

"C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod0.exe" -ip:"dui=721196e6-b31c-4e5d-b8d6-136c757b28ae&dit=20240222202609&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=721196e6-b31c-4e5d-b8d6-136c757b28ae&dit=20240222202609&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=721196e6-b31c-4e5d-b8d6-136c757b28ae&dit=20240222202609&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe

"C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe

"C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\CheatEngine75.exe

"C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=98.0.4759.6 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x71f5c398,0x71f5c3a8,0x71f5c3b4

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version

C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp" /SL5="$90234,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST

C:\Users\Admin\AppData\Local\Temp\c0t3ddwi.exe

"C:\Users\Admin\AppData\Local\Temp\c0t3ddwi.exe" /silent

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe

"C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=4340 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240222202659" --session-guid=9883053b-55a2-4c15-ac55-027a51710683 --server-tracking-blob=ZjU5YzVmNGQ4YzM4YzNkNWE4MGFiNDQ4YmYwNDJiYWMyZGQ2YTg0MzY2NjNhYjBlODQyOTMzMmY4ZGY5NmI5ZTp7ImNvdW50cnkiOiJJTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPWFpcyZ1dG1fbWVkaXVtPWFwYiIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY4MjQwNjc0OS41OTA1IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzExMi4wLjAuMCBTYWZhcmkvNTM3LjM2IiwidXRtIjp7ImNhbXBhaWduIjoib3BlcmFfbmV3X2EiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJhaXMifSwidXVpZCI6Ijk4MjVlYmU2LTRhYTItNDRmOS1iYTM5LTRkMjNlNmE1MDVhNiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C05000000000000

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=98.0.4759.6 --initial-client-data=0x300,0x304,0x308,0x2d0,0x30c,0x70fac398,0x70fac3a8,0x70fac3b4

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe

"C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\c0t3ddwi.exe" /silent

C:\Windows\SYSTEM32\net.exe

"net" stop BadlionAnticheat

C:\Windows\SYSTEM32\sc.exe

"sc" delete BadlionAntic

C:\Windows\SYSTEM32\sc.exe

"sc" delete BadlionAnticheat

C:\Users\Admin\AppData\Local\Temp\is-PRLOG.tmp\_isetup\_setup64.tmp

helper 105 0x468

C:\Windows\system32\icacls.exe

"icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BadlionAnticheat

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BadlionAntic

C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe

"C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91082 PaidDistribution=true saBsiVersion=4.1.1.818 CountryCode=GB /no_self_update

C:\Windows\SYSTEM32\net.exe

"net" stop BadlionAntic

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10

C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

"C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP

C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe

"C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Program Files\McAfee\Temp3774323327\installer.exe

"C:\Program Files\McAfee\Temp3774323327\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

"C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s

C:\Windows\system32\icacls.exe

"icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SYSTEM32\sc.exe

sc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

"C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6964 --field-trial-handle=1880,i,7101555857169351861,12701575175311700633,131072 /prefetch:2

C:\Windows\SYSTEM32\sc.exe

sc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"

C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe

"C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4428 -ip 4428

C:\Windows\SYSTEM32\sc.exe

sc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1016

C:\Windows\SYSTEM32\sc.exe

sc.exe start "McAfee WebAdvisor"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4428 -ip 4428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1136

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402222026591\assistant\Assistant_107.0.5045.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402222026591\assistant\Assistant_107.0.5045.21_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402222026591\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402222026591\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402222026591\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402222026591\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=107.0.5045.21 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x840ff4,0x841000,0x84100c

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml

C:\Windows\SYSTEM32\fltmc.exe

"fltmc.exe" load rsKernelEngine

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Users\Admin\AppData\Local\Temp\jxfj4jpx.exe

"C:\Users\Admin\AppData\Local\Temp\jxfj4jpx.exe" /silent

C:\Users\Admin\AppData\Local\Temp\nskF34C.tmp\RAVVPN-installer.exe

"C:\Users\Admin\AppData\Local\Temp\nskF34C.tmp\RAVVPN-installer.exe" "C:\Users\Admin\AppData\Local\Temp\jxfj4jpx.exe" /silent

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe

"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe

"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe

"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe

"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"

\??\c:\program files\reasonlabs\epp\rsHelper.exe

"c:\program files\reasonlabs\epp\rsHelper.exe"

\??\c:\program files\reasonlabs\VPN\ui\VPN.exe

"c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2208 --field-trial-handle=2248,i,14977404096116629959,10253475764766109011,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2572 --field-trial-handle=2248,i,14977404096116629959,10253475764766109011,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=2744 --field-trial-handle=2248,i,14977404096116629959,10253475764766109011,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3848 --field-trial-handle=2248,i,14977404096116629959,10253475764766109011,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

\??\c:\program files\reasonlabs\EPP\ui\EPP.exe

"c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run

C:\Users\Admin\AppData\Local\Temp\olcs5co1.exe

"C:\Users\Admin\AppData\Local\Temp\olcs5co1.exe" /silent

C:\Users\Admin\AppData\Local\Temp\nsaBD92.tmp\SaferWeb-installer.exe

"C:\Users\Admin\AppData\Local\Temp\nsaBD92.tmp\SaferWeb-installer.exe" "C:\Users\Admin\AppData\Local\Temp\olcs5co1.exe" /silent

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2180 --field-trial-handle=2184,i,7690243132194641119,761599702143340637,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2736 --field-trial-handle=2184,i,7690243132194641119,761599702143340637,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2216 --field-trial-handle=2184,i,7690243132194641119,761599702143340637,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3832 --field-trial-handle=2184,i,7690243132194641119,761599702143340637,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

