zgrat | e8e350c2476f187d80de266cbccc5df2d77f6ec495574fb318d6f0a4de4a6746

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

41KB
MD5

f873ab45d3c2f94b91c0902ed401c9a6
SHA1

f91d869bb27111dbdc0949c9c1ff66cdfc5891f9
SHA256

e8e350c2476f187d80de266cbccc5df2d77f6ec495574fb318d6f0a4de4a6746
SHA512

4876937b7614bf9e42b0ad70d0cbb0844d7bd54eb56e634bd9d7e8d4339212bc448adede8a6ac2d5c09eefd4488aee5d6c8932cdee5c2672e49f9668350ed4f0
SSDEEP

384:zT62SsZeTfpchFYNp8s91UYTyxsjKjnm2EEB42EEBbod2laHYz7u5rjOTFY0ccMv:P6RsCxchONhUbNoJpuZQimVA72TEu

Score

10^/10

zgrat discovery persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 7 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023f36-1717.dat	family_zgrat_v1
behavioral1/files/0x0007000000023f49-1709.dat	family_zgrat_v1
behavioral1/memory/6172-2328-0x0000024FE7BF0000-0x0000024FE7C44000-memory.dmp	family_zgrat_v1
behavioral1/memory/6172-2370-0x0000024FE8990000-0x0000024FE8BB2000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000023ffc-3205.dat	family_zgrat_v1
behavioral1/memory/5416-3861-0x00000232F2900000-0x00000232F2954000-memory.dmp	family_zgrat_v1
behavioral1/memory/5416-3889-0x00000232F2E80000-0x00000232F308E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\rsDwf.sys	SaferWeb-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsDwf.sys	SaferWeb-installer.exe
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEngineSvc.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	FrostWire.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	rsVPNSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	prod0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	frostwire-6.13.1.windows.tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FrostWire On Startup.lnk	FrostWire.exe

Executes dropped EXE 46 IoCs

pid	Process
3672	frostwire-6.13.1.windows.exe
5492	frostwire-6.13.1.windows.tmp
1084	frostwire-6.13.1.windows.exe
5168	prod0.exe
2444	bpnfmg50.exe
3400	RAVEndPointProtection-installer.exe
4080	rsSyncSvc.exe
3948	rsSyncSvc.exe
5564	FrostWire.exe
6448	rsWSC.exe
6536	rsWSC.exe
6272	rsClientSvc.exe
6208	rsClientSvc.exe
6172	rsEngineSvc.exe
3644	rsEngineSvc.exe
2752	obxsubs4.exe
2352	RAVVPN-installer.exe
3048	rsVPNClientSvc.exe
768	rsVPNClientSvc.exe
5416	rsVPNSvc.exe
6964	rsVPNSvc.exe
6956	rsHelper.exe
7164	VPN.exe
6936	rsAppUI.exe
2944	rsAppUI.exe
1152	rsAppUI.exe
3584	rsAppUI.exe
5624	rsAppUI.exe
1716	EPP.exe
1568	rsAppUI.exe
7044	juf2pymx.exe
3920	SaferWeb-installer.exe
3200	rsAppUI.exe
704	rsAppUI.exe
1760	rsAppUI.exe
4512	rsAppUI.exe
7224	rsDNSClientSvc.exe
7396	rsDNSClientSvc.exe
7528	rsDNSResolver.exe
7796	rsDNSResolver.exe
2956	rsDNSResolver.exe
3136	rsDNSSvc.exe
7300	rsDNSSvc.exe
7704	rsLitmus.A.exe
2696	DNS.exe
8100	rsAppUI.exe