\??\c:\windows\system32\rundll32.exe

"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe

"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i -i

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe

"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe

"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -i -service install

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cheatengine.org udp
US 104.20.174.30:443 www.cheatengine.org tcp
US 8.8.8.8:53 30.174.20.104.in-addr.arpa udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 c6.patreon.com udp
US 8.8.8.8:53 www.freeware.de udp
US 8.8.8.8:53 bat.bing.com udp
US 104.16.7.49:443 c6.patreon.com tcp
US 204.79.197.200:443 bat.bing.com tcp
DE 89.31.143.90:443 www.freeware.de tcp
US 8.8.8.8:53 14.24.17.104.in-addr.arpa udp
US 8.8.8.8:53 49.7.16.104.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 90.143.31.89.in-addr.arpa udp
US 8.8.8.8:53 232.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 www.patreon.com udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 172.217.16.238:443 fundingchoicesmessages.google.com tcp
US 8.8.8.8:53 c5.patreon.com udp
GB 172.217.16.238:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 36.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 104.16.7.49:443 c5.patreon.com tcp
US 8.8.8.8:53 lh3.googleusercontent.com udp
GB 216.58.201.97:443 lh3.googleusercontent.com tcp
GB 172.217.16.238:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
GB 216.58.212.193:443 tpc.googlesyndication.com tcp
GB 216.58.212.193:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 p4-djarshpgvp4ua-mxo5ajvhlrzzwhrh-if-v6exp3-v4.metric.gstatic.com udp
US 8.8.8.8:53 193.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 d1vdn3r1396bak.cloudfront.net udp
DE 52.222.190.220:443 d1vdn3r1396bak.cloudfront.net tcp
DE 52.222.190.220:443 d1vdn3r1396bak.cloudfront.net tcp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 220.190.222.52.in-addr.arpa udp
US 8.8.8.8:53 56.92.85.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 34.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 p4-djarshpgvp4ua-mxo5ajvhlrzzwhrh-457948-i1-v6exp3.ds.metric.gstatic.com udp
US 8.8.8.8:53 p4-djarshpgvp4ua-mxo5ajvhlrzzwhrh-457948-i2-v6exp3.v4.metric.gstatic.com udp
GB 142.250.180.18:443 p4-djarshpgvp4ua-mxo5ajvhlrzzwhrh-457948-i1-v6exp3.ds.metric.gstatic.com tcp
GB 172.217.16.242:443 p4-djarshpgvp4ua-mxo5ajvhlrzzwhrh-457948-i2-v6exp3.v4.metric.gstatic.com tcp
US 8.8.8.8:53 18.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 242.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 d1zlukw2pqueen.cloudfront.net udp
DE 54.230.55.133:443 d1zlukw2pqueen.cloudfront.net tcp
US 8.8.8.8:53 133.55.230.54.in-addr.arpa udp
DE 54.230.55.133:443 d1zlukw2pqueen.cloudfront.net tcp
US 8.8.8.8:53 p4-djarshpgvp4ua-mxo5ajvhlrzzwhrh-457948-s1-v6exp3-v4.metric.gstatic.com udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 shield.reasonsecurity.com udp
US 172.67.9.68:443 shield.reasonsecurity.com tcp
US 8.8.8.8:53 68.9.67.172.in-addr.arpa udp
US 172.67.9.68:443 shield.reasonsecurity.com tcp
US 8.8.8.8:53 analytics.apis.mcafee.com udp
US 34.210.55.102:443 analytics.apis.mcafee.com tcp
US 8.8.8.8:53 102.55.210.34.in-addr.arpa udp
US 8.8.8.8:53 sadownload.mcafee.com udp
GB 104.91.71.143:443 sadownload.mcafee.com tcp
US 8.8.8.8:53 143.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
NL 185.26.182.93:443 features.opera-api2.com tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 93.182.26.185.in-addr.arpa udp
US 34.210.55.102:443 analytics.apis.mcafee.com tcp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
GB 104.91.71.143:443 sadownload.mcafee.com tcp
US 8.8.8.8:53 track.analytics-data.io udp
US 34.207.52.135:443 track.analytics-data.io tcp
US 34.207.52.135:443 track.analytics-data.io tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 135.52.207.34.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.24:443 download.opera.com tcp
US 34.207.52.135:443 track.analytics-data.io tcp
US 34.207.52.135:443 track.analytics-data.io tcp
US 8.8.8.8:53 download3.operacdn.com udp
GB 92.123.26.136:443 download3.operacdn.com tcp
US 8.8.8.8:53 update.reasonsecurity.com udp
US 8.8.8.8:53 24.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 136.26.123.92.in-addr.arpa udp
DE 52.222.191.114:443 update.reasonsecurity.com tcp
US 8.8.8.8:53 114.191.222.52.in-addr.arpa udp
US 34.207.52.135:443 track.analytics-data.io tcp
US 34.207.52.135:443 track.analytics-data.io tcp
US 8.8.8.8:53 electron-shell.reasonsecurity.com udp
DE 52.222.191.4:443 electron-shell.reasonsecurity.com tcp
US 8.8.8.8:53 4.191.222.52.in-addr.arpa udp
US 8.8.8.8:53 track.analytics-data.io udp
US 35.153.185.54:443 track.analytics-data.io tcp
US 8.8.8.8:53 54.185.153.35.in-addr.arpa udp
US 35.153.185.54:443 track.analytics-data.io tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
DE 172.217.16.131:443 beacons.gcp.gvt2.com tcp
DE 172.217.16.131:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 131.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 cheatengine.org udp
US 104.20.174.30:443 cheatengine.org tcp
US 8.8.8.8:53 home.mcafee.com udp
GB 104.84.78.57:443 home.mcafee.com tcp
US 8.8.8.8:53 analytics.apis.mcafee.com udp
US 34.210.55.102:443 analytics.apis.mcafee.com tcp
US 8.8.8.8:53 57.78.84.104.in-addr.arpa udp
US 35.153.185.54:443 track.analytics-data.io tcp
US 8.8.8.8:53 cdn.reasonsecurity.com udp
US 35.153.185.54:443 track.analytics-data.io tcp
DE 18.155.145.74:443 cdn.reasonsecurity.com tcp
US 8.8.8.8:53 sadownload.mcafee.com udp
GB 104.91.71.143:443 sadownload.mcafee.com tcp
US 8.8.8.8:53 74.145.155.18.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 34.210.55.102:443 analytics.apis.mcafee.com tcp
US 35.153.185.54:443 track.analytics-data.io tcp
US 35.153.185.54:443 track.analytics-data.io tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
GB 104.91.71.143:443 sadownload.mcafee.com tcp
US 35.153.185.54:443 track.analytics-data.io tcp
US 35.153.185.54:443 track.analytics-data.io tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
NL 82.145.216.24:443 download.opera.com tcp
US 8.8.8.8:53 sadownload.mcafee.com udp
GB 104.91.71.133:443 sadownload.mcafee.com tcp
US 8.8.8.8:53 133.71.91.104.in-addr.arpa udp
GB 104.91.71.133:443 sadownload.mcafee.com tcp
GB 142.250.200.14:443 clients2.google.com udp
DE 172.217.16.131:443 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 35.153.185.54:443 track.analytics-data.io tcp
US 35.153.185.54:443 track.analytics-data.io tcp
US 35.153.185.54:443 track.analytics-data.io tcp
US 172.67.9.68:443 shield.reasonsecurity.com tcp
US 8.8.8.8:53 sadownload.mcafee.com udp
GB 104.91.71.133:443 sadownload.mcafee.com tcp
US 8.8.8.8:53 track.analytics-data.io udp
US 34.196.28.218:443 track.analytics-data.io tcp
US 34.196.28.218:443 track.analytics-data.io tcp
US 8.8.8.8:53 update.reasonsecurity.com udp
DE 52.222.191.107:443 update.reasonsecurity.com tcp
US 8.8.8.8:53 218.28.196.34.in-addr.arpa udp
US 34.196.28.218:443 track.analytics-data.io tcp
US 8.8.8.8:53 cdn.reasonsecurity.com udp
DE 18.155.145.74:443 cdn.reasonsecurity.com tcp
US 34.196.28.218:443 track.analytics-data.io tcp
US 8.8.8.8:53 107.191.222.52.in-addr.arpa udp
US 34.196.28.218:443 track.analytics-data.io tcp
US 34.196.28.218:443 track.analytics-data.io tcp
US 34.196.28.218:443 track.analytics-data.io tcp
US 34.196.28.218:443 track.analytics-data.io tcp
US 8.8.8.8:53 config.reasonsecurity.com udp
US 54.85.33.30:443 config.reasonsecurity.com tcp
US 8.8.8.8:53 30.33.85.54.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.37.1.217:80 www.microsoft.com tcp
US 8.8.8.8:53 217.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 92.123.128.146:443 www.bing.com tcp
GB 23.214.133.66:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 146.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 66.133.214.23.in-addr.arpa udp
US 8.8.8.8:53 config.reasonsecurity.com udp
US 52.1.58.210:443 config.reasonsecurity.com tcp
US 8.8.8.8:53 210.58.1.52.in-addr.arpa udp
US 34.196.28.218:443 track.analytics-data.io tcp
US 8.8.8.8:53 beacons.gvt2.com udp
DE 172.217.16.195:443 beacons.gvt2.com tcp
DE 172.217.16.195:443 beacons.gvt2.com udp
US 8.8.8.8:53 195.16.217.172.in-addr.arpa udp
US 34.196.28.218:443 track.analytics-data.io tcp
US 34.196.28.218:443 track.analytics-data.io tcp
US 34.196.28.218:443 track.analytics-data.io tcp
US 34.196.28.218:443 track.analytics-data.io tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 api.reasonsecurity.com udp
US 104.22.1.235:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 235.1.22.104.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 track.analytics-data.io udp
US 18.213.185.64:443 track.analytics-data.io tcp
US 18.213.185.64:443 track.analytics-data.io tcp
DE 52.222.191.107:443 update.reasonsecurity.com tcp
US 8.8.8.8:53 64.185.213.18.in-addr.arpa udp
US 104.22.1.235:443 api.reasonsecurity.com tcp
US 18.213.185.64:443 track.analytics-data.io tcp
US 18.213.185.64:443 track.analytics-data.io tcp
DE 18.155.145.74:443 cdn.reasonsecurity.com tcp
US 18.213.185.64:443 track.analytics-data.io tcp
US 18.213.185.64:443 track.analytics-data.io tcp
US 18.213.185.64:443 track.analytics-data.io tcp
US 18.213.185.64:443 track.analytics-data.io tcp
US 104.22.1.235:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 mc6.reasonsecurity.com udp
US 52.43.110.0:443 mc6.reasonsecurity.com tcp
US 8.8.8.8:53 0.110.43.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.37.1.217:80 www.microsoft.com tcp

Files

\??\pipe\crashpad_4812_ISVVBBMGRBBMETTB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 f81b16a6386ff6b6e31323dd4e427656
SHA1 cc7141428c68a5cff49656d661916e45f84e1108
SHA256 82acfc1266e7602891c6c4ddd2f24a77dcf308d523c1c6868300936bbc265741
SHA512 35623fee50cd3f6ebe7d7a392d187b10ef5877d45a0251558466f685be515ed52d0f4e308cbc9461218b4b76eb4c6382ba24b9c2d618ff617c9dc29171d7fcdc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e1ccfae3d20e111f08767c0d805860cc
SHA1 e9c4b75c07ca041ef5b0f909dc2496ebe75c3bc5
SHA256 e6258c36575d71464f1e4244b15ac70ba32ecfe9969268914395457bcc4fede9
SHA512 e71edbcfaf87c510d80109ee0d1f5c1cddc098b1bc2499e30e5d77449b88eed1013fb547f5028a8a5e068165020e3e7f0c84f237a66ef07326e6c7285e03142d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 cbbe9234f72aadf2dd35cf4fde23fd67
SHA1 1c3c71f709e8f99e90820e4c05d282db0862d84a
SHA256 6d1a5aad532fb37f25b63e70a87544cdf0a293b4819025db19011f9e09ed8d96
SHA512 d954124a9e2e5e717d29fc52fc900cc85a318816e8340ebe31a4a457fbeecf1e14cbf0c7cea24026165f95cc5fbdc4bfc72786434139d8149d1bc438b39c19ca

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\Downloads\CheatEngine75.exe

MD5 224ce4c561a07effc0f3486506dca1f2
SHA1 c1b11a92d33d8206e14f9f266bbf04b86e62c095
SHA256 417e8f4941c03e655e651541c4fc9f73cc3940626bfeb70138e4408cab500de4
SHA512 4bfcd048dda6a04440ff071e931038db540d3f9b009dc0222bcc21056c36b7334e4501101b2e99a2f765ec2b4e88f33cfe73516bd4028adefb7efca97c035311

C:\Users\Admin\Downloads\CheatEngine75.exe

MD5 9f3cbb82cd7bb6b91d003efa15229fd2
SHA1 340021ba9b69a624774058a0345bf58823749489
SHA256 1e3c0d52e2f3f7d9601f5c81e37201affe44b5397546d4c7471d45f41dfe1501
SHA512 00c43f2104f23d15ae4f87eaeffc0766be563e5588dd75a4c2844745fc899fb4c4e3c725d0e19ce02bc3ee5da563d041f5b394c7be884feb764eafc03c8e9d0f

C:\Users\Admin\Downloads\CheatEngine75.exe

MD5 067f28e6b8af4f394e4b0de82067527e
SHA1 7f242cdc0c4c14cab0a71cdff29284a8cc15e556
SHA256 d1a5a7bf0ab1ed3ba6f6bbdbfdaf5c42e9604578159c9cbfccdc4225a3412732
SHA512 22d103de0a6965b263f73ce099778aa27b65ed7782474e780a170a570a83ae320bb495aea353b2ea897faa70ed0ee940635437d96525820ed3ca442c33f50823

memory/4992-146-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-7LESQ.tmp\CheatEngine75.tmp

MD5 14e34c5e0e3c320b904b9500e8fa96cf
SHA1 47cf88e6ddc1683135194b9d8b1cc32c78277f5e
SHA256 7398bd01e78df0d69169402f7fecf781c23f61127ba68290d146582ebadbf2ef
SHA512 6d99202dafd3209622e6fa217407bccd0b4157550d873bff36f06a279c499c9e98cb01d235c337d76d86c9e3c369d89712450fe1353eb18b2b7c108abd67ad59

memory/4428-152-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 472b2984fb28720b79984773e9198690
SHA1 63927e34d491a588025845694dbdff2a73241e22
SHA256 d6419ff47e20a694220e332097019175981e843d8d7dbd721335da12a2e61bef
SHA512 08aacef472d774ada7cf78863878fcf88736f2b102ca96c8b7816ec0854a0c7b70281e22be6190df48e69d7ae99cbe5a97efae1605a9b8ffe76b89603b04adc8

memory/4992-162-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/4428-165-0x0000000000400000-0x00000000006EE000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7f060c315b27f06176cd0cf54385633d
SHA1 47de508dc572a0a8779ee572c8c7235b16d0b8f5
SHA256 c4fcab2aa913502bacfd9fa27db8b32b474fc7b6c602799853d0611f77cc1c1e
SHA512 b22045dd087b45f9373c4194ea3fe7c0d17f11b1a87dc517250fc67eff6245c68f8bed675ea914c4a3cd72712734212ca6741b988b4e6dce98bff0c2c0fb7a9b

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\zbShieldUtils.dll

MD5 b83f5833e96c2eb13f14dcca805d51a1
SHA1 9976b0a6ef3dabeab064b188d77d870dcdaf086d
SHA256 00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401
SHA512 8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\logo.png

MD5 1df360d73bf8108041d31d9875888436
SHA1 c866e8855d62f56a411641ece0552e54cbd0f2fb
SHA256 c1b1d7b4806955fe39a8bc6ce5574ab6ac5b93ad640cecfebe0961360c496d43
SHA512 3991b89927d89effca30cc584d5907998c217cf00ca441f2525ef8627ffff2032d104536f8b6ab79b83f4e32a7aab993f45d3930d5943cbfb5e449c5832abe14

memory/4428-192-0x0000000003620000-0x0000000003760000-memory.dmp

memory/4992-193-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/4428-194-0x0000000003620000-0x0000000003760000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e34e83bdc4af86a8b15ed99382aac1b2
SHA1 d5bfb189d2944be95c4315865ee31e7e22ba0fc6
SHA256 11551439c1eb2c2c99e39c634a415dfaf12f0ea7e7e458ea9ca50ca4bb52a743
SHA512 6d9a0b70e9645d2e410cbf7cfbc3734d26f6a6e64b819c33fa8fa7343b73dc60ac74bfa240a6f5818bbc6d17693f738a7ba1013c4bdb30be8abe68289a07c0b9

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\RAV_Cross.png

MD5 5521662b178569ab52d6880a1faa8e95
SHA1 62a6bad33b1bbd84aeb252be0680a07e6f93175d
SHA256 0232788928f14e3452016edb1af8a9decf37c0e6004f26cea3300b76dee645d3
SHA512 cbb9b36d09121d3e7948567b72ab4335fd6c8f0d4b2063878beadc8d3f5025fcb56d04e62386f6ed698153b9249131d986a826786981def1bb9e2fc01948c36c

memory/4428-207-0x0000000003620000-0x0000000003760000-memory.dmp

memory/4428-208-0x0000000000400000-0x00000000006EE000-memory.dmp

memory/4428-209-0x0000000003620000-0x0000000003760000-memory.dmp

memory/4428-210-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

memory/4428-212-0x0000000000400000-0x00000000006EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\WebAdvisor.png

MD5 68dba223cf90bea8f73a12bf024498ae
SHA1 c047063530956e8294a6947946587be58d07e21f
SHA256 e54730e552186e2b59888a96a7b3784d759e7c8c6601f708d310f070abe89d5a
SHA512 8b69288da171dc853ffdd1dac925b7416498b5da9bc91db44ff2063ac7a991d814366eef74a04171f760a80b704e120e903f51b4595eb119c60f0bf78c398a51

memory/4428-216-0x0000000003620000-0x0000000003760000-memory.dmp

memory/4428-217-0x0000000003620000-0x0000000003760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\Opera_new.png

MD5 df3a8146855b69ff6b41cb17a70ec306
SHA1 7180aed1bce08399f086aca0996a7da807431552
SHA256 ed7ef8a251494d3e39ff3d1632bc01a90ecc723d5e838dbaa7a3612580cef321
SHA512 9f5c907fab39f5564efa2774e8a4f317835a35f64b6a2e03ba380803604529a17d80f89279490a8ce2752ecd2f42709835791ee23ca6d45dbb9c768ccb26bc3c

memory/4428-221-0x0000000003620000-0x0000000003760000-memory.dmp

memory/4428-222-0x0000000003620000-0x0000000003760000-memory.dmp

memory/4428-225-0x0000000000400000-0x00000000006EE000-memory.dmp

memory/4428-226-0x0000000003620000-0x0000000003760000-memory.dmp

memory/4428-227-0x0000000003620000-0x0000000003760000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 76bed7dfccda80c08646a77cd95f8c2a
SHA1 430fe7c769ad16a60f0abbb50ccd330cbea02e81
SHA256 bc932260591dd20c2f3a53f2a53c4af684862650b84b2b81b063d45d7b8d08be
SHA512 347d82435dbe585f2b1e06016a8dbf9ad7f4d8dee9d90a0a917ad699e609f3278db05f687e0431f3c315ca3a70bc9290bcc72d66a005336e21139fa0c721728a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 3dd9236924ec13df91138de1cf744459
SHA1 1c2d198a685b2d83516af25050a5c713d1323588
SHA256 0e6b69614ca75423c5858995ca2c1181261182be383446968cd3bb852523c718
SHA512 5b90711c06b666f4d5f48032e8e1b9ea38f6e520b0bf1c1c1feebd645409dc4e201ef8637f1d7b20712e2e73f8a778e6d56214afd39a28f686bf513e09746f50

memory/4428-243-0x0000000000400000-0x00000000006EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod0.exe

MD5 b0c22d29aa20243773c0f32598161b9b
SHA1 c65d94622b2b07ce69d57f305b1c63d60c22b8bd
SHA256 077350047b7fcaf9a24bc060164c26929fc1a1ab43a8366f5ecd4a1c9d048dd0
SHA512 3b54dab9f5388be0b0d99a8404c40f740083cce6d817538f7b337b10a3dc4271bf8c71c6b86b9a60268bbc9c1b8380ad1d93580169d4e6557a38a479eff5eeac

memory/4428-265-0x0000000003620000-0x0000000003760000-memory.dmp

memory/4732-264-0x000002399AE40000-0x000002399AE48000-memory.dmp

memory/4732-266-0x00000239B5760000-0x00000239B5C88000-memory.dmp

memory/4732-267-0x00007FFD07EA0000-0x00007FFD08961000-memory.dmp

memory/4428-270-0x0000000003620000-0x0000000003760000-memory.dmp

memory/4732-271-0x00000239B5370000-0x00000239B5380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1.zip

MD5 cd9c77bc5840af008799985f397fe1c3
SHA1 9b526687a23b737cc9468570fa17378109e94071
SHA256 26d7704b540df18e2bccd224df677061ffb9f03cab5b3c191055a84bf43a9085
SHA512 de82bd3cbfb66a2ea0cc79e19407b569355ac43bf37eecf15c9ec0693df31ee480ee0be8e7e11cc3136c2df9e7ef775bf9918fe478967eee14304343042a7872

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod1_extract\saBSI.exe

MD5 bb7cf61c4e671ff05649bda83b85fa3d
SHA1 db3fdeaf7132448d2a31a5899832a20973677f19
SHA256 9d04462e854ef49bcd6059767248a635912ce0f593521a7cc8af938e6a027534
SHA512 63798024e1e22975d1be1e8bff828040d046d63df29f07d6161c868526d5f08451e44b5fa60bfb0c22cf7880abc03aaedafa2c5c844c3aeff640e6fac9586aab

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2.zip

MD5 50a047c9410a6795b16efac1282e06f5
SHA1 6ca6cab3791347cc73ee0bcc95800041abb8bb9b
SHA256 d652c51ef76666282e8e9d165ef7d053414899aee4fb20f537aabf3e82e05a61
SHA512 33f01275c6cbdbf26f8750402e2c9d5a857d3f6d267249c38ca26ccda90c76a22dbc5b25f6c9eff41b17401e7283d93b119607d195cabf7d5e4353bc4d6ff9ce

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe

MD5 fe3908432698d6c2cb46523f5ee66d90
SHA1 23b1900ddf08a98acb19354afb517361d54f75e2
SHA256 b26c9e21d047c5a3c40bbfd30dcf8eaf2a1d62fb36bccd3aac2d39afffe9c2b5
SHA512 20dbc5ec33c5ba62e46f559c17bd1a7885d3c0d25af1f27216f25459675ea30f95c0c6135dc4e2a6f310e2e5253d37003cf0afc61238f8b29e52664ec67c30ef

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe

MD5 7e2f3ec2723a3381cda27ae862d05be9
SHA1 a82ed6a1d0a8c30b6072ddf9f9b0f52f5d5f244a
SHA256 9d221ec9e3ceeef61aa854507d038cf1cd3d3f9129724da4e2f0c0c389b6f8a9
SHA512 51672519caa3a289e88d43eaa8f150f8b1dedbec7e4af1a446fbe033c34a55e22d9df6d994fccc27aa514a7fef0e783bfb139932f399e10639bcb8dbbbd7e2e9

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe

MD5 c0956454decc7e3106afb3fbaf5747f9
SHA1 ba1824b9753128aa8562384c0433f46463a3b3bd
SHA256 58002ebfd4d00ec3b10a731daefb96dcdca79107273ee3d8da46971ca15aa821
SHA512 bad80bd6a11f005414ffedb566988b638bff6e1d0ad0d955d6ea7b19691dd0fe539a03ab8dac00c84591ea299e6e4c44a840b6614715d37c0340c280daea7945

memory/4428-330-0x0000000000400000-0x00000000006EE000-memory.dmp

memory/4340-333-0x0000000000060000-0x000000000056E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402222026547594340.dll

MD5 ecd896fd0abeb53a0e3d700948ed5613
SHA1 75d55c6e80fe06f692e058fa630456ed028fac7d
SHA256 604885c47e0c57e7de6a453298d4a8ef795b18aa099ea55475d68b196f0a699c
SHA512 2b22d3f86db23cfecff481f376350120c5d6c8a87b1b8e68bd438594666283e5188faf6e70b3aa8535ed9801cd5e25b44748d2aca4298feebc472c3a78fc379e

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe

MD5 b4a9a472585ea437eab1ef042155fb08
SHA1 0a2f67c2b8372af298110ca148dd50c5db028479
SHA256 1124a799cfbecbb2f4043e9a55f05d6d38939775beea74fe093b55761dc8c1b3
SHA512 7bfa2bfc0f2ec58541adfb95cb58d65a43254465a1b841f419ca65b06d881b90ab4032f65e5527bca0aa03c903b03860de9ff78f70fd34a80cdb33a2bdbbae4d

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\CheatEngine75.exe

MD5 f07cc08d497d12fcd8c0139e9152ceb1
SHA1 f9fd65e3a598014fad91a5cf59718e53ee532af4
SHA256 8e6a8c512b61221c54db4fdd4de0293a2710e8840ebb29e9e33b7466886a5ebc
SHA512 7eb66ab335cfbb9290f001f8e203e221db1ac0708f9c6cc51bc36fb54dad75cc22e031c6c462d8a4996686fbfb1d9a3b7d04c761d26d27324a28eab6d85eee0d