Loads dropped DLL 64 IoCs

pid	Process
5492	frostwire-6.13.1.windows.tmp
5492	frostwire-6.13.1.windows.tmp
5492	frostwire-6.13.1.windows.tmp
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
1084	frostwire-6.13.1.windows.exe
2444	bpnfmg50.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
2752	obxsubs4.exe
3644	rsEngineSvc.exe
5564	FrostWire.exe
2352	RAVVPN-installer.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
6964	rsVPNSvc.exe
6936	rsAppUI.exe
6936	rsAppUI.exe
2944	rsAppUI.exe
1152	rsAppUI.exe
3584	rsAppUI.exe
3584	rsAppUI.exe
3584	rsAppUI.exe
3584	rsAppUI.exe
3584	rsAppUI.exe
5624	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
7044	juf2pymx.exe
3200	rsAppUI.exe
704	rsAppUI.exe
1760	rsAppUI.exe
3200	rsAppUI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	rsEngineSvc.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_D5824721AFCD338CB437BB54334D6F98	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\206932163209AD483A44477E28192474	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E663C78920A8217B4CBE3D45E3E6236_75C1BD04B8F3DBF3882A89F51074A729	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\rsVPNSvc\WireGuard\log.bin	rsVPNSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\206932163209AD483A44477E28192474	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_D5824721AFCD338CB437BB54334D6F98	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0E663C78920A8217B4CBE3D45E3E6236_75C1BD04B8F3DBF3882A89F51074A729	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\FrostWire 6\jre\legal\jdk.crypto.cryptoki\ASSEMBLY_EXCEPTION	frostwire-6.13.1.windows.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fi.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll	frostwire-6.13.1.windows.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.rmi\LICENSE	frostwire-6.13.1.windows.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Data.Common.dll	RAVVPN-installer.exe
File created	C:\Program Files\FrostWire 6\jre\legal\jdk.crypto.ec\ADDITIONAL_LICENSE_INFO	frostwire-6.13.1.windows.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sl.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Security.Cryptography.Algorithms.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Diagnostics.Tools.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Linq.Expressions.dll	SaferWeb-installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-core-timezone-l1-1-0.dll	frostwire-6.13.1.windows.exe
File created	C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\rsDatabase.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Globalization.dll	RAVVPN-installer.exe
File created	C:\Program Files\FrostWire 6\jre\conf\net.properties	frostwire-6.13.1.windows.exe
File opened for modification	C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog	rsEngineSvc.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Runtime.Handles.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Security.SecureString.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Runtime.Serialization.Json.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sk.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Reflection.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Xml.XDocument.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\OpenVPN\openvpn.exe	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\rsBuild.Runtime.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsHelper.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Linq.Queryable.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog	rsWSC.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.transaction.xa\LICENSE	frostwire-6.13.1.windows.exe
File created	C:\Program Files\ReasonLabs\VPN\pl\Microsoft.Win32.TaskScheduler.resources.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Collections.dll	SaferWeb-installer.exe
File created	C:\Program Files\FrostWire 6\jre\legal\java.security.sasl\LICENSE	frostwire-6.13.1.windows.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.ComponentModel.TypeConverter.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Globalization.Calendars.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\OpenVPN\legacy\amd64\tapinstall.exe	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.ObjectModel.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\rsServiceController.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\ru\Microsoft.Win32.TaskScheduler.resources.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.IO.IsolatedStorage.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\rsEngine.Loggers.Application.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.DriveInfo.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\OpenVPN\legacy\i386\tap0901.sys	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Diagnostics.StackTrace.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\rsVPNSvc.Contract.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Security.AccessControl.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Threading.Tasks.Parallel.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.IO.FileSystem.Primitives.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\lists\smart_threat_intelligence_feeds.txt	rsDNSSvc.exe
File created	C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Primitives.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Reflection.Extensions.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Diagnostics.FileVersionInfo.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\Microsoft.Win32.SystemEvents.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Diagnostics.Debug.dll	SaferWeb-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.CompilerServices.VisualC.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Dynamic.Runtime.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe	SaferWeb-installer.exe
File created	C:\Program Files\FrostWire 6\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll	frostwire-6.13.1.windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FrostWire.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	FrostWire.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	frostwire-6.13.1.windows.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	frostwire-6.13.1.windows.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsVPNSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEngineSvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\DefaultIcon	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\open\command	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\open\command\ = "\"C:\\Program Files\\FrostWire 6\\FrostWire.exe\" \"%1\""	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\magnet\shell\open\command\ = "\"C:\\Program Files\\FrostWire 6\\FrostWire.exe\" \"%1\""	FrostWire.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_CLASSES\MAGNET	FrostWire.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\magnet\DefaultIcon	FrostWire.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\magnet\URL Protocol	FrostWire.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2860750803-256193626-1801997576-1000\{45B911DE-2C8A-4F0F-8B58-BCA47FCC2E67}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command\ = "\"C:\\Program Files\\FrostWire 6\\FrostWire.exe\" \"%1\""	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\DefaultIcon\ = "C:\\Program Files\\FrostWire 6\\FrostWire.exe,0"	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\open	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\edit\command\ = "\"C:\\Program Files\\FrostWire 6\\FrostWire.exe\" \"%1\""	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\magnet\DefaultIcon\ = "\"C:\\Program Files\\FrostWire 6\\FrostWire.exe\",0"	FrostWire.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\DefaultIcon\ = "\"C:\\Program Files\\FrostWire 6\\FrostWire.exe\",0"	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\ = "Torrent File"	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\edit\command	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\magnet	FrostWire.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\magnet\shell\open	FrostWire.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\ = "URL:Magnet Protocol"	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\DefaultIcon	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\edit	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\edit\ = "Edit Torrent File"	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File	frostwire-6.13.1.windows.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\magnet\shell\open\command	FrostWire.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\magnet\shell	FrostWire.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet\shell\open\command	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\ = "Torrent File"	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Torrent File\shell\ = "open"	frostwire-6.13.1.windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\magnet\ = "URL:Magnet Protocol"	FrostWire.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	rsWSC.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 4b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa25c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9040000000100000010000000285ec909c4ab0d2d57f5086b225799aa1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c2000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 905247.crdownload:SmartScreen	msedge.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	198	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3252	msedge.exe
3252	msedge.exe
2184	msedge.exe
2184	msedge.exe
3100	identity_helper.exe
3100	identity_helper.exe
3844	msedge.exe
3844	msedge.exe
4548	msedge.exe
4548	msedge.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
3400	RAVEndPointProtection-installer.exe
6208	rsClientSvc.exe
6208	rsClientSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
2600	tskill.exe
2600	tskill.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe
3644	rsEngineSvc.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
6664	fltmc.exe
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4108	wmic.exe
Token: SeSecurityPrivilege	4108	wmic.exe
Token: SeTakeOwnershipPrivilege	4108	wmic.exe
Token: SeLoadDriverPrivilege	4108	wmic.exe
Token: SeSystemProfilePrivilege	4108	wmic.exe
Token: SeSystemtimePrivilege	4108	wmic.exe
Token: SeProfSingleProcessPrivilege	4108	wmic.exe
Token: SeIncBasePriorityPrivilege	4108	wmic.exe
Token: SeCreatePagefilePrivilege	4108	wmic.exe
Token: SeBackupPrivilege	4108	wmic.exe
Token: SeRestorePrivilege	4108	wmic.exe
Token: SeShutdownPrivilege	4108	wmic.exe
Token: SeDebugPrivilege	4108	wmic.exe
Token: SeSystemEnvironmentPrivilege	4108	wmic.exe
Token: SeRemoteShutdownPrivilege	4108	wmic.exe
Token: SeUndockPrivilege	4108	wmic.exe
Token: SeManageVolumePrivilege	4108	wmic.exe
Token: 33	4108	wmic.exe
Token: 34	4108	wmic.exe
Token: 35	4108	wmic.exe
Token: 36	4108	wmic.exe
Token: SeIncreaseQuotaPrivilege	4108	wmic.exe
Token: SeSecurityPrivilege	4108	wmic.exe
Token: SeTakeOwnershipPrivilege	4108	wmic.exe
Token: SeLoadDriverPrivilege	4108	wmic.exe
Token: SeSystemProfilePrivilege	4108	wmic.exe
Token: SeSystemtimePrivilege	4108	wmic.exe
Token: SeProfSingleProcessPrivilege	4108	wmic.exe
Token: SeIncBasePriorityPrivilege	4108	wmic.exe
Token: SeCreatePagefilePrivilege	4108	wmic.exe
Token: SeBackupPrivilege	4108	wmic.exe
Token: SeRestorePrivilege	4108	wmic.exe
Token: SeShutdownPrivilege	4108	wmic.exe
Token: SeDebugPrivilege	4108	wmic.exe
Token: SeSystemEnvironmentPrivilege	4108	wmic.exe
Token: SeRemoteShutdownPrivilege	4108	wmic.exe
Token: SeUndockPrivilege	4108	wmic.exe
Token: SeManageVolumePrivilege	4108	wmic.exe
Token: 33	4108	wmic.exe
Token: 34	4108	wmic.exe
Token: 35	4108	wmic.exe
Token: 36	4108	wmic.exe
Token: SeIncreaseQuotaPrivilege	5388	wmic.exe
Token: SeSecurityPrivilege	5388	wmic.exe
Token: SeTakeOwnershipPrivilege	5388	wmic.exe
Token: SeLoadDriverPrivilege	5388	wmic.exe
Token: SeSystemProfilePrivilege	5388	wmic.exe
Token: SeSystemtimePrivilege	5388	wmic.exe
Token: SeProfSingleProcessPrivilege	5388	wmic.exe
Token: SeIncBasePriorityPrivilege	5388	wmic.exe
Token: SeCreatePagefilePrivilege	5388	wmic.exe
Token: SeBackupPrivilege	5388	wmic.exe
Token: SeRestorePrivilege	5388	wmic.exe
Token: SeShutdownPrivilege	5388	wmic.exe
Token: SeDebugPrivilege	5388	wmic.exe
Token: SeSystemEnvironmentPrivilege	5388	wmic.exe
Token: SeRemoteShutdownPrivilege	5388	wmic.exe
Token: SeUndockPrivilege	5388	wmic.exe
Token: SeManageVolumePrivilege	5388	wmic.exe
Token: 33	5388	wmic.exe
Token: 34	5388	wmic.exe
Token: 35	5388	wmic.exe
Token: 36	5388	wmic.exe
Token: SeIncreaseQuotaPrivilege	5388	wmic.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
5492	frostwire-6.13.1.windows.tmp
1084	frostwire-6.13.1.windows.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
2184	msedge.exe
6936	rsAppUI.exe
6936	rsAppUI.exe
6936	rsAppUI.exe
6936	rsAppUI.exe
6936	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
2184	msedge.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
6936	rsAppUI.exe
6936	rsAppUI.exe
6936	rsAppUI.exe
6936	rsAppUI.exe
6936	rsAppUI.exe
6936	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe
1568	rsAppUI.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5492	frostwire-6.13.1.windows.tmp
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe
5564	FrostWire.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 436	2184	msedge.exe	83
PID 2184 wrote to memory of 436	2184	msedge.exe	83
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 1156	2184	msedge.exe	84
PID 2184 wrote to memory of 3252	2184	msedge.exe	85
PID 2184 wrote to memory of 3252	2184	msedge.exe	85
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86
PID 2184 wrote to memory of 4052	2184	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2df146f8,0x7ffa2df14708,0x7ffa2df14718
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3984 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3984 /prefetch:8
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7152 /prefetch:8
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,2280466962406069994,7363771263818060453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4548
- C:\Users\Admin\Downloads\frostwire-6.13.1.windows.exe
  "C:\Users\Admin\Downloads\frostwire-6.13.1.windows.exe"
  2⤵
  - Executes dropped EXE
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\is-7VAJG.tmp\frostwire-6.13.1.windows.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7VAJG.tmp\frostwire-6.13.1.windows.tmp" /SL5="$9018E,1722489,926208,C:\Users\Admin\Downloads\frostwire-6.13.1.windows.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5492
  - - C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\frostwire-6.13.1.windows.exe
      "C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\frostwire-6.13.1.windows.exe" /S
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:1084
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic process where name='fwplayer.exe' delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic process where name='telluride.exe' delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5388
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic process where name='FrostWire.exe' delete
        5⤵
        
        PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\prod0.exe
      "C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\prod0.exe" -ip:"dui=b14b7d45-cf6a-4517-be56-622a70b8ef33&dit=20240506011453&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=89fe&a=100&b=&se=true" -vp:"dui=b14b7d45-cf6a-4517-be56-622a70b8ef33&dit=20240506011453&oc=ZB_RAV_Cross_Tri_NCB&p=89fe&a=100&oip=26&ptl=7&dta=true" -dp:"dui=b14b7d45-cf6a-4517-be56-622a70b8ef33&dit=20240506011453&oc=ZB_RAV_Cross_Tri_NCB&p=89fe&a=100" -i -v -d -se=true
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:5168
    - - C:\Users\Admin\AppData\Local\Temp\bpnfmg50.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bpnfmg50.exe" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2444
      - C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\RAVEndPointProtection-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\bpnfmg50.exe" /silent
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3400
        
        C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        7⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        7⤵
        Adds Run key to start application
        
        PID:4672
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        
        PID:5268
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:6256
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        7⤵
        
        PID:6408
        
        C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        7⤵
        Suspicious behavior: LoadsDriver
        
        PID:6664
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
        7⤵
        
        PID:6860
        
        C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies system certificate store
        
        PID:6448
        
        C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:6272
        
        C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies system certificate store
        
        PID:6172
    - - C:\Users\Admin\AppData\Local\Temp\obxsubs4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\obxsubs4.exe" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2752
      - C:\Users\Admin\AppData\Local\Temp\nssBDA0.tmp\RAVVPN-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nssBDA0.tmp\RAVVPN-installer.exe" "C:\Users\Admin\AppData\Local\Temp\obxsubs4.exe" /silent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:2352
        
        C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:5416
    - - C:\Users\Admin\AppData\Local\Temp\juf2pymx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\juf2pymx.exe" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7044
      - C:\Users\Admin\AppData\Local\Temp\nsy2524.tmp\SaferWeb-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsy2524.tmp\SaferWeb-installer.exe" "C:\Users\Admin\AppData\Local\Temp\juf2pymx.exe" /silent
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3920
        
        \??\c:\windows\system32\rundll32.exe
        
        "c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf
        7⤵
        Adds Run key to start application
        
        PID:3680
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        
        PID:4068
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:6744
        
        C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:7224
        
        C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -i -service install
        7⤵
        Executes dropped EXE
        
        PID:7528
        
        C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
        7⤵
        Executes dropped EXE
        
        PID:7796
        
        C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:3136
  - - C:\Program Files\FrostWire 6\FrostWire.exe
      "C:\Program Files\FrostWire 6\FrostWire.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:5564
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /C tskill fwplayer
        5⤵
        
        PID:5748
      - C:\Windows\system32\tskill.exe
        
        tskill fwplayer
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2696

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:3948

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6536

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6208

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:3644
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  - Executes dropped EXE
  PID:6956
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  - Executes dropped EXE
  PID:1716
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1568
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2224 --field-trial-handle=2228,i,17051730491944347771,10830846478565076129,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3200
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2504 --field-trial-handle=2228,i,17051730491944347771,10830846478565076129,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1760
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2800 --field-trial-handle=2228,i,17051730491944347771,10830846478565076129,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:704
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3864 --field-trial-handle=2228,i,17051730491944347771,10830846478565076129,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4512
- C:\program files\reasonlabs\epp\rsLitmus.A.exe
  "C:\program files\reasonlabs\epp\rsLitmus.A.exe"
  2⤵
  - Executes dropped EXE
  PID:7704

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
- Executes dropped EXE
PID:768

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6964
- \??\c:\program files\reasonlabs\VPN\ui\VPN.exe
  "c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
  2⤵
  - Executes dropped EXE
  PID:7164
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6936
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2268 --field-trial-handle=2272,i,13897633419986868392,12093214668600591665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3584
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=2520 --field-trial-handle=2272,i,13897633419986868392,12093214668600591665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2944
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2748 --field-trial-handle=2272,i,13897633419986868392,12093214668600591665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:1152
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3836 --field-trial-handle=2272,i,13897633419986868392,12093214668600591665,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:5624

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7004

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
1⤵
- Executes dropped EXE
PID:7396

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe"
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4840

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:7300
- \??\c:\program files\reasonlabs\DNS\ui\DNS.exe
  "c:\program files\reasonlabs\DNS\ui\DNS.exe" --minimized --focused --first-run
  2⤵
  - Executes dropped EXE
  PID:2696
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\DNS\ui\app.asar" --engine-path="c:\program files\reasonlabs\DNS" --minimized --focused --first-run
    3⤵
    - Executes dropped EXE
    PID:8100
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2300 --field-trial-handle=2304,i,8655675941224268201,5280026814190370223,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:6720
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --mojo-platform-channel-handle=2652 --field-trial-handle=2304,i,8655675941224268201,5280026814190370223,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      PID:3088
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --app-user-model-id=com.reasonlabs.dns --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2792 --field-trial-handle=2304,i,8655675941224268201,5280026814190370223,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:7268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:8172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\FrostWire 6\FrostWire.exe

Filesize
527KB

MD5
3548534fe1326cc27f9481195ee43056

SHA1
7ab036e17c59e7513894dc49288f7bbb55a85bb7

SHA256
28124e3395fa42f326fe5b3f59e1f50568adb729ea1c7c211c07e0b52441c9b8

SHA512
e58cb434f410f40d98f94ce3dc196452b6e7d4d68d5057990b7ee3b37a80992c32b417b402e35ed88228d0626538777ab7cfa0a22581fbb951a353b14f3ff6f2

Download Submit
C:\Program Files\FrostWire 6\jre\legal\java.logging\ADDITIONAL_LICENSE_INFO

Filesize
49B

MD5
19c9d1d2aad61ce9cb8fb7f20ef1ca98

SHA1
2db86ab706d9b73feeb51a904be03b63bee92baf

SHA256
ebf9777bd307ed789ceabf282a9aca168c391c7f48e15a60939352efb3ea33f9

SHA512
7ec63b59d8f87a42689f544c2e8e7700da5d8720b37b41216cbd1372c47b1bc3b892020f0dd3a44a05f2a7c07471ff484e4165427f1a9cad0d2393840cd94e5b

Download Submit
C:\Program Files\FrostWire 6\jre\legal\java.logging\ASSEMBLY_EXCEPTION

Filesize
44B

MD5
7caf4cdbb99569deb047c20f1aad47c4

SHA1
24e7497426d27fe3c17774242883ccbed8f54b4d

SHA256
b998cda101e5a1ebcfb5ff9cddd76ed43a2f2169676592d428b7c0d780665f2a

SHA512
a1435e6f1e4e9285476a0e7bc3b4f645bbafb01b41798a2450390e16b18b242531f346373e01d568f6cc052932a3256e491a65e8b94b118069853f2b0c8cd619

Download Submit
C:\Program Files\FrostWire 6\jre\legal\java.logging\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
248B

MD5
6002495610dcf0b794670f59c4aa44c6

SHA1
f521313456e9d7cf8302b8235f7ccb1c2266758f

SHA256
982a41364a7567fe149d4d720749927b2295f1f617df3eba4f52a15c7a4829ad

SHA512
dfc2e0184436ffe8fb80a6e0a27378a8085c3aa096bbf0402a39fb766775624b3f1041845cf772d3647e4e4cde34a45500891a05642e52bae4a397bd4f323d67

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
633B

MD5
c80d4a697b5eb7632bc25265e35a4807

SHA1
9117401d6830908d82cbf154aa95976de0d31317

SHA256
afe1e50cc967c3bb284847a996181c22963c3c02db9559174e0a1e4ba503cce4

SHA512
8076b64e126d0a15f6cbde31cee3d6ebf570492e36a178fa581aaa50aa0c1e35f294fef135fa3a3462eedd6f1c4eaa49c373b98ee5a833e9f863fbe6495aa036

Download Submit
C:\Program Files\ReasonLabs\DNS\ui\DNS.exe

Filesize
430KB

MD5
0969e0a4d0930b3863c7a5ae4a44c199

SHA1
8c6c08d3f88e4391179fa58a552f799038269278

SHA256
e6c522522579b4c3afe405301febad9a2cb65f63ee7800d5dd49dead7b865507

SHA512
c8f47598bb08cc605064edc8f0760994ed2415a32fd28f534773f8120e684ac14c4633d3650c29f7320a9dfe05bf53136c5f83e2fc977d040da17e89eeef3480

Download Submit
C:\Program Files\ReasonLabs\DNS\uninstall.ico

Filesize
109KB

MD5
beae67e827c1c0edaa3c93af485bfcc5

SHA1
ccbbfabb2018cd3fa43ad03927bfb96c47536df1

SHA256
d47b3ddddc6aadd7d31c63f41c7a91c91e66cbeae4c02dac60a8e991112d70c5

SHA512
29b8d46c6f0c8ddb20cb90e0d7bd2f1a9d9970db9d9594f32b9997de708b0b1ae749ce043e73c77315e8801fd9ea239596e6b891ef4555535bac3fe00df04b92

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
310KB

MD5
c3b43e56db33516751b66ee531a162c9

SHA1
6b8a1680e9485060377750f79bc681e17a3cb72a

SHA256
040b2e0dea718124b36d76e1d8f591ff0dbca22f7fb11f52a2e6424218f4ecad

SHA512
4724f2f30e997f91893aabfa8bf1b5938c329927080e4cc72b81b4bb6db06fe35dae60d428d57355f03c46dd29f15db46ad2b1036247c0dcde688183ef11313a

Download Submit
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
6d27fe0704da042cdf69efa4fb7e4ec4

SHA1
48f44cf5fe655d7ef2eafbd43e8d52828f751f05

SHA256
0f74ef17c3170d6c48f442d8c81923185f3d54cb04158a4da78495c2ec31863e

SHA512
2c3587acab4461568ac746b4cdf36283d4cb2abe09fc7c085615384e92f813c28cf4fcb4f39ec67860eac9c0e4a5f15021aee712d21a682f8df654968ed40ea3

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
327KB

MD5
9d3d8cd27b28bf9f8b592e066b9a0a06

SHA1
9565df4bf2306900599ea291d9e938892fe2c43a

SHA256
97fe82b6ce5bc3ad96c8c5e242c86396accdf0f78ffc155ebc05f950597cdbd6

SHA512
acefc1552d16be14def7043b21ec026133aabd56f90800e131733c5b0c78316a4d9dc37d6b3093e537ce1974219154e8bd32204127a4ab4d4cd5f3041c6a8729

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
5KB

MD5
be90740a7ccd5651c445cfb4bd162cf9

SHA1
218be6423b6b5b1fbce9f93d02461c7ed2b33987

SHA256
44fa685d7b4868f94c9c51465158ea029cd1a4ceb5bfa918aa7dec2c528016e4

SHA512
a26869c152ed8df57b72f8261d33b909fb4d87d93dc0061bf010b69bad7b8c90c2f40a1338806c03d669b011c0cb5bbfcd429b7cd993df7d3229002becb658ad

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
257B

MD5
2afb72ff4eb694325bc55e2b0b2d5592

SHA1
ba1d4f70eaa44ce0e1856b9b43487279286f76c9

SHA256
41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

SHA512
5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
defbb0a0d6b7718a9b0eaf5e7894a4b0

SHA1
0495a5eccd8690fac8810178117bf86ea366c8c3

SHA256
c3d2f7e0ad6fd26578595fb3f7c2b202ab6fba595d32dfa5c764922145db0788

SHA512
55dab7ae748a668a2bb57deb6fbff07e6056d97b6f88850890610ac135b8839d3c61f4dc505d3f32cc09a3ff2ce80ce663d0c830f9f399367dc03c92ea7ca89a

Download Submit
C:\Program Files\ReasonLabs\VPN\InstallerLib.dll

Filesize
279KB

MD5
babb847fc7125748264243a0a5dd9158

SHA1
78430deab4dfd87b398d549baf8e94e8e0dd734e

SHA256
bd331dd781d8aed921b0be562ddec309400f0f4731d0fd0b0e8c33b0584650cd

SHA512
2a452da179298555c6f661cb0446a3ec2357a99281acae6f1dbe0cc883da0c2f4b1157affb31c12ec4f6f476075f3cac975ec6e3a29af46d2e9f4afbd09c8755

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.Core.dll

Filesize
325KB

MD5
96cbdd0c761ad32e9d5822743665fe27

SHA1
c0a914d4aa6729fb8206220f84695d2f8f3a82ce

SHA256
cc3f60b37fec578938ee12f11a6357c45e5a97bd3bccdeb8e5efb90b1649a50b

SHA512
4dde7e5fb64ee253e07a40aaf8cbc4ddaaeeeafc6aeb33e96bc76c8110f26e2c3809a47266cb7503cbc981c6cb895f3eaae8743d07d6434997684e8d6a3d8eb0

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.config

Filesize
4KB

MD5
04be4fc4d204aaad225849c5ab422a95

SHA1
37ad9bf6c1fb129e6a5e44ddbf12c277d5021c91

SHA256
6f8a17b8c96e6c748ebea988c26f6bcaad138d1fe99b9f828cd9ff13ae6a1446

SHA512
4e3455a4693646cdab43aef34e67dd785fa90048390003fa798a5bfcde118abda09d8688214cb973d7bbdd7c6aefc87201dceda989010b28c5fffc5da00dfc26