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\CheatEngine75.exe

MD5 15eb5d5d037db5019c42e48352a5cb28
SHA1 46c132da5e8b0a438b4143979dbfebd7f5653036
SHA256 292d0f310314d3e8806a7daf2ea0ebac03b978ea6a4cc4825605d74db2153adf
SHA512 8d5ee59386aaf7f1adbb525f48f6caa0bbb793c7ac0a69c20310365ec1f0ab73f4c8e99b8e5b7dd41941d86b6e7bf73fc6b80779392fefaf3bf43ffb155bc233

memory/376-350-0x0000000000060000-0x000000000056E000-memory.dmp

memory/1156-347-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_240222202656420376.dll

MD5 dcad0ab4c2bf91bf90c806a97b234f6b
SHA1 2ea6397d60a6d233ce488e12385c078e45d4607f
SHA256 176a920e02a5460c2948970305b558e723ca15514aebf9fa147aaa43a6e2bb58
SHA512 44f2b15612de620b6c703214c5ce613d45b99e2773f4b6c8e4310a8f290457b51b879ff5c6d34b33ba07570cee7769c3222b35e3b7c6d5240bb6127ab73b41dd

C:\Users\Admin\AppData\Local\Temp\c0t3ddwi.exe

MD5 1831121878a4e14cf0a97ea6d13f1cfb
SHA1 50fc521d46729a5045f83bc3067a49b9ab02068b
SHA256 7f01570cd5a0ff870a94dd55b450fabe4d98cb5e47b6c435c0de522678fdc559
SHA512 63175f57a5a4e2e8c78882d8ce7344c08b252f15edb187eaf6b43a4d3d567a308f9376a80ea0fb87dc6d57fec093148d1e9cae3f70c9b965a89cbfc4051e3eae

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe

MD5 938cbd1d51cc77b0949aecc5708c3ca2
SHA1 de249bf6be3694bf03f295b9569ee0b6192f631b
SHA256 b075a731d73a5d82a7368bd0be6aebe3dbee65a7797357dad7f279378c3c3207
SHA512 9fc0ec5701494ef8242f5fd066edf05f8349c83e56e58871174f746641fef63750dc86dee5809abd91fbed8ac8ed9a9af8c0cdca34344b62d985e223892cc18c

memory/4120-364-0x0000000000210000-0x000000000071E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c0t3ddwi.exe

MD5 715145a2c5f42c7bf6cc96b081d65622
SHA1 91256fbba9aa7590d76092d646529e840b300217
SHA256 ad808880d5b45d36799cb51512fe616f71e3adae77461f75ef7ad1ebae871c39
SHA512 40f434797ef6900e1662e565df2d260ac9e3890bb2a50489ccfe1424654e82ecbef7f028518efcd10f0012d7450c196c8095e82883f558e035634b9cc239b28d

C:\Users\Admin\AppData\Local\Temp\c0t3ddwi.exe

MD5 e4d558df8fdcef883f9ece4e94fce963
SHA1 4511f5a2b4e5ed03b5220172385aa46852375cfc
SHA256 f5b40e8c77844deedbd7d66329c3643a48b8ad47bad3bb25b76e3754008dca90
SHA512 eb3f0e2a0ad3a4be40c3abd43e11dc4f99044a18d98268bd544f02aa37cdb7b97cf7a89f5ea122236201b17e20fab59b93d6dd6233f4956637ca3b802c6d8cc3

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402222026583734120.dll

MD5 d6e9019cb9e2c7abb383aa5e34605a55
SHA1 647e9b16321de73c84dae38479470806617ffca2
SHA256 591a16b13ddbfa7be213e7dcdffcd902dcb6fb2778fbaf1840c48afa584fab76
SHA512 65de8d15f4b46a0600e2f102f9c8a80b6a3cad416afb9d6d1d14a657cf36a859ba2e67d0d0135815acafc92b3cceb0759b2f95fa82381fffc2a7a8f2dc4d3e60

C:\Users\Admin\AppData\Local\Temp\is-BM37S.tmp\CheatEngine75.tmp

MD5 a4d559a45a1c822cd549e4c8fb6f3564
SHA1 ca72bf902508ccfd17c3a3a07e30ef94fde40e3a
SHA256 b6df4ef7b46c20ab57a6026d3560393eead0c4fe87b08c3533995422456a2eeb
SHA512 31dfbd5020d1c3c210d2cdc717f4f312541c75eb5d07d447b035bbbff90900f1bd2b1d372f77b7dcc4db2e2264385ae2e0185f2d8b3669c42455ea4bb3b6e06a

memory/4120-377-0x0000000000210000-0x000000000071E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsj199A.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

memory/2760-378-0x0000000000C00000-0x0000000000C01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe

MD5 31bbc803df866aa0b04cf6e07bf3f9af
SHA1 d7b90d548de7ddbe9e7221fb7c9991b7c202ff64
SHA256 0338f972923cba26694767f42c5f1dd7abbdb79e26220e073c7a74f7514b85ef
SHA512 f6447ed7df78a72ed09c70951bcb9ab0e9503433f28ddf82139c8e2cbe2c286dd15c6b1dfa2d9d5182284c1beaf08065270f5fd7b90b4ebce43c71d9b0132c53

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe

MD5 f2d933a5633699e3923e44b9d569b729
SHA1 3ceed52c9e0bb18c38fa4c590ebfa4ef99c41505
SHA256 b3c558560948205a0be7b1c7e26dbc87b086834b0e9fa39173dcce49d3646466
SHA512 9eb913846a2afff2ee055384e4b0a123d1e5a9fd84b6cab9a7e5de9bae14ed51386704ac1f171aa099616cfd6aefc4eb9b73897654c3e0a46a52cfb5ad1674c5

memory/2380-398-0x0000000000060000-0x000000000056E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402222027000452380.dll

MD5 468c8405aca7ef6ab8bb5db872570c5d
SHA1 5d1a0e80da4b2eb006934b2c597e3ed92eab90c9
SHA256 30cf995889527eb1d89b601c768bad5847253ade0bed143d0311e970e4f3c08e
SHA512 63430a38f9ac9f60c1f8507cc6007e235a5a9c4eb50aef95e4db2ec87d06f741ffbbca57e6a1984e9ee75c1a64a3551be463677def28f13d7c69e65d606ddf11

C:\Users\Admin\AppData\Local\Temp\is-95F4Q.tmp\prod2_extract\OperaSetup.exe

MD5 c0f6965753d1444b668c203bdbb5043c
SHA1 92703935615fdc58272f733ceecb6e983ac7b745
SHA256 e252b2d89bf4e2b5d1a58497afdbf85815894e0345177360a7c41d658528942d
SHA512 eaea39d05aee8f7a6dc77a55d32e87e1f36081f3abb9c71f4b90d8ad910a470f3674757e43b848eab4de7312a87837e063af040723b49e1ac8cc8939aaf8da13

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\RAVEndPointProtection-installer.exe

MD5 f5077db3ed293b92285f3cc588ca3bcb
SHA1 242bb20627cc2dae55cdfb076966e2c3b347c505
SHA256 ec5b94118badc4b0653f1022d2ef8976b7cf5d838d264edfca6a5737c94214fa
SHA512 fc4b07b0cbf7a4abcc77fc31c1152760e65124a0004919d5f0c4d9a21f4297cb50a4b8a29e5dd023a8e9682784cbc646dcaaf7e315154ca316bf52f145429dba

memory/3796-453-0x0000000000060000-0x000000000056E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2402222027005923796.dll

MD5 a219946ec5c73e4d16e6f17e7ab2a695
SHA1 244ca1e85af3aa1daed0261aea000b924082be45
SHA256 101ed2d5066cb1cba54443641f783fb002f2ec3057844d932bb8e9f19aeb588b
SHA512 236e8cb353c7b0bf0c88ba6f165f8c83158f12c093ba09ee2cb3ef08010480f318de5ff1d3a4ef4d3f35b2e4115e9a7668a5fb76b82079980491d48df62f463c

memory/2452-456-0x00007FFD07EA0000-0x00007FFD08961000-memory.dmp

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 cbd50901636eaccec42ee65c17aec4d3
SHA1 aa41943c194010e74cc1f93b43215a56744064b6
SHA256 e05b40bac6a9ec3491ce103778913fa461a62b261ea197ed90ed268a973dcbdd
SHA512 013699a8bca69c29376cd7b9747b6c60bff414e83e05f0e420083e15b7c243b6c7e5a63ca3b0c44ec77a14bba9f556027aec7acb59e026d00202f497da0057a9

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\rsStubLib.dll

MD5 a16602aad0a611d228af718448ed7cbd
SHA1 ddd9b80306860ae0b126d3e834828091c3720ac5
SHA256 a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a
SHA512 305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

C:\Users\Admin\AppData\Local\Temp\is-PRLOG.tmp\_isetup\_setup64.tmp

MD5 e4211d6d009757c078a9fac7ff4f03d4
SHA1 019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA512 17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\rsLogger.dll

MD5 83ad54079827e94479963ba4465a85d7
SHA1 d33efd0f5e59d1ef30c59d74772b4c43162dc6b7
SHA256 ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312
SHA512 c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

memory/2452-463-0x000001A580F10000-0x000001A580F50000-memory.dmp

memory/2452-476-0x000001A580F50000-0x000001A580F80000-memory.dmp

memory/2452-490-0x000001A59B060000-0x000001A59B070000-memory.dmp

C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe

MD5 143255618462a577de27286a272584e1
SHA1 efc032a6822bc57bcd0c9662a6a062be45f11acb
SHA256 f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4
SHA512 c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\rsJSON.dll

MD5 f8978087767d0006680c2ec43bda6f34
SHA1 755f1357795cb833f0f271c7c87109e719aa4f32
SHA256 221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e
SHA512 54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

memory/2452-494-0x000001A59B020000-0x000001A59B05A000-memory.dmp

memory/2452-492-0x000001A580EF0000-0x000001A580EF1000-memory.dmp

memory/4428-501-0x0000000000400000-0x00000000006EE000-memory.dmp

C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

MD5 9a4d1b5154194ea0c42efebeb73f318f
SHA1 220f8af8b91d3c7b64140cbb5d9337d7ed277edb
SHA256 2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363
SHA512 6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