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
388B

MD5
7be55b43adf34af56507a773938c3053

SHA1
682bc8ca35da4672324fc4105adb3dd0f29e6f9e

SHA256
a9236a11ddff879af551ed9cb5298bf2e3bf8318030c7607bbb931ebf2e6c16c

SHA512
d6cd79eff0cf4c2df014166d4000c123de50323ca6adee59351b68f3e78bca1a9baf8423d2111b5bb145abe086c1c6e0e444cdd27a6cd462b453f978e2954cf3

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
633B

MD5
db3e60d6fe6416cd77607c8b156de86d

SHA1
47a2051fda09c6df7c393d1a13ee4804c7cf2477

SHA256
d6cafeaaf75a3d2742cd28f8fc7045f2a703823cdc7acb116fa6df68361efccd

SHA512
aec90d563d8f54ac1dbb9e629a63d65f9df91eadc741e78ba22591ca3f47b7a5ff5a105af584d3a644280ff95074a066781e6a86e3eb7b7507a5532801eb52ee

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\VPN\ui\VPN.exe

Filesize
430KB

MD5
4d7d8dc78eed50395016b872bb421fc4

SHA1
e546044133dfdc426fd4901e80cf0dea1d1d7ab7

SHA256
b20d4193fdf0fe9df463c9573791b9b8a79056812bb1bba2db1cf00dd2df4719

SHA512
6c0991c3902645a513bdee7288ad30c34e33fca69e2f2f45c07711f7b2fdc341336d6f07652e0d9e40fbac39c35940eda0715e19ef9dfa552a46e09e23f56fdf

Download Submit
C:\ProgramData\ReasonLabs\EPP\Logs\err.1.dat

Filesize
643B

MD5
4786bfc14496258f89306937684d611e

SHA1
5db00893917b7ffdb75a0784988540b7ddabb88b

SHA256
607f8c8d635bd2842e1e6fd245ee3c592d8191c31b1ef18546a75c8082b81aaf

SHA512
1204dd7f5037db2f68d8f6d2cf962437f8ec586dd4717ce8ea9ccaa71461a8cfd2f4fed58db3f0c6cb02883301ed1bf2e5fe209483f7676f0e0168a9ae7e342e

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

Filesize
5.1MB

MD5
d13bddae18c3ee69e044ccf845e92116

SHA1
31129f1e8074a4259f38641d4f74f02ca980ec60

SHA256
1fac07374505f68520aa60852e3a3a656449fceacb7476df7414c73f394ad9e0

SHA512
70b2b752c2a61dcf52f0aadcd0ab0fdf4d06dc140aee6520a8c9d428379deb9fdcc101140c37029d2bac65a6cfcf5ed4216db45e4a162acbc7c8c8b666cd15dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E663C78920A8217B4CBE3D45E3E6236_75C1BD04B8F3DBF3882A89F51074A729

Filesize
1KB

MD5
ac6f1b6226236fc12f09e227e4114b92

SHA1
04899b770b765183ee1c8e44a06c1c29e49c54ba

SHA256
6287e48827dac836850bf6470d7bbb0c84baed2567bf71a97e55712a05c87b50

SHA512
f037d8eb1539095dffc20bc25d11da23f157edb77a146163522a066efde9e51ad5f6c70824f8c899d88786e42e438a31500e96312303c80eebe10044f64110d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
034ee7b03040d7b9a5b6159b449cc9f6

SHA1
ab9536ca75875d7cccb59775eadf7b6609e7ec9a

SHA256
c6f764e840661e9ed31e318d026f88b1fc758bcd7734c54dcac6283adedd821b

SHA512
88b711d0092d355db907b56377354dc6f84b17cc9b6365c6b9ca65ee6a7b8e49ee5e0345c1f7b9ebb9f0a3b8847e0962053000f9331939e60dfab0727b7f9644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4e96ed67859d0bafd47d805a71041f49

SHA1
7806c54ae29a6c8d01dcbc78e5525ddde321b16b

SHA256
bd13ddab4dc4bbf01ed50341953c9638f6d71faf92bc79fbfe93687432c2292d

SHA512
432201c3119779d91d13da55a26d4ff4ce4a9529e00b44ec1738029f92610d4e6e25c05694adf949c3e9c70fbbbbea723f63c29287906729f5e88a046a2edcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1cbd0e9a14155b7f5d4f542d09a83153

SHA1
27a442a921921d69743a8e4b76ff0b66016c4b76

SHA256
243d05d6af19bfe3e06b1f7507342ead88f9d87b84e239ad1d144e9e454b548c

SHA512
17e5217d5bf67571afb0e7ef30ac21c11ea6553f89457548d96ee4461011f641a7872a37257239fa5f25702f027afb85d5bd9faf2f2f183992b8879407e56a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
37KB

MD5
ad41c0bf481fc026fb5dd7bc5d42a587

SHA1
8d76e29ea2a0756681e4a018d06b941fc690c4fd

SHA256
2205a91208045c5071d38404e02305882d7920beeb6ac0aa56f52e63bd30eae8

SHA512
649bd4b3c4858566d6862a276d595b75b4ac8489559df676cf4275edfc6073013b9880dd59c12a43aba9c878542bb232e13188c9c74d46092cbba31dc49d63d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
1.1MB

MD5
e1fa400b88074ef1538b045e991a80ae

SHA1
f78a27e18dcd8d4588eca704c9fa65c56dafe8ff

SHA256
12a8bf9b83035a813a30ff45cb2fcc12cca4583901374e09711da33d8dc36ed7

SHA512
41412a8681e481b5969dbd47fd5a03f873b99b5da938d8d5def8ffaf317c08ca73ab52d07643ae3dd07db6f65d6a3b61ad04c003f29f98c812f782f7dbc34314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
29KB

MD5
75207c58a71cad61c6e4d809b70f9ff4

SHA1
4486665d881b29c4e50237031cd7993b270430ba

SHA256
b8a097432b7be8e8b10fabf46cfca706f8faf4776b18741ce260b24d4f2cd7f6

SHA512
72d1f8c644cc0630f67296db64818a9021f0949b926654190fe3136d5b0a22a0f42022f3c945e25d0da9560e9328bee145751a45c82c3aef27d5c3df0e1d4d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
20KB

MD5
b6c8122025aff891940d1d5e1ab95fce

SHA1
a0c7ca41d0922d085c358f5dde81ae3e85a8c9c4

SHA256
9954c64c68000f615e5066bc255eced1195d1f8b7dbc715f9062ddf9f147e87e

SHA512
e62a37b55b6b8d95c24fb624105ff6ff72f118e31760d0da1e8df8e8acf627ec6327c26dfa26df8535585877604c7948d2f621ccabc39beec49787e22c302c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
38KB

MD5
0f44a759d489937f1903670833c44a1e

SHA1
a3b5d4d14b294e46864ec6175965a8ddf6a48b3d

SHA256
c1deb0b334bad49c47fd206d65bedd552cbb2ec843153adfc30c4222cf9ee708

SHA512
ebad88c23834c034be9dce1d5d50dcbd74986891e29601fe23977cfba921ec2eb59cf0c453d660b8757f5db3552eb5c3f19bb00c139e6bccd8a70ea676fa4f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
21KB

MD5
fa9c0cc2f6e4ed707cd2a161959b592c

SHA1
a937c3b5f71817d891a8bb89f65f731e80002be7

SHA256
0f1c07c373222e329cdf746566536c0ff8d5a00561c95781fc50d496ae7a62e2

SHA512
dff98b975abc5d1333ccae047c3aefc6df6df6bebc35e2c35dcd0a491cb6f98ec87e86085540ac17861bf06c3bd4191f84adb47dc214e4c714a85230a992e662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
72KB

MD5
3eb93901c87fac55f4cc74264684de3d

SHA1
54f201947b9e65e668a426a3b19adda7e0e959c2

SHA256
3554391dc483e2890ca3b44b223544ce233cfb245af7acd09c22d7472f0396a3

SHA512
29b56673cf38823e923bc60886993ed8028732b36b3b64914cf74d5dd3ba6aa7eb315334a3b7ff52ba893fd146f1f6aad5dbab17fa6cb2e99978f79765e73f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
23KB

MD5
551d58c9d7fe68bee3c35e08be4a2f20

SHA1
4a39d8c5df523a65bc31ea0f2268ddd84af55475

SHA256
30ae1a0df0b29e92e33ac79d05668a2f9cb3f71da1da4e2739498a9af79bae4d

SHA512
78d15aa00ec9f9e768f6558a8c349e17d1a53491377a541c58be681d945faefd92202fbb3be910079eadc4b1af1a76dd5dfb99a395987e7f6b635295a4e48879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
74KB

MD5
cb349d6b6be6dd2285e22674a29db0bc

SHA1
79ad40655a3d4ad7a6adc2b4ee9f4f54764e4924

SHA256
03b2e39bfabba648764c5a222eac1c73987c462af47ca6c948390b5cc28b58d4

SHA512
132a819ab0df8595d518e8f5540a04129c0b1ffc3ab0b715e84071b82704913f2083ce20d5586758d6ad9ec5e93f222192945c6786bd7b50c87e7fa8fae7a0d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
16KB

MD5
547758413daeb20b8b4b43035b7c7ca2

SHA1
a37f4ecc9a15998e6c1685da7a7334448069c0ba

SHA256
f18bd955ec7d7aae33e5bb2ff407fc4d810115c787aa57248c11824c18d63e02

SHA512
18c974fd7384b8a40b4e46b714818d46a22b8ce06d0f6d53d5839233753a7930691a4fa615520898910c2f6aac19736c8598c58d9daa6b56e7d9eb4b1bebb6c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
101KB

MD5
dc6222db9bab5034afac9c623ff1bee6

SHA1
a89fc58081fa75fcbc129c3729472a20a285e0ed

SHA256
a8fbf97b8cf9f862a27f8aab39aaaf881d6c0f2cef04419638de91002f00f4aa

SHA512
b38d23ea44ac70a4bcc3aec197d544704c9c0312f262825bff490fe6bae61143e0ff512c93f94d17297b9687273f7929b4739f28f7fff601cb05f2baa8f594e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
56KB

MD5
bc8b4fb5efc99e3fc48b11faf7a028c1

SHA1
840348e6b662e3719544b76d88a35fb91a375ab9

SHA256
202e0b9ebef11dc4ea28dbb2728091308ca79b8438c37bf1d047de36c7d33650

SHA512
6fc4734c44eecf2325e040c3db95fa26901bc46065953ca08aa8c15ec0504cd53798f680d17f98f03ff80ee29996f3085eb488e484e25c71d2f2c05289ded215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
26KB

MD5
ed76b3230fad7ddbc073911373d8b828

SHA1
e03350537c19495628ea3c3827254483b14bcf10

SHA256
c277c9967f04a3483e9142dfcdea2656d7300d00e66f116de284e894d262460b

SHA512
70867212462d893f9212317c551e5265760f5af5fa7f856b38b8d9fdc896fd3c8a89dcb3ce2119a762db0cc38fc2b0fe3d3c1e2ebdf087bf5e7c5833816bff08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
65KB

MD5
14a08198ec7d1eb96d515362293fed36

SHA1
965d78c34637d1bdab6277805faecb6caa959669

SHA256
ca3ea16761b7d443c64cfd99dd1cf8aa84790a25bb4709582935956fe71d014d

SHA512
34acab25b3b994d3bdcdcd0fd64d0dabab4fad67cbf8367bf1dac0463014c2ed539249131cb180a2fb889697c210513747592a7bd76b56d2f75ad208ffc4a5a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
47KB

MD5
015c126a3520c9a8f6a27979d0266e96

SHA1
2acf956561d44434a6d84204670cf849d3215d5f

SHA256
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

SHA512
02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7a72cbca9edf7f62e31a5fa45661698b

SHA1
2055c1c5f82123aaf2e612b8fabd18ad360e1517

SHA256
0c95a078e5e5154328a5640c846c6bc9bd51b20636132947f3253f14d9bf6a83

SHA512
fe86420621f3213b9848dee640cb541bf9bd48af04fccd4dfa47208ba3e3b103646d68f03e894e0850f60f3a317ec97d27d5f8535ba448759716150d4d099105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
561d956ddb9e1de2bd9c8b3a39defbe7

SHA1
684c7697c82ae308e8967e2a0c75a0bf27982f09

SHA256
b4fc494b1ead1ed5a764fd3505b466dcc01ec2eb7e9ccbe2a9e2cf42a9f5e2aa

SHA512
a665e6781511b624535dec68a0442fa072d9c7d6b0ca3a889d56100ca68df98fc27008dfe3e291a4dfbcd96bb5425da58f89c209ac0b0e250f3a6a1f8517f1aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ad34274a4d8e11c102b1a18eda8c7a40

SHA1
f1f3fcd48be489a2378ab7a4d0a8d17b6b9fbeaa

SHA256
1dcae5b4ed381aaeac1f5b0e86f67cb8060131fc3854e383751b3bbd4a2ba91a

SHA512
eb3c7a5db581af21ea9298b18ddfbaeab6beac001af34361c51c939ba787ed7044dc565d68a84619da17d355d33435d5af7dfe0521be28695b45de5afe304499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a56552de9cec5250526d20215ec5941b

SHA1
d3d292289b75fe1dafa42c04dcc1e53d188cfc74

SHA256
04eef6a5bf29618657e89f134649cdfa06ba9d5b304e2b8076e2911888a55ee0

SHA512
ab068a515dc3608575c58ca59759cb437211160f643a87a6445997d0114d3cbe7558448d9d36b9490f76b526978f0d5595c3b884f7932aabbcd744fed0ebaede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cefb67cbe771af220569ade30fbcdf45

SHA1
2cdc344a2475ea18695349f0f14ae6a6d0227d37

SHA256
82bedcdf710020d8766ae88e8d40915ac9d58c730810d5817fd43932983755fe

SHA512
48d605b63d1588b920dddd5d3c99fdca5c3abd334aa7f6e880b7c76193db74b551987b1e001f184e2189a7ead4f11c33a71467798035ae040b8d80b332f9a78c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e1da1f666823fa3843229ced8287f80c

SHA1
dddad6ae1b8d9d044de35004af2b52a238e7e762

SHA256
a8b3f4a85ef775955f867a8c04b4a9774eca0f65b0d601adbba42f5cfe473ff1

SHA512
5aba6b3f47c6985665da7dec84fe54aa8eaf4d7fd7b00cb8c5c3405d3f535894d60e08081557972ad9027c239953eb14407485578ae11d5c7d2adecf48c4f405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3294ace65314025b4b797e17829d7304

SHA1
9dc943aba81692a51024fe765d89ee84b7e33c1a

SHA256
06b3d5c09cac788379eada8bd91f486d24e9d2c89d6ddf77d12b5825f404a67b

SHA512
583c7f7bbf0debd17e2ee940c2772fcd3801763f15ea3fcb1c498ed9c55316846b216c3164fd08be8c0d846aea586ccfe9e4ef596e6675a218f875fb45333cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
33649ed27856b061b135ca0ab8760e92

SHA1
d47f9b0102bd01abe9605c31208a417068349309

SHA256
8f9c9c3ab3d577b0a686102a5ad8f03f194d0737df606ae5a3dedff13dc1be2e

SHA512
465ce340dab5b2f1bd7f0245ec01cd70b59af5cf997506c9100422de6134473c326c8b44262aa052a34457acfdda208936e46301351c9ef29068538e7c8e66c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
56ad8b0129a40efe384e0796ccea3d5c

SHA1
9622ba928ac971300ceb1e79e613f2035938e059

SHA256
35248ba8a3607c34a07fb6607d1ac543378bf3a5fcb008d2e46de94e50dfeed1

SHA512
4e59d449507ebe48cbbb9b90feb1c465de7c0c4d83c736209beaa346e135676074b973f039799734956d66c04543af37fa2b399db1a58f3a5025b81a20326268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
36c3ae97bf2bb68612993957ea903591

SHA1
3fdba4c6c58ebdb647913eff2b6e12a81604d6a5

SHA256
dc20a7a2aa58d8ed4bc75e315b809d3db18b0c8c6fc05a1ed92b6f7b32b77ba5

SHA512
2c085b30bb8db541d0162f28ea882ab5e9dbbe9a155cb434891b8d233d4141e9dba57fe315cd1fff1aae3df84cc6c7bc5491132aca7582ff222a1aaa1bc89811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578b19.TMP

Filesize
538B

MD5
84a05faeab3f19250eec6d3ed1fb28ab

SHA1
4dcadfa5fed0cbf10f1946169e8571c5b0109ca0

SHA256
f05d53550dc1dd2615f81ab07f521301806b0b01036553a200c768ba6aebb28a

SHA512
b510af96418cec4d1809b22a562c6f144de8532be106ce7e68a26063cb4c2d2d20544e5f5939c0ad35e059f8f09b045065c07dc267e974789476d1a662ebe3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6fa84f15e8f5a9afae5b87c2a8961cc4

SHA1
8202ed961de0c2727386436df0ab2337b953fa21

SHA256
6464bc3fb48f6d9fd78e3f32e074182c44fe92a96dd7648b1dfa1cc8af52778e

SHA512
7933b225f05590d6546c8ace9caab89d6e244b31718f82d0403ed730708170cb2e402536cf4f710b91d933277773780048084cd7dfb905bb31f3684375678dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b9b5634c00e63fc59da46acc71d1d9b5

SHA1
f7443cc205a5eb86144cbab1761ab928a7936548

SHA256
21160e9d3ed94c7b94529106208d2828c6b19c12d38b4fea471422361d8a6369

SHA512
9d21cf800752cdebf4ec59b0e35bb2369a54895848de6ba491d90e692ec9179bb83c48407b2f13c107b0512a2d95621ff64cae9b821b72cb8813ce5b53d97716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6aec57093dd560cac6de59ab4af63d5e

SHA1
f0b5de8e03a6b56d49c6324cee0e5a6f86bf7cac

SHA256
538f82beb3e09ecebfd7bba66006a67c2e86e8ac8176bc1f6dff52393deab99e

SHA512
35c2bbe560f0306811ffb542f2885ba698d16e878012e6ee24fb1959dd4533929b48ad2b3cd522adb4b3faef502c7dc8064ec708f6ffebae4548a92cc4725b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\bpnfmg50.exe

Filesize
1.9MB

MD5
04d02ea20d46a6e381d28c9efc136eeb

SHA1
31ac236279d176659792fbb9facf5f1c17e7e3f4

SHA256
4269d5093858c94cd20f8dc75dc5d01029fdeb6a3b8fc88cd369fbb6af9b9c3b

SHA512
8e4eb6a64af568bd1fa1a742e12c973201a37eff5a49bff0920a0ae0cad0cb3008c5862299a51082224ea1777b268536d88759c59ce91e0d3ce9798f7b1630bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio12122662314970341694.tmp