C:\Program Files\Cheat Engine 7.5\unins000.exe

MD5 cc76c9d1466fa079aff507f221d085aa
SHA1 25e0a73c34174e22574a18f02c0e4dc32f57af99
SHA256 ada27ac87dd2d602cd6e1c38437d79d4428cb74f7f2226288ef4628240ca0e11
SHA512 f816ce4ee2ee469ef53ead15c8d3a483eba0f6eaf7cd1dc9f5e06eb50f48623c02fd7376ef0434434e16fdbea1a114ff98d94d71b8e2e62fe3cbcda19357c8bc

memory/4732-505-0x00007FFD07EA0000-0x00007FFD08961000-memory.dmp

C:\Program Files\Cheat Engine 7.5\is-6BSR7.tmp

MD5 dd65b49aad767586915fcb1fe56eb176
SHA1 0f6b8c99985574344d8fdca0b330b99b4f5adde8
SHA256 fa514449d7b896cb4140b25de8747b3e77d8c15c575b0bee5b89086286a9475f
SHA512 456da54a3c8d7548aae23f898cbeb27e9b33a408cb6f6989afc07a3d5291f611af345ef6ea5ee5fc392eed674ecf9c347f91321f8136f041fa7c8c5b9d69cc7d

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

MD5 f921416197c2ae407d53ba5712c3930a
SHA1 6a7daa7372e93c48758b9752c8a5a673b525632b
SHA256 e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e
SHA512 0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

memory/2452-455-0x000001A580AA0000-0x000001A580B28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\rsAtom.dll

MD5 9deba7281d8eceefd760874434bd4e91
SHA1 553e6c86efdda04beacee98bcee48a0b0dba6e75
SHA256 02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9
SHA512 7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

memory/2452-510-0x000001A581000000-0x000001A58102A000-memory.dmp

memory/376-512-0x0000000000060000-0x000000000056E000-memory.dmp

memory/1156-511-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2452-513-0x000001A580EC0000-0x000001A580EC1000-memory.dmp

memory/4732-514-0x00000239B5370000-0x00000239B5380000-memory.dmp

memory/2452-515-0x000001A580ED0000-0x000001A580ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\Microsoft.Win32.TaskScheduler.dll

MD5 a09decc59b2c2f715563bb035ee4241e
SHA1 c84f5e2e0f71feef437cf173afeb13fe525a0fea
SHA256 6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149
SHA512 1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

memory/2452-522-0x000001A59B0D0000-0x000001A59B128000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\rsSyncSvc.exe

MD5 ded746a9d2d7b7afcb3abe1a24dd3163
SHA1 a074c9e981491ff566cd45b912e743bd1266c4ae
SHA256 c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3
SHA512 2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe

MD5 0806db15470b50b2fc76def8e010492e
SHA1 dc16a69a3de41fe5d7d39c9e6d192abb2cd229ae
SHA256 205137440d0fb082afc0adb8385b71168b2b19731cfaa6d423077a0ce3bb5b17
SHA512 cab249d65cce1158c0f0a5c65943fb8ab04b7ef7ec6c19af42170944b0ed7519e82252189ee65469f63424be315ec37db47522e32dd4d1c5bf6a138199f5d496

C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png

MD5 5cff22e5655d267b559261c37a423871
SHA1 b60ae22dfd7843dd1522663a3f46b3e505744b0f
SHA256 a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9
SHA512 e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

C:\Program Files\Cheat Engine 7.5\cheatengine-i386.exe

MD5 3ff4aa35cc5d239b2c86f01b1aa404d7
SHA1 b9a898f52ab76a25c768b8fac923ef544ad6f8c8
SHA256 1b30046e0528eee6bd2f4b37d9a40393b0e08d4549949d468ffb4b5780df1ea3
SHA512 aecf54dabc139c552d4b5a23cf166c1b86de73881c4eb8cb81d209d0f225b5808dfa32885fa8b9cd97e98d681ff196f6e5d00ac4371c2e5b323a8bfe3ed3c171

memory/2760-1287-0x0000000000400000-0x000000000071B000-memory.dmp

memory/1156-1288-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/5456-1289-0x00007FF7FCD60000-0x00007FF7FCD70000-memory.dmp

memory/4428-1296-0x0000000003620000-0x0000000003760000-memory.dmp

memory/5456-1297-0x00007FF7FCD60000-0x00007FF7FCD70000-memory.dmp

memory/5456-1298-0x00007FF7FCD60000-0x00007FF7FCD70000-memory.dmp

memory/5456-1299-0x00007FF7FCD60000-0x00007FF7FCD70000-memory.dmp

memory/5456-1302-0x00007FF7FCD60000-0x00007FF7FCD70000-memory.dmp

memory/5456-1321-0x00007FF7E66A0000-0x00007FF7E66B0000-memory.dmp

memory/5456-1342-0x00007FF799BD0000-0x00007FF799BE0000-memory.dmp

memory/5456-1364-0x00007FF7FE1A0000-0x00007FF7FE1B0000-memory.dmp

memory/5456-1413-0x00007FF7F3F70000-0x00007FF7F3F80000-memory.dmp

memory/5456-1433-0x00007FF7B23E0000-0x00007FF7B23F0000-memory.dmp

memory/5456-1447-0x00007FF7E66A0000-0x00007FF7E66B0000-memory.dmp

memory/5456-1406-0x00007FF7E66A0000-0x00007FF7E66B0000-memory.dmp

memory/5456-1474-0x00007FF7B23E0000-0x00007FF7B23F0000-memory.dmp

memory/5456-1459-0x00007FF7E66A0000-0x00007FF7E66B0000-memory.dmp

memory/5456-1378-0x00007FF7E66A0000-0x00007FF7E66B0000-memory.dmp

memory/5456-1498-0x00007FF7E66A0000-0x00007FF7E66B0000-memory.dmp

memory/5456-1485-0x00007FF7B23E0000-0x00007FF7B23F0000-memory.dmp

memory/5456-1481-0x00007FF7F3F70000-0x00007FF7F3F80000-memory.dmp

memory/5456-1468-0x00007FF7F3F70000-0x00007FF7F3F80000-memory.dmp

memory/5456-1375-0x00007FF799BD0000-0x00007FF799BE0000-memory.dmp

memory/5456-1404-0x00007FF7B23E0000-0x00007FF7B23F0000-memory.dmp

memory/5456-1394-0x00007FF7F3F70000-0x00007FF7F3F80000-memory.dmp

memory/5456-1508-0x00007FF7B23E0000-0x00007FF7B23F0000-memory.dmp

memory/5456-1509-0x00007FF7F3F70000-0x00007FF7F3F80000-memory.dmp

memory/5456-1329-0x00007FF7FE1A0000-0x00007FF7FE1B0000-memory.dmp

memory/4428-1526-0x0000000000400000-0x00000000006EE000-memory.dmp

memory/5456-1592-0x00007FF7F3F70000-0x00007FF7F3F80000-memory.dmp

memory/5456-1622-0x00007FF7B23E0000-0x00007FF7B23F0000-memory.dmp

memory/2380-1648-0x0000000000060000-0x000000000056E000-memory.dmp

memory/5456-1647-0x00007FF7F3F70000-0x00007FF7F3F80000-memory.dmp

memory/5456-1619-0x00007FF7F3F70000-0x00007FF7F3F80000-memory.dmp

memory/5456-1652-0x00007FF7F3F70000-0x00007FF7F3F80000-memory.dmp

memory/4428-1948-0x0000000003620000-0x0000000003760000-memory.dmp

C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

MD5 4f5ada00e0ee9b2e86f52384e50193c1
SHA1 4c4e8fe65cb4c2cc6b569b130bf5a17e7297ae55
SHA256 89cbed46dcd36404c35f15573908169e554c96a343c37882d1c0a9a8e511515e
SHA512 cfb02b040c1a3cb95243b853cf91b9b99182e942effde31c69925b51580e5d8a2262d4755aee9c1ead8e6a79cfc5992223c97af3803dea5d27443bc3dddf5c3d

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 a37c6916dd6de30d3e8341fa267933ca
SHA1 41c32c5624d182060248b1ec16a7d252b1eb1694
SHA256 e21c62ec2f19546f2bd10e7a1bb370fdd824128ec4602912b903190c2dea054d
SHA512 3d7902d3e766cbac679a43774b8a6d8f86c0ba7f6f4bf3f0f1cd57000a7552f9c20aab4ee26f6d3d2f61a144504f4ca7ba2bc226ef03c968f8fb800a335d4ae0

C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

MD5 eb105c0885ee2e4b9e2734f6f7284019
SHA1 327479f7820d19e6c236dc11f8707efd0d6bf6e2
SHA256 350bf925609830e683e5007dbe8feb4000a0c32a2b991798dc6b84608a2a8e89
SHA512 7e6805c2aabb1b1b8768eaf2c816dadbe78878249ea66eb89dd595fd9119ed0f8926213aa51028337fd1674aee532de301877458b5c7d9c0a2271c32a48ac611

C:\ProgramData\McAfee\MCLOGS\AnalyticsManager\AnalyticsManager\AnalyticsManager000.log

MD5 d9eb26b9cf048dc75d96dd549bba3b86
SHA1 f0196d5f0ca6fb7c2e7cee673fd243cbf32e7d40
SHA256 9d31fca68d5a851efd43ac2e5ab364b2f08c6a4b5489e9e6f91645e1bbad8715
SHA512 1f1b599c4fb3dc59bb7c8bf915334dd19b59fb0d3d328fd5efc1969097372733e9060e7009d12181302f21edba4aebe3c39674bba9fbef29e5b293a756ec4e96

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c2ecc9b9a06cf4cb1fd4ac46c562175e
SHA1 98217ccbc434ab0280f97daf7ff57aa307b70d2d
SHA256 c2a1932274977b8e980d9eac92f0ef8dffb88835d90896be69f2529fd815a41c
SHA512 e952b7b0cd9ec4090d70ab73a0843c9a3a87eb2137429c758e352e7683d3725da1b87824f72fd62fce1a17c71e291b1da066da1151f79e6f94020056f8f5a7ca

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 871fba57c045d5fb992663b827fabf42
SHA1 003a95d0611b65ea805765d665a6648c79dfb3d2
SHA256 61846f4e9a5ddb169f07dec90dc996e9aefa8a60db2939ab042ffc5b5d83918a
SHA512 04d14ed64c31b65f41369b046e7923168f69b4e6d519ff9584808047994f262a7925c742ced2ba497488c5773d45ff35682ae3a1846e493a656ffb3a54c546f2

memory/4992-2945-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 eca37dbf4269b81e795dfa1f6f9dbfa1
SHA1 8fbbdd3478872626ac9625270c98bbe3726190ca
SHA256 9eaccef1bf81641267aa9be6c97c2119788cc9ad80c544ed130e09820fcd9902
SHA512 f59ef2b8dd647988ccee829c1bf45a1ecc10185eb07efb931f6b0856a268545a5a83d08a73cc4870adcf03f1cf79a0bd691584f065b9e7851e5a6bcf1a6f6f2a