Filesize
692B

MD5
25c4e70099f2daf3f04fafa8b5a05aaf

SHA1
7a8c3d9b4479a1814be2eb2a91994a5cc337ede2

SHA256
1f45ce3f19719abff65e94f65bbedd3283922c9541dcc723382d7bd32933f481

SHA512
471e9a3c99a491f63abf20b4e9ed9a05f0e456206c0ecca48716bad1addb97380b19a523a4f8b9a5869a974cc827838e24087e2fc54cf1de9392e080121d441f

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio13394044298917505817.tmp

Filesize
1KB

MD5
030b1e8197ccde1ea0752adf5793c9c6

SHA1
de5b7be8f2f6034606b4da82e9eab42db273f436

SHA256
8e0421f72670cb77f971553fb170dc68a49b537591b2827a0f5b4ef2f79fefc7

SHA512
bc8eb953da5e77fd336ea8ee83587d9b5bf907859a4a574624dfb6023a2562e7c028c94f618b3890a6e6b3f182ad08fb4abbd6577b2b2584ad2ba6b7d8c6973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio13878268649921604037.tmp

Filesize
1KB

MD5
221b956bbee7bed6bf0268c1848b6c1f

SHA1
c650115597bb2132e4a6f31676e8e176b0fde541

SHA256
8656449ea4832516a12a3b0bad4b0405c75bd3dee8ec88881060b9dcb159509c

SHA512
3f222d3517badaacf1465bd03ec274b718c6cab25c182b2e522eceba36e27d5e09c1bd220c73b9c15b6877e823340370c4f41a698f3ac1fdedbb0a5b01ba564f

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio15997032680793853045.tmp

Filesize
1KB

MD5
36d1d531c3ee365ce44ab56484d5c247

SHA1
aaa7aecc30575d3ce0843b0ae010688a578a00f3

SHA256
7fe4e2425c5ff3f7752d2dc0931df2fcf09b0541b2ef1686c959b391cb9842e7

SHA512
f351910a6c68f314d1a0a6f29f7f34ca203b8636a55d85c0ae76ba6e31bc0ad9b9bfc66263a819c9fe38844d58bbefea687b0377d4e8ca534672d4f47b2fe942

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1708742233746632965.tmp

Filesize
476B

MD5
1b67471cba6bc5ad662b0611441df3a0

SHA1
a59b8e59ac9889bd1e427ff9758e9b1018798838

SHA256
0fad867898dd730b558da7f189e03ef57c0c605e02837b3b03e746ff48e67cff

SHA512
3661ab1aeced113cefd899b06a179a468f92b3ea16570e8df9d0c6da5dc735c4f4b41d1ade17330097b08d98d076b66e2ecd8016a55abec9cd18ac6eee7a7c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio17743587771343947251.tmp

Filesize
1KB

MD5
ffe699a13ebc36887b49346a518460b0

SHA1
7f9a78d6373ed06589c963b48621c532439c749e

SHA256
4e63c145af2f345670e4f59f992bd8cffb4adea6771d6f92141b17e5036744d9

SHA512
acbd257144ef802a504f67e7628af54075474f5d2d6fd6ebb8abef5b319e184dea84e8c3b3399e768794571e8203180ad259c7f782b6de636e0a004963f0e2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio8320194120177644159.tmp

Filesize
1KB

MD5
661d8692a070d5b2a26008313517f38e

SHA1
960baee8adf4a4c56a8e8311b0a88d80f629600d

SHA256
f7d4cb9e0c90eb3cadd21142f96845e7fa823f6748accf24f1b5e42cffe93e45

SHA512
c6d0185993787ee4ece986bb2c6647c99902e013acb62831e72b48769442e3d1a8185aab5eec3705e4b8a4aaf71d38a6fabac638bb803dbe4310c3994602e8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio9616558008958698064.tmp

Filesize
1KB

MD5
823c02547be99f8191ea69269d973050

SHA1
8f69c092f13856dbe86cc2de54c93b2848f4e012

SHA256
493eb1bbca7ead6119a584beaa6e39f909bd38c3e1ccdf0a36abbf7b0d81c27f

SHA512
7f6fca9881cbb359ae12d19673cf9406ed7d50987bed7406a39c7be231a9fe3c30cd1e90ae9997588eb274382b28ae8725511f8ce54de73048453acd7590dacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio9621805304823389370.tmp

Filesize
557B

MD5
40f34b6525884ae79d38b0dfa289e945

SHA1
f59ea4084fcc4bcff0400bf28ddc7f3910f8c49d

SHA256
a1fdffac95ced65d5a3a3c9b3a379c85dea96000a2b341b19d0dee014f0953be

SHA512
df9986b825ea3ea07a0e166553d338f9415c65473093da2b84bd15ddc0dd8a7f3486cb5d8cd8473878e50caace57b3e293abacfcec32bf6d877640f5c805597d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7VAJG.tmp\frostwire-6.13.1.windows.tmp

Filesize
3.1MB

MD5
aa5ee2c782d231b8577c4e94631c8555

SHA1
7afa6a196695f60f277fea5f176e1e3c341a1a2b

SHA256
3fcea5841d20956292fe90b49dc671e8b4049e1855895a8c23e6fd18554b69f8

SHA512
5d8937156675003d70de9228886836aeff0338abe28d8fad993d7548d3244c7ad5320d1d471445ea8834d3cd76482f77dc5b5be68ae84580808b055de6f1675c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\WebAdvisor.png

Filesize
33KB

MD5
db6c259cd7b58f2f7a3cca0c38834d0e

SHA1
046fd119fe163298324ddcd47df62fa8abcae169

SHA256
494169cdd9c79eb4668378f770bfa55d4b140f23a682ff424441427dfab0ced2

SHA512
a5e8bb6dc4cae51d4ebbe5454d1b11bc511c69031db64eff089fb2f8f68665f4004f0f215b503f7630a56c995bbe9cf72e8744177e92447901773cc7e2d9fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\finish.png

Filesize
2KB

MD5
d317489166a62cd09e017685085bcc45

SHA1
d3e086ca40f4a152f25cce173459f9c0b9dcdbe6

SHA256
2681a3a584b983b5497d7b5d082f779ab40f35b55b97f297a4f93c87c483a34a

SHA512
9b5151e222dd4bdcf9178f8eed3078ab3734d3c330fbcadfe9bcd3453d12d657043489184f4fbe3d9e064d83112a75130746cd997133dad080231444de169180

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\loader.gif

Filesize
10KB

MD5
f23a523b82ad9103a9ac1dcc33eca72f

SHA1
5363bb6b51923441ef56638576307cc252f05a71

SHA256
59853c413b0813ded6f1e557959768d6662f010f49884d36b62c13038fac739c

SHA512
514ec63f7ed80d0708f7e2355fad8a558b4dcf2d0122ff98fe7c3ca1f40e7cd04e8869ca7a3b95622c0848c0d99306d7e791b86ca69b9e240beae959ca6285be

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\logo.png

Filesize
9KB

MD5
53deb7aecf155880604ed15545098fe0

SHA1
6ac950913e77f214b722cd8efa386bf9e9f441bb

SHA256
c27f37b57950dadcb4a7744f27f28c9e2353819981fd21ca9f5edbeb243a6b63

SHA512
8649cc41c395b8c95721a4022bfb25d07656df56c699b5d9177942b27401179366f1056bf45910da0a0f81ef5c6e7b3a17c18fa8592377ac9639b8a43edc6cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\prod0.exe

Filesize
44KB

MD5
7a7a61fd7082a5c1a1bc82c668061053

SHA1
5f943c210dfddc03e2a5781b1041b3327a492e03

SHA256
096946e2681c88623cf0aa3298ff62878a8c8fa5fce453e9d07a1f9d25096d8b

SHA512
bd5343e47df0a77f469a704acfccf03c9be2861ffb6b6e4b7c373851b170f06571df41e41c0bb6aacff2aadea9f33dd9e64733154cfc31323706e8b2cd574101

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0BVA.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
C:\Users\Admin\AppData\Local\Temp\juf2pymx.exe

Filesize
1.4MB

MD5
fb0c6a32a852c43050d49d78d017db0b

SHA1
8d93cf4dc4e2571462fb2769e0bc1d16127fa990

SHA256
bde0bc73cb8bb1cc27d14311b99f0baaee46af5b079caee29538a6d1f8c36b6a

SHA512
9a2847d3377dbeea9d369b1ee31abc476cd4ef0f825b9725504b9e4a068db573461942c5b581645f555e21f951d8af0a96a934f68eb2755e97db9a936777b9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg5511.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBDA0.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\28f88dec\6c4dedf3_529fda01\rsServiceController.DLL

Filesize
173KB

MD5
8e10c436653b3354707e3e1d8f1d3ca0

SHA1
25027e364ff242cf39de1d93fad86967b9fe55d8

SHA256
2e55bb3a9cdef38134455aaa1ef71e69e1355197e2003432e4a86c0331b34e53

SHA512
9bd2a1ae49b2b3c0f47cfefd65499133072d50628fec7da4e86358c34cf45d1fdb436388b2dd2af0094a9b6f7a071fb8453cf291cf64733953412fdf2457d98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBDA0.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\35ee324d\8701ebf3_529fda01\rsAtom.DLL

Filesize
157KB

MD5
3ae6f007b30db9507cc775122f9fc1d7

SHA1
ada34eebb84a83964e2d484e8b447dca8214e8b7

SHA256
892a7ee985715c474a878f0f27f6832b9782d343533e68ae405cd3f20d303507

SHA512
5dd37e9f2ac9b2e03e0d3fd6861c5a7dcb71af232672083ac869fc7fae34ac1e1344bdfabe21c98b252edd8df641f041c95ea669dc4ebb495bf269d161b63e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBDA0.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\5aa69bdd\6c4dedf3_529fda01\rsLogger.DLL

Filesize
179KB

MD5
148dc2ce0edbf59f10ca54ef105354c3

SHA1
153457a9247c98a50d08ca89fad177090249d358

SHA256
efe944c3ae3ad02011e6341aa9c2aab25fb8a17755ea2596058d70f8018122a4

SHA512
10630bd996e9526147b0e01b16279e96a6f1080a95317629ecb61b83f9ebee192c08201873ff5df2de82d977558b2eeb0e4808667083cd0f3bf9f195db4890d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssBDA0.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\a7517383\9224edf3_529fda01\rsJSON.DLL

Filesize
216KB

MD5
8528610b4650860d253ad1d5854597cb

SHA1
def3dc107616a2fe332cbd2bf5c8ce713e0e76a1

SHA256
727557ec407cadd21aa26353d04e6831a98d1fa52b8d37d48e422d3206f9a9c4

SHA512
dd4ff4b6d8bc37771416ceb8bd2f30d8d3d3f16ef85562e8485a847a356f3644d995942e9b1d3f9854c5b56993d9488e38f5175f3f430e032e4091d97d4d1f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\Microsoft.Win32.TaskScheduler.dll

Filesize
341KB

MD5
a09decc59b2c2f715563bb035ee4241e

SHA1
c84f5e2e0f71feef437cf173afeb13fe525a0fea

SHA256
6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149

SHA512
1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\RAVEndPointProtection-installer.exe

Filesize
539KB

MD5
41a3c2a1777527a41ddd747072ee3efd

SHA1
44b70207d0883ec1848c3c65c57d8c14fd70e2c3

SHA256
8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365

SHA512
14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\rsAtom.dll

Filesize
156KB

MD5
9deba7281d8eceefd760874434bd4e91

SHA1
553e6c86efdda04beacee98bcee48a0b0dba6e75

SHA256
02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

SHA512
7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\rsJSON.dll

Filesize
218KB

MD5
f8978087767d0006680c2ec43bda6f34

SHA1
755f1357795cb833f0f271c7c87109e719aa4f32

SHA256
221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

SHA512
54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\rsLogger.dll

Filesize
177KB

MD5
83ad54079827e94479963ba4465a85d7

SHA1
d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

SHA256
ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

SHA512
c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\rsStubLib.dll

Filesize
248KB

MD5
a16602aad0a611d228af718448ed7cbd

SHA1
ddd9b80306860ae0b126d3e834828091c3720ac5

SHA256
a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

SHA512
305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\rsSyncSvc.exe

Filesize
797KB

MD5
ded746a9d2d7b7afcb3abe1a24dd3163

SHA1
a074c9e981491ff566cd45b912e743bd1266c4ae

SHA256
c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3

SHA512
2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\2b78af9a\f9acace9_529fda01\rsAtom.DLL

Filesize
158KB

MD5
875e26eb233dbf556ddb71f1c4d89bb6

SHA1
62b5816d65db3de8b8b253a37412c02e9f46b0f9

SHA256
e62ac7163d7d48504992cd284630c8f94115c3718d60340ad9bb7ee5dd115b35

SHA512
54fdc659157667df4272ac11048f239101cb12b39b2bf049ef552b4e0ce3998ff627bf763e75b5c69cc0d4ef116bfe9043c9a22f2d923dbedddacf397e621035

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\70af7b9d\8a46b8e9_529fda01\rsJSON.DLL

Filesize
219KB

MD5
d43100225a3f78936ca012047a215559

SHA1
c68013c5f929fe098a57870553c3204fd9617904

SHA256
cc5ea6c9c8a14c48a20715b6b3631cbf42f73b41b87d1fbb0462738ff80dc01a

SHA512
9633992a07ea61a9d7acd0723dbd715dbd384e01e268131df0534bcdfcd92f12e3decc76aa870ea4786314c0b939b41c5f9e591a18c4d9d0bad069f30acd833e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\76f0350e\8357b9e9_529fda01\rsLogger.DLL

Filesize
179KB

MD5
b279550f2557481ae48e257f0964ae29

SHA1
53bef04258321ca30a6d36a7d3523032e3087a3e

SHA256
13fe4a20114cdf8cd3bba42eeaabe8d49be0b03eec423f530c890463014ccaaa

SHA512
f603cbac1f55ad4de7a561a1d9c27e33e36de00f09a18ff956456afec958f3e777277db74f0b25c6467e765d39175aa4fcdd38e87a3d666b608d983acb9321cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\95f8df39\52f3b9e9_529fda01\rsServiceController.DLL

Filesize
174KB

MD5
d0779008ba2dc5aba2393f95435a6e8d

SHA1
14ccd0d7b6128cf11c58f15918b2598c5fefe503

SHA256
e74a387b85ee4346b983630b571d241749224d51b81b607f88f6f77559f9cb05

SHA512
931edd82977e9a58c6669287b38c1b782736574db88dad0cc6e0d722c6e810822b3cbe5689647a8a6f2b3692d0c348eb063e17abfa5580a66b17552c30176426

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5522.tmp\uninstall.ico

Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx2603.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx2603.tmp\inetc.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx2603.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2524.tmp\System.Data.SQLite.dll

Filesize
362KB

MD5
42e6e9081edd7a49c4103292725b68e2

SHA1
62f73c44ee1aba1f7684b684108fe3b0332e6e66

SHA256
788450452b0459c83e13da4dd32f6217bfb53a83bd5f04b539000b61d24fd049

SHA512
99eab89bf6297fda549c0b882c097cd4b59fd0595ff2d0c40d1767f66fa45172ca5b9693dbf650d7103353f1e1fb8e5259bbcde3dfa286dee098533a4a776e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2524.tmp\System.ValueTuple.dll

Filesize
73KB

MD5
29e6ae1a1af7fc943752a097ec59c59c

SHA1
6d5c910c0b9a3e0876e2e2bbbce9b663f9edc436

SHA256
cc9bf1feeab1d76221508d6cc98e8bdc1603d5c600c5ed09c108e31b8bd3a6a2

SHA512
cc6d55e5fd23c89d73ecbddfa92c102f47f8fb93f2f6a41d2e79708e6a8d7c13c1961dcd07810db3135d2f8ddcbf3535fb3ea3d1fc31c617ca9b10f6b867f9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2524.tmp\rsDatabase.dll

Filesize
166KB

MD5
d9cd9c6486fa53d41949420d429c59f4

SHA1
784ac204d01b442eae48d732e2f8c901346bc310

SHA256
c82540979384cdcadf878a2bd5cbe70b79c279182e2896dbdf6999ba88a342c1

SHA512
b37e365b233727b8eb11eb0520091d2ecd631d43a5969eaeb9120ebd9bef68c224e1891dd3bac5ec51feb2aee6bec4b0736f90571b33f4af59e73ddee7d1e2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2524.tmp\rsTime.dll

Filesize
129KB

MD5
f1e592a7636df187e89b2139922c609e

SHA1
301a6e257fefaa69e41c590785222f74fdb344f8

SHA256
13ca35c619e64a912b972eb89433087cb5b44e947b22a392972d99084f214041

SHA512
e5d79a08ea2df8d7df0ad94362fda692a9b91f6eda1e769bc20088ef3c0799aeabf7eb8bd64b4813716962175e6e178b803124dc11cc7c451b6da7f406f38815

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2524.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\3fcc7533\273ee003_539fda01\rsAtom.DLL

Filesize
157KB

MD5
1b29492a6f717d23faaaa049a74e3d6e

SHA1
7d918a8379444f99092fe407d4ddf53f4e58feb5

SHA256
01c8197b9ca584e01e2532fad161c98b5bde7e90c33003c8d8a95128b68929c0

SHA512
25c07f3d66287ff0dfb9a358abb790cadbabe583d591c0976ea7f6d44e135be72605fa911cc4871b1bd26f17e13d366d2b78ce01e004263cbe0e6717f822c4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2524.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\9ce8a07b\bc42e703_539fda01\rsLogger.DLL

Filesize
178KB

MD5
dbdd8bcc83aa68150bf39107907349ad

SHA1
6029e3c9964de440555c33776e211508d9138646

SHA256
c43fea57ecd078518639dc2446a857d0c2594e526b5e14ee111a9c95beddf61e

SHA512
508cb9b3834f7da9aa18b4eb48dd931b3526f7419463c1f0c5283b155efbe9c255213ae1074d0dbe2de5b2f89d0dba77f59b729490d47d940b5967969aaf1f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\obxsubs4.exe

Filesize
1.2MB

MD5
844d8a2c2a96b5ae267fb40b887d21df

SHA1
de64bf664674ab360b75ccf8aa498845af18f49d

SHA256
809b3b766d109010b5778304cde663fc43ba50661c40b05dfbaf477704a5d3e8

SHA512
870db7df930e599b5d309a3bd348614e43d3d0fff5e01c826ef76fb6602a336e86e4cfe3894bab9ccab7743b48dc1d6dcb4cbce167bbb9df5ea6f8a3d2be83eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite-3.43.0.0-3d9eb720-2c5c-4a01-814b-4d7e60b72b7a-sqlitejdbc.dll

Filesize
926KB

MD5
3264e4962850cf05474810a8b6a496db

SHA1
34f9422e0d695c7ee9b7c7fba6148e3057de6cd6

SHA256
7f99b81b58540d3e08a8766b0cf06857afb1550d285ef6d1be4a29e504f5c09f

SHA512
ed8dd2f368106d4ebe4db41b3f08e3f9c3ee3a45e808410be2a37baa6c9bcf48d1fcea8e4c0e14f9782328ac2201792f0b24bb0dcdeb4ac945cade28c5ded006

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\2ab32e4b-798f-4375-87c9-e7249e87d2c1.tmp

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\61e627ce-f4b9-4c8f-907c-612f41bd7a69.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 905247.crdownload