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 6c776d2aa57a60a04d97fd8a2583250f
SHA1 0c94d9380a17225803df4d4528f4f1fe9e03ac75
SHA256 0d10f660ec9d36233f447287e28fe457745583d552c2fbd2c87aa8d599eaaf1e
SHA512 1fe081f04f5b43795801916bc4976a3e73e50833b9a607d7a8bc986a656105db3651b55ef068b73e8f95929216caa714c6a3d52c33ea785f777401a9c827b93c

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 54d3dec4902c783cd989b488162eb419
SHA1 3e0e88caeed38909dacb42e3bb3f16928b5d738f
SHA256 a74d01a1b3d4479cda3759e9c04d74290e4ed9cca2522f496e8ef48a9046554b
SHA512 102d06050425fe1a9a4be5ad5552f6791cc32d8965177838f78b727c4b51b8ac5a5a0a235db3c89f3a2ddc7ad4779c1b7527cb6340a057e41dbce53361df0fcc

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 6341326ddd41e9f90696af489e42301a
SHA1 b13c1521cee0f10658a146763d2d87509ae1c089
SHA256 aa8f300f58613c967dc8c519a7353c21aa3e6726effb88b29742f2f0f42fdfe5
SHA512 0e57b114be162d94bca8bfa5524bec140154cd473a43323803a4932e4c6fe77a934793607a3b8a217378a55bc68230eb6e72f7cc1c54866b74a8731e083e2c00

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 6ed0ab4bf25458f44a339a506618aef1
SHA1 7b825a364859f9c69b1790a2c9fc5a2a8960d0c9
SHA256 9574e93d049e410db72321040cc45fe28537738d9b84ce44d12c70e58dd646ae
SHA512 b8eadb9bb6e24cc973e16511d774cf3fa2549a6f4b547e41cf214b5b4d68af218892b875079c95ab8e62715e959b6ba00cedf8c5bab16f10b0130b120832ae39

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 1d11d8e7355a8cba97a6824d6c67c343
SHA1 f386d69ee141df0bf44591a8a83fb360d342468c
SHA256 094ba4122e5b6afbc5675b13e62e256b040e4f0c3d3d8a6404bfd37e22b48c1c
SHA512 8d1f0e1d52a1dc9be56021a4864c28f03c9ae435d5226041799ea6f74315d8e0445857e8e60c9ea46c101c62ac21aa34683154a26c6cd4a9452af6103d722295

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 2fa5927d41b525e99503ef3463784f35
SHA1 639090ad1172ba54b74e3b817676278035471507
SHA256 ec6e1ee6a89d7a574ba4d07697facbe29b4ba23967882e2a5012cb24ff850539
SHA512 533b01938a49120e90462adf343d6d47eebe8e13da38c184d6da5b6f4c817bde456a7551d2c082f3bbdf1ff01f3a50265d98d7b2f8fec057df3078db20bbd777

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 ed086a8bc8545815f32445380b562d4c
SHA1 eff7156786f0b151324a54738fabf41c7a4b66d2
SHA256 8b72cf8abbfd93ac68576201df9dc101805140fd402671a62bb7a3052422d839
SHA512 15044b498acb9394b1861835f154a617b13f3e4b02e9fc3c52cc8be3339e880923f315e941df4752786ac5b573dea9d92fe7eef4f08c0e683525184819936199

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 dea501c00feed7679a660f14e0f839bb
SHA1 3e0c63288f71aa1f7a09d91752020b3029ab8e77
SHA256 d4b8862c0f82664efb4a24c986362a27e9761c6a4c9ee3a1823d068e9f95e3c3
SHA512 fa276aafbd03ffb66460ceef0959ac1c47b1b4518f733cd17959085f58e0b7f10438e92cbf7d2ff7382095ec46f4e2770e21066b9995f924e786209beeb91683

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 4aac12a227b417206d9d10e3ec28f7c0
SHA1 ff2893e6c1954ef16a625308d764adac9fa01b1d
SHA256 7f9daf7c636d526faa9e43b0f69e1bbf74480169f4994d662ffd77c506725da7
SHA512 ff561391c5de828c160fc8582326f867a338e40d29e3489c31d8fe0947984b104f1511465bc3a3bf0cc7e91b7c61fd8ec7f796f95cc1045b67b50115b009adaf

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 7bc4f9db7b48f953cbd3b1f8d2d826c3
SHA1 08ff6d18cf2423c79e4fc9768320426e48c1502f
SHA256 80453717204d5c5b914e5647080ff1839ea043d666ab75c923c931a314731525
SHA512 8810ffd51134c3d7048da7694bf1cdec6f46dd4f3868dcd974452f7be851e84ee189c324d39e71a38ecdd0b95ab19c42c872a118124ad939d692347417cd5020

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 abc187af2dd9e1105b436977ecc68eed
SHA1 33edfb44abdde2c49ebce11a3431c25188d91633
SHA256 93482e9145b60d1121180b2b9c170071ba7d012d91e197847a7b5d4f7095ce11
SHA512 be2fc8110b03a9b6b9a88edb7f9c9042abdd68414f37a3dde954935a760d5b78090eed37c242fabd9238b9eebf1b7fdde6a47d1a600a98fa002a8f7531a5c8dc

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 6de4b6d2f4bfee6a02e4c8113496ed7a
SHA1 c2be807ccef6f6adedbff1b8db3f4f14e1faa614
SHA256 3bbd83d23e912138807fc3386b88c79dd2659bf0646f534098edc6f3e7f67696
SHA512 9d55a21b3efc7a98158869a72fc686632a486ea479bef4fa58a6788d09792308ab8005c64a7b2ddc73b6759c3392c10ad0eb3bde7cb02dab4f27199665942a3c

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 eaf4c9ea021006e86b308a384acfd70d
SHA1 d0bab776bf219e7ad69a364052f31499e58895eb
SHA256 1b0eccc8d98e7961daa347892809017f88bcbfe84f439870917d5bcf1790285b
SHA512 76d2cd0d5fadb8f27052f2b1b6bcaa97ac881e87a4466a983f5945ea95871af96f1d1aecaee233285b082f3647eebf93864927cd91d4f6294b08ce6e97d5b316

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 1c5cfafd73ee05c6b4a457a32c246fad
SHA1 d1a3b1a507307a8b5ef779396435594cf9e93517
SHA256 f758e10cbff7666ef454bb60d68083ae09682d3fd7216bf21cab0c826364069f
SHA512 3f28adeebe3a2248f2f444b03430a66a46dacc3468f0081fea8ae5c5e140200223b8df2cfd53ecce3a422cc73539dfad5df1055005e68004ad7b3bcbf985129f

C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

MD5 0bba1bfcd752390c0fb67e6b0672665f
SHA1 a9f313de5275c7894f0db5aa3530b307e81df998
SHA256 928c5ee85b5a8ed1718f3360c55b31393c6cc6e9244b9d696868855a9dfa3bdb
SHA512 ccc1f0b10f5b0928b492434323a8a99b475ac1ebec54c2b373e734193ec2ad083fdb0ef6bb809f6c8fdaffe3f60ab2db6ccc859318bcbef8736a9f3234cb310d

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402222026591\opera_package

MD5 80569a4e236d3e90466effc5c1e8a441
SHA1 8c2598d117221b806979849b2bed74d3fcaffd97
SHA256 0f240343b1ced3991afae0daa01d130458f06fb73b64e3c368b03e3681a56a06
SHA512 1c02fe1a65935b350b4aa7abd287f97c92420749a8dce785ad6d7dc05a76647b7574e0a6836392d7b303d6fa5f4bb83a3f46e1caa01c490b5ed352d883b90a5e

C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

MD5 a96e27e1ab2ee7af70b00985534fb71f
SHA1 2f7e9028530dcd6a5c3ce6a17e50340b25fbc17c
SHA256 5e0198e2ee51a06e8286996acdfc23795d0abe5f54c53dd22bf5d4d1dec214ff
SHA512 4924be8f9a43402bcd4bfbeca3c674167a84b5235ff70913fcbcdd846a54e7801ad33d39c266120e35a2672f91ea7b1e9aa327aa25987bae18d294042be89eb4

C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

MD5 d0098b446cfd5e7320dab7acf2b28804
SHA1 f108ebb75b1e107f0a44219a0ff11e9c51b9f0d3
SHA256 01cecbe3c9df25343f01e096db35d6727f784fda9ee1b598d3b9caa8159ec074
SHA512 a6389168892e255c16d8fcc14872f805ff5e49b550840c119c025a9a22f406649a2f70e067fbe4a9e3ddb65ada5f707827c0f2ee6bb956320384849a528a3434

C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

MD5 d402ca161f9047ba9e4047496edc491c
SHA1 37f69c2de4c442488f4084ccce26b26ae8f23a6c
SHA256 0c17047bf5f7ad5686214c8044c459673edd5f3e2a3e418782ba5cdd8f97cecf
SHA512 5bff1a4fbfaf2504836e803b2a9a460625c26383e36d63590aafc3a937e669725dae5dcff007f269ae405ad81abd1f306c96115e58dba934b2770c6d40f21e40

C:\Program Files\ReasonLabs\EPP\mc.dll

MD5 7a1619d343249007fb5c01fd258a4dc0
SHA1 7447b027666c414b79e46925a77733058bbf8142
SHA256 66a5476a9d69761e9c46c6cbf924cb3c5abf75f8115817558a472c9c84780306
SHA512 a3a99db109cab6a1f396a947f8bd9b911afb69c8ed816f4dcc85805440d13833486a5fafcd96edceb000793d154d05439c5a5148fc072d2ac9a8b1f45bf2320d

memory/2452-3405-0x000001A59B270000-0x000001A59B2C0000-memory.dmp

C:\ProgramData\McAfee\WebAdvisor\EventManager.dll\log_00200057003F001D0006.txt

MD5 bb4d149573b18b7a2a335684599c5522
SHA1 b20b1f9fc934c9ce1cd500ecc55702bbdfe3e8ee
SHA256 02bfe64d16f0cbb52c35828b7e7329320d841da20ee403239804cdb3cb232615
SHA512 fde8b356b4d757c61c6a4e0619db6eb45c08eaaa6b6dc6b970b802739cdd1543d3e94c81be06a0f900cf09edfdaa8e993dcb563ca940abd01693152cc0cd3384

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202402222026591\additional_file0.tmp

MD5 a7441b4573e9475eaf029f34e0c1ee1b
SHA1 2698dd9c80e6f895f35311f6879fd7ce8ec5d73c
SHA256 ffa0bb5cc0518482adb29df358228fe532d435a6376d134bac2d64d60d9c6329
SHA512 3490f6d07a5757d03e81fac4f8ea6a9e1fe5fcae8ff8af2a3a5eddd3e6dfbebc3793504fee5cb77966a47df0a41c461a66f08feddc7e3e45e3c7163e3157d95d

memory/2452-4570-0x000001A59B6C0000-0x000001A59B6FA000-memory.dmp

memory/2452-4571-0x000001A59B670000-0x000001A59B671000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\585b3608\8c1ed8a2_cd65da01\rsJSON.DLL

MD5 1f2c8961bcf9a47e491e3163e69fd8d7
SHA1 d1afdf1c05c41c6a4373e6b078519150d6681193
SHA256 3e3b1c6ccdb7fe88fb194c93a3780fc8791d824456b03fda798df7c7dfdd19e8
SHA512 f1b0083734d632429ce2142b2cc5176766fdee17b44a3aeca921a403ef11fda13257f33bfae8c595672508a702c724d638b0e54dee9db4d5283f8e5d4e562cc9

memory/2452-4586-0x000001A59B6A0000-0x000001A59B6A1000-memory.dmp

memory/2452-4592-0x000001A59B740000-0x000001A59B770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\77ae610f\d483daa2_cd65da01\rsLogger.DLL

MD5 40c1ebdaaad9cafbb5d0a6b44d9d5ed3
SHA1 eed474d761bad1c5b4f034583e977891fbf1d2d0
SHA256 97b1d1cba72fe3f8ea3213818e60be29f9b821faed6de08b0364e4c4faaba673
SHA512 15255d7458c19b940bb47db3e18003310b4ccd784d65a5beb41efa15dc9372e3711d33763c2e71ad85a1260e87fc8a2af27acdfa20b30662c237eb2c4d80a03b

memory/2452-4655-0x00007FFD07EA0000-0x00007FFD08961000-memory.dmp

memory/2452-4663-0x000001A59B680000-0x000001A59B681000-memory.dmp

memory/2452-4676-0x000001A59B7A0000-0x000001A59B7CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\5ca54cbf\430cc5a2_cd65da01\rsAtom.DLL

MD5 6a2b63ae38acdb4f61deb62f46f4369e
SHA1 d4747d8a07da4b3ff816cf1cfe9145a4a346e461
SHA256 357168503a29efb026299edf75244e7d351fc242c395ee287c8bbb921e3985bb
SHA512 3de45dbe81adbfc7924c01f7d6edd2f1cd55f3f61cb7966f7161d9f9c0158e194fd54b8ac34f03c5238ef50425ebe458e2635d28d63417fbc539c37fa74d7c92

memory/2452-4699-0x000001A59B6F0000-0x000001A59B6F1000-memory.dmp

memory/2452-4695-0x000001A59B060000-0x000001A59B070000-memory.dmp

memory/2452-4747-0x000001A59B880000-0x000001A59B8AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nse19CA.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\8ad8af46\d483daa2_cd65da01\rsServiceController.DLL

MD5 76ce8938c606231d04dee716cd8821bb
SHA1 aa1875e39cb644e399afb00cbda3579b53b41e1d
SHA256 c551260bb657c15f87cfc5b001b5570a45a1c7279928032de6e5902705410c7b
SHA512 92b8e397beb759674a96589e1fc385f9671a7ce3a538ab565da2198eab4d2e05dcc3c5eedf98b9a2214a296e502b2fe16ea196f5aafa77b816e209b431e9199f

C:\Program Files\ReasonLabs\EPP\rsEngine.config

MD5 f64fac48dc7930a27d6c6cd47600edae
SHA1 9fe7d5aaecc51e29599adfc8e50c05642084c924
SHA256 028d66176c993fd94178b82a5bbc954837f333a64db626cebc72e7ea8fa817e8
SHA512 19ff3c2b0348fe232bf6d4dbc6caa0a94f0fb223c2686fff85c0a0b914497c577bf9f274c37eafcd5437bcf9f88d1ea5ed0488bae60ee6fe6bdc643bbb4b8554

memory/2452-4771-0x000001A59B740000-0x000001A59B741000-memory.dmp

C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

MD5 8129c96d6ebdaebbe771ee034555bf8f
SHA1 9b41fb541a273086d3eef0ba4149f88022efbaff
SHA256 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51
SHA512 ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

memory/7148-4874-0x00000264CAE90000-0x00000264CAEBE000-memory.dmp

memory/7148-4880-0x00007FFD07EA0000-0x00007FFD08961000-memory.dmp

memory/7148-4887-0x00000264E54F0000-0x00000264E5500000-memory.dmp

memory/7148-4888-0x00000264CCA10000-0x00000264CCA11000-memory.dmp

memory/7148-4894-0x00000264CAE90000-0x00000264CAEBE000-memory.dmp

memory/7148-4912-0x00000264CCA60000-0x00000264CCA72000-memory.dmp

memory/7148-4913-0x00000264CCAF0000-0x00000264CCB2C000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 43fbbd79c6a85b1dfb782c199ff1f0e7
SHA1 cad46a3de56cd064e32b79c07ced5abec6bc1543
SHA256 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0
SHA512 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

memory/7148-5046-0x00007FFD07EA0000-0x00007FFD08961000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 376cd66a447c9f5741d665ed7bb8f0d5
SHA1 5d462b9ef41dbeaa8004cb110d4a69909fc2e096
SHA256 ecd1a40b5b16d11ab70d2998aed610c522356cf6b3a05d465d8d6c8f3679259a
SHA512 3c044027f091be2dfcefbfa8b16c3f9abc71b97a3ce3db83fa58b08dab25eefc17d1642fb3653b969acecc6344ee9c44ef18b07d5109b3264d8ece2b5a26a366

memory/6784-5081-0x00007FFD07EA0000-0x00007FFD08961000-memory.dmp

memory/6784-5136-0x0000027FAF230000-0x0000027FAF596000-memory.dmp

memory/2452-5137-0x000001A59B060000-0x000001A59B070000-memory.dmp

memory/6784-5143-0x0000027F96550000-0x0000027F96551000-memory.dmp

memory/6784-5149-0x0000027FAF5A0000-0x0000027FAF71C000-memory.dmp

memory/6784-5155-0x0000027F965A0000-0x0000027F965BA000-memory.dmp

memory/6784-5156-0x0000027F96610000-0x0000027F96632000-memory.dmp

memory/5588-5173-0x0000022868CB0000-0x0000022868D02000-memory.dmp

memory/5588-5175-0x00007FFD07EA0000-0x00007FFD08961000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

MD5 2afb72ff4eb694325bc55e2b0b2d5592
SHA1 ba1d4f70eaa44ce0e1856b9b43487279286f76c9
SHA256 41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e
SHA512 5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

C:\Users\Admin\AppData\Local\Temp\jxfj4jpx.exe

MD5 d97d903c0a3bddd1178e3e03125afe3d
SHA1 b63b5a000ccb219826fa1526687816703f4fcd87
SHA256 467371d4ef420242c578bd15fc8ba36d945e90b6cb3fec1f75d37f3cd5af3815
SHA512 113fe0a4f8d7b7fc69d9580608f471860a4b01282e2d84126d7db3107b38ab2315ee134789a4ee14eb2bba3772a06a6f1e88961e1a9642cca282e926372ad851

C:\Program Files\ReasonLabs\VPN\InstallerLib.dll

MD5 babb847fc7125748264243a0a5dd9158
SHA1 78430deab4dfd87b398d549baf8e94e8e0dd734e
SHA256 bd331dd781d8aed921b0be562ddec309400f0f4731d0fd0b0e8c33b0584650cd
SHA512 2a452da179298555c6f661cb0446a3ec2357a99281acae6f1dbe0cc883da0c2f4b1157affb31c12ec4f6f476075f3cac975ec6e3a29af46d2e9f4afbd09c8755

C:\Program Files\ReasonLabs\VPN\rsEngine.Core.dll

MD5 96cbdd0c761ad32e9d5822743665fe27
SHA1 c0a914d4aa6729fb8206220f84695d2f8f3a82ce
SHA256 cc3f60b37fec578938ee12f11a6357c45e5a97bd3bccdeb8e5efb90b1649a50b
SHA512 4dde7e5fb64ee253e07a40aaf8cbc4ddaaeeeafc6aeb33e96bc76c8110f26e2c3809a47266cb7503cbc981c6cb895f3eaae8743d07d6434997684e8d6a3d8eb0

C:\Program Files\ReasonLabs\VPN\ui\VPN.exe

MD5 4d7d8dc78eed50395016b872bb421fc4
SHA1 e546044133dfdc426fd4901e80cf0dea1d1d7ab7
SHA256 b20d4193fdf0fe9df463c9573791b9b8a79056812bb1bba2db1cf00dd2df4719
SHA512 6c0991c3902645a513bdee7288ad30c34e33fca69e2f2f45c07711f7b2fdc341336d6f07652e0d9e40fbac39c35940eda0715e19ef9dfa552a46e09e23f56fdf

C:\Program Files\ReasonLabs\VPN\rsJSON.dll

MD5 8528610b4650860d253ad1d5854597cb
SHA1 def3dc107616a2fe332cbd2bf5c8ce713e0e76a1
SHA256 727557ec407cadd21aa26353d04e6831a98d1fa52b8d37d48e422d3206f9a9c4
SHA512 dd4ff4b6d8bc37771416ceb8bd2f30d8d3d3f16ef85562e8485a847a356f3644d995942e9b1d3f9854c5b56993d9488e38f5175f3f430e032e4091d97d4d1f7d

C:\Users\Admin\AppData\Local\Temp\nskF34C.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\7299a347\b78307ca_cd65da01\rsLogger.DLL

MD5 148dc2ce0edbf59f10ca54ef105354c3
SHA1 153457a9247c98a50d08ca89fad177090249d358
SHA256 efe944c3ae3ad02011e6341aa9c2aab25fb8a17755ea2596058d70f8018122a4
SHA512 10630bd996e9526147b0e01b16279e96a6f1080a95317629ecb61b83f9ebee192c08201873ff5df2de82d977558b2eeb0e4808667083cd0f3bf9f195db4890d5

C:\Users\Admin\AppData\Local\Temp\nskF34C.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\1ee94433\50f9fdc9_cd65da01\rsAtom.DLL

MD5 3ae6f007b30db9507cc775122f9fc1d7
SHA1 ada34eebb84a83964e2d484e8b447dca8214e8b7
SHA256 892a7ee985715c474a878f0f27f6832b9782d343533e68ae405cd3f20d303507
SHA512 5dd37e9f2ac9b2e03e0d3fd6861c5a7dcb71af232672083ac869fc7fae34ac1e1344bdfabe21c98b252edd8df641f041c95ea669dc4ebb495bf269d161b63e5f

C:\Users\Admin\AppData\Local\Temp\nskF34C.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\51bc0bf8\b78307ca_cd65da01\rsServiceController.DLL

MD5 8e10c436653b3354707e3e1d8f1d3ca0
SHA1 25027e364ff242cf39de1d93fad86967b9fe55d8
SHA256 2e55bb3a9cdef38134455aaa1ef71e69e1355197e2003432e4a86c0331b34e53
SHA512 9bd2a1ae49b2b3c0f47cfefd65499133072d50628fec7da4e86358c34cf45d1fdb436388b2dd2af0094a9b6f7a071fb8453cf291cf64733953412fdf2457d98e

C:\Program Files\ReasonLabs\VPN\rsEngine.config

MD5 04be4fc4d204aaad225849c5ab422a95
SHA1 37ad9bf6c1fb129e6a5e44ddbf12c277d5021c91
SHA256 6f8a17b8c96e6c748ebea988c26f6bcaad138d1fe99b9f828cd9ff13ae6a1446
SHA512 4e3455a4693646cdab43aef34e67dd785fa90048390003fa798a5bfcde118abda09d8688214cb973d7bbdd7c6aefc87201dceda989010b28c5fffc5da00dfc26

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

MD5 db3e60d6fe6416cd77607c8b156de86d
SHA1 47a2051fda09c6df7c393d1a13ee4804c7cf2477
SHA256 d6cafeaaf75a3d2742cd28f8fc7045f2a703823cdc7acb116fa6df68361efccd
SHA512 aec90d563d8f54ac1dbb9e629a63d65f9df91eadc741e78ba22591ca3f47b7a5ff5a105af584d3a644280ff95074a066781e6a86e3eb7b7507a5532801eb52ee

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallState

MD5 362ce475f5d1e84641bad999c16727a0
SHA1 6b613c73acb58d259c6379bd820cca6f785cc812
SHA256 1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA512 7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

MD5 d13bddae18c3ee69e044ccf845e92116
SHA1 31129f1e8074a4259f38641d4f74f02ca980ec60
SHA256 1fac07374505f68520aa60852e3a3a656449fceacb7476df7414c73f394ad9e0
SHA512 70b2b752c2a61dcf52f0aadcd0ab0fdf4d06dc140aee6520a8c9d428379deb9fdcc101140c37029d2bac65a6cfcf5ed4216db45e4a162acbc7c8c8b666cd15dd

C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

MD5 afb68bc4ae0b7040878a0b0c2a5177de
SHA1 ed4cac2f19b504a8fe27ad05805dd03aa552654e
SHA256 76e6f11076cc48eb453abbdbd616c1c46f280d2b4c521c906adf12bb3129067b
SHA512 ebc4c1f2da977d359791859495f9e37b05491e47d39e88a001cb6f2b7b1836b1470b6904c026142c2b1b4fe835560017641d6810a7e8a5c89766e55dd26e8c43

C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

MD5 10a8f2f82452e5aaf2484d7230ec5758
SHA1 1bf814ddace7c3915547c2085f14e361bbd91959
SHA256 97bffb5fc024494f5b4ad1e50fdb8fad37559c05e5d177107895de0a1741b50b
SHA512 6df8953699e8f5ccff900074fd302d5eb7cad9a55d257ac1ef2cb3b60ba1c54afe74aee62dc4b06b3f6edf14617c2d236749357c5e80c5a13d4f9afcb4efa097

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

MD5 4646f4d652ddc1e8f4d63c1ec4cdf35f
SHA1 2c4d4ff5317934d4b557bc324ebf3398aa8fc613
SHA256 828fd877f3c53d6d9a73ab624f6fd3a60f62201e17e62f97b35e281a4f92c61d
SHA512 55cf0d0ccb10c6b380e2b1e393a3028663dd469b0bfb8b6f81f08db8fa35c42a55f10e4233fde9b9d19c03e5110b4bc40f3d5b1c954d83bf1f02f0560f8441fc

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\DawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\DawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\DawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\DawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\nsaBD92.tmp\System.Data.SQLite.dll

MD5 42e6e9081edd7a49c4103292725b68e2
SHA1 62f73c44ee1aba1f7684b684108fe3b0332e6e66
SHA256 788450452b0459c83e13da4dd32f6217bfb53a83bd5f04b539000b61d24fd049
SHA512 99eab89bf6297fda549c0b882c097cd4b59fd0595ff2d0c40d1767f66fa45172ca5b9693dbf650d7103353f1e1fb8e5259bbcde3dfa286dee098533a4a776e8b

C:\Users\Admin\AppData\Local\Temp\nsaBD92.tmp\System.ValueTuple.dll

MD5 29e6ae1a1af7fc943752a097ec59c59c
SHA1 6d5c910c0b9a3e0876e2e2bbbce9b663f9edc436
SHA256 cc9bf1feeab1d76221508d6cc98e8bdc1603d5c600c5ed09c108e31b8bd3a6a2
SHA512 cc6d55e5fd23c89d73ecbddfa92c102f47f8fb93f2f6a41d2e79708e6a8d7c13c1961dcd07810db3135d2f8ddcbf3535fb3ea3d1fc31c617ca9b10f6b867f9a5

C:\Users\Admin\AppData\Local\Temp\nsaBD92.tmp\rsTime.dll

MD5 f1e592a7636df187e89b2139922c609e
SHA1 301a6e257fefaa69e41c590785222f74fdb344f8
SHA256 13ca35c619e64a912b972eb89433087cb5b44e947b22a392972d99084f214041
SHA512 e5d79a08ea2df8d7df0ad94362fda692a9b91f6eda1e769bc20088ef3c0799aeabf7eb8bd64b4813716962175e6e178b803124dc11cc7c451b6da7f406f38815

C:\Users\Admin\AppData\Local\Temp\nsaBD92.tmp\rsDatabase.dll

MD5 d9cd9c6486fa53d41949420d429c59f4
SHA1 784ac204d01b442eae48d732e2f8c901346bc310
SHA256 c82540979384cdcadf878a2bd5cbe70b79c279182e2896dbdf6999ba88a342c1
SHA512 b37e365b233727b8eb11eb0520091d2ecd631d43a5969eaeb9120ebd9bef68c224e1891dd3bac5ec51feb2aee6bec4b0736f90571b33f4af59e73ddee7d1e2ad

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\b25a3fe7-8b2e-47c4-96bf-5a414b8bef80.tmp.ico

MD5 f24013e3882e90cf21d9b9fa90ea75dc
SHA1 5e4fee12ab5d6ce0d69e4bab097a920c2fc0f668
SHA256 a396cfc9038a81ed52465b423c8684eec93e858c6fbbb926ba52f7024b25bc72
SHA512 ff0cf22f9f6342747493f2fa2e47c725b16f2b235a3e3942f3598e1105daf27940ef6586fbf5d901628f84b20703b89ba759a08d7f2a2cfa4763c46db233bfd2

C:\Program Files\ReasonLabs\DNS\Uninstall.exe

MD5 51c0de01da9a26c8fa2e5c736a719c95
SHA1 87796aa35e391f62dc5728844301a0026c6e19af
SHA256 4cd9e781ec6354d4b55e2b60697c6bffd2b95ed007577f1479bdb75f09cc5ee8
SHA512 7f97f95b685cfa990c7fd5699e399529e35339c0e07e948edd6394648b0ba315935cbf3d89291479777bade84db58ec3ec8740f80a4aeafe8c5b681e666f73e7

C:\Program Files\ReasonLabs\DNS\uninstall.ico

MD5 beae67e827c1c0edaa3c93af485bfcc5
SHA1 ccbbfabb2018cd3fa43ad03927bfb96c47536df1
SHA256 d47b3ddddc6aadd7d31c63f41c7a91c91e66cbeae4c02dac60a8e991112d70c5
SHA512 29b8d46c6f0c8ddb20cb90e0d7bd2f1a9d9970db9d9594f32b9997de708b0b1ae749ce043e73c77315e8801fd9ea239596e6b891ef4555535bac3fe00df04b92

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\0ef90b5d-f3fa-4170-8e12-c037805bacaa.tmp

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Local\Temp\nsaBD92.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\ad1b2baa\dc8bd6ed_cd65da01\rsLogger.DLL

MD5 34d1913338ee6535fc54d110d207aa45
SHA1 9b64cfc2afc31047b3fae98e5bd37d819c589a98
SHA256 b4bb345955ad8fef66abb6dfa622889ff1a21d122d4536b0d78487eb06c3b916
SHA512 f9d563025859922d324545d0d61880e8507db9ac530bbac84ff783af14289df3363dd6100bb90ae0ba43e16e1ac0026ecdc2c7976e883364e07d781c2c610d85

C:\Users\Admin\AppData\Local\Temp\nsaBD92.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\fa60edc4\a65fafed_cd65da01\rsAtom.DLL

MD5 574c235d2c8c863142a416fca77b56ef
SHA1 94243446bf206e0016c9a2be3e743ad81578855d
SHA256 111d7b95ed7deab9e2ee9ba05f719fefe5907b58e7ffb7d9e76da96e266b83c6
SHA512 6a280abdfc09b7c66f7e8ac88215649eb8991eb84b4a4dcffc3016ead403f9b023c880b9b3fe516f8e863f954e4cf54a4a6400695ace4274f12c670485f47a9f

C:\Users\Admin\AppData\Local\Temp\nsaBD92.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\ad93b15d\dc8bd6ed_cd65da01\rsServiceController.DLL

MD5 dffac5c6540238457d747461f944f282
SHA1 11d5f809bb972c0693eea5f1b6227cb8f8dab5dd
SHA256 64cdd30df31260b1a6ac650446256ca5a411b2894633525e3ba04beecce6db76
SHA512 8ac2a74d2b13f0d8ebf4b4f1399f9979bcb4c2f15271c906c61de66c102e5e8ca3f38856208ed24f7ea93c79fe53d7a5d691d5182accaaf8efdcb6439cab2637