Filesize
2.6MB

MD5
ee25164276804dc7c7d3c4bf1d45577d

SHA1
df0cd57f11d1e822f1e8505570cef2ada33cf362

SHA256
4d824e052cfd7aac94e4ea6cf8935431139732e990ab543f55922075aa9eaec4

SHA512
d440036ffd9baf520e94a07084ab5070c1f6addd316e35925e2fe191bb38784523f0134601b75f6b8818fc3353da6f613c7e8cf3adee0a08d29a381ee6b6d0ed

Download Submit
memory/2352-2534-0x00000296F4CB0000-0x00000296F4CF4000-memory.dmp

Filesize
272KB

Download
memory/2352-3809-0x00000296F79C0000-0x00000296F79EE000-memory.dmp

Filesize
184KB

Download
memory/2352-3727-0x00000296F7870000-0x00000296F789A000-memory.dmp

Filesize
168KB

Download
memory/2352-3715-0x00000296F7870000-0x00000296F78A0000-memory.dmp

Filesize
192KB

Download
memory/2352-3702-0x00000296F7870000-0x00000296F78A8000-memory.dmp

Filesize
224KB

Download
memory/2352-3216-0x00000296F77E0000-0x00000296F7828000-memory.dmp

Filesize
288KB

Download
memory/3400-1759-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1074-0x0000016B7E2C0000-0x0000016B7E2EA000-memory.dmp

Filesize
168KB

Download
memory/3400-2251-0x0000016B7E8A0000-0x0000016B7E8CE000-memory.dmp

Filesize
184KB

Download
memory/3400-1079-0x0000016B7E470000-0x0000016B7E4C8000-memory.dmp

Filesize
352KB

Download
memory/3400-2239-0x0000016B7E7C0000-0x0000016B7E7EA000-memory.dmp

Filesize
168KB

Download
memory/3400-1728-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1729-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1737-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1731-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1733-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1735-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1739-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1741-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1072-0x0000016B7E280000-0x0000016B7E2BA000-memory.dmp

Filesize
232KB

Download
memory/3400-1743-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1745-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1747-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1749-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1751-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1754-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1755-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1757-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1761-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-2226-0x0000016B7E7C0000-0x0000016B7E7F0000-memory.dmp

Filesize
192KB

Download
memory/3400-1066-0x0000016B7BBF0000-0x0000016B7BC78000-memory.dmp

Filesize
544KB

Download
memory/3400-1765-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1767-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-2215-0x0000016B7E7C0000-0x0000016B7E7FA000-memory.dmp

Filesize
232KB

Download
memory/3400-1769-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1771-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1773-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1068-0x0000016B7D940000-0x0000016B7D980000-memory.dmp

Filesize
256KB

Download
memory/3400-1775-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1763-0x0000016B18020000-0x0000016B1806E000-memory.dmp

Filesize
312KB

Download
memory/3400-1070-0x0000016B7D980000-0x0000016B7D9B0000-memory.dmp

Filesize
192KB

Download
memory/3400-1726-0x0000016B18020000-0x0000016B18070000-memory.dmp

Filesize
320KB

Download
memory/3644-2647-0x00000208B2480000-0x00000208B2A24000-memory.dmp

Filesize
5.6MB

Download
memory/3644-2433-0x00000208AFEE0000-0x00000208AFF0E000-memory.dmp

Filesize
184KB

Download
memory/3644-2626-0x00000208B0BE0000-0x00000208B0C46000-memory.dmp

Filesize
408KB

Download
memory/3644-2624-0x00000208B0520000-0x00000208B054A000-memory.dmp

Filesize
168KB

Download
memory/3644-2543-0x00000208B0410000-0x00000208B0436000-memory.dmp

Filesize
152KB

Download
memory/3644-2912-0x00000208B05D0000-0x00000208B060C000-memory.dmp

Filesize
240KB

Download
memory/3644-2944-0x00000208B2150000-0x00000208B23D0000-memory.dmp

Filesize
2.5MB

Download
memory/3644-2972-0x00000208B1240000-0x00000208B1270000-memory.dmp

Filesize
192KB

Download
memory/3644-2994-0x00000208B12A0000-0x00000208B12C4000-memory.dmp

Filesize
144KB

Download
memory/3644-2993-0x00000208B05B0000-0x00000208B05B8000-memory.dmp

Filesize
32KB

Download
memory/3644-2997-0x00000208B0E50000-0x00000208B0E58000-memory.dmp

Filesize
32KB

Download
memory/3644-2998-0x00000208B1F80000-0x00000208B1FAC000-memory.dmp

Filesize
176KB

Download
memory/3644-3191-0x00000208B1FB0000-0x00000208B1FD8000-memory.dmp

Filesize
160KB

Download
memory/3644-2542-0x00000208AFEB0000-0x00000208AFED6000-memory.dmp

Filesize
152KB

Download
memory/3644-2541-0x00000208B03D0000-0x00000208B040A000-memory.dmp

Filesize
232KB

Download
memory/3644-2540-0x00000208B0440000-0x00000208B04A6000-memory.dmp

Filesize
408KB

Download
memory/3644-2537-0x00000208B0E70000-0x00000208B10F6000-memory.dmp

Filesize
2.5MB

Download
memory/3644-3384-0x00000208B2040000-0x00000208B209E000-memory.dmp

Filesize
376KB

Download
memory/3644-2535-0x00000208B0870000-0x00000208B0BD9000-memory.dmp

Filesize
3.4MB

Download
memory/3644-2536-0x00000208B00D0000-0x00000208B011F000-memory.dmp

Filesize
316KB

Download
memory/3644-2533-0x00000208B0070000-0x00000208B00CE000-memory.dmp

Filesize
376KB

Download
memory/3644-2520-0x00000208AFFE0000-0x00000208B000E000-memory.dmp

Filesize
184KB

Download
memory/3644-3710-0x00000208B23D0000-0x00000208B2442000-memory.dmp

Filesize
456KB

Download
memory/3644-2378-0x00000208AF710000-0x00000208AF734000-memory.dmp

Filesize
144KB

Download
memory/3644-2411-0x00000208AFF70000-0x00000208AFFA2000-memory.dmp

Filesize
200KB

Download
memory/3644-3713-0x00000208B2A30000-0x00000208B2A9A000-memory.dmp

Filesize
424KB

Download
memory/3644-2410-0x00000208B0620000-0x00000208B0862000-memory.dmp

Filesize
2.3MB

Download
memory/3644-2409-0x00000208AFF10000-0x00000208AFF66000-memory.dmp

Filesize
344KB

Download
memory/3644-3740-0x00000208B2C10000-0x00000208B2D7C000-memory.dmp

Filesize
1.4MB

Download
memory/3644-2377-0x00000208AF8F0000-0x00000208AF964000-memory.dmp

Filesize
464KB

Download
memory/3644-3789-0x00000208B31E0000-0x00000208B3210000-memory.dmp

Filesize
192KB

Download
memory/3644-3796-0x00000208B20F0000-0x00000208B213C000-memory.dmp

Filesize
304KB

Download
memory/3644-3817-0x00000208B2450000-0x00000208B2476000-memory.dmp

Filesize
152KB

Download
memory/3644-3863-0x00000208B3DA0000-0x00000208B3EAA000-memory.dmp

Filesize
1.0MB

Download
memory/3644-2408-0x00000208AF970000-0x00000208AF99E000-memory.dmp

Filesize
184KB

Download
memory/3644-3896-0x00000208B2D80000-0x00000208B2DD0000-memory.dmp

Filesize
320KB

Download
memory/3644-3824-0x00000208B2AD0000-0x00000208B2AFC000-memory.dmp

Filesize
176KB

Download
memory/3644-2379-0x00000208AF8B0000-0x00000208AF8E4000-memory.dmp

Filesize
208KB

Download
memory/3644-3858-0x00000208B2DD0000-0x00000208B2E16000-memory.dmp

Filesize
280KB

Download
memory/3644-2376-0x00000208AF6E0000-0x00000208AF704000-memory.dmp

Filesize
144KB

Download
memory/3644-3860-0x00000208B3CA0000-0x00000208B3DA0000-memory.dmp

Filesize
1024KB

Download
memory/3672-647-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3672-578-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3672-1284-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5168-982-0x0000029454AA0000-0x0000029454AA8000-memory.dmp

Filesize
32KB

Download
memory/5168-983-0x000002946F4B0000-0x000002946F9D8000-memory.dmp

Filesize
5.2MB

Download
memory/5416-3874-0x00000232F2AA0000-0x00000232F2AD8000-memory.dmp

Filesize
224KB

Download
memory/5416-3876-0x00000232F2A60000-0x00000232F2A84000-memory.dmp

Filesize
144KB

Download
memory/5416-3864-0x00000232F04C0000-0x00000232F04F8000-memory.dmp

Filesize
224KB

Download
memory/5416-3875-0x00000232F2AE0000-0x00000232F2B12000-memory.dmp

Filesize
200KB

Download
memory/5416-3859-0x00000232F04C0000-0x00000232F04F8000-memory.dmp

Filesize
224KB

Download
memory/5416-3889-0x00000232F2E80000-0x00000232F308E000-memory.dmp

Filesize
2.1MB

Download
memory/5416-3862-0x00000232F28D0000-0x00000232F28FC000-memory.dmp

Filesize
176KB

Download
memory/5416-3861-0x00000232F2900000-0x00000232F2954000-memory.dmp

Filesize
336KB

Download
memory/5492-655-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/5492-648-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/5492-920-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/5492-649-0x0000000005560000-0x000000000556F000-memory.dmp

Filesize
60KB

Download
memory/5492-1283-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/5492-606-0x0000000005560000-0x000000000556F000-memory.dmp

Filesize
60KB

Download
memory/5564-1454-0x0000000073810000-0x0000000073DEF000-memory.dmp

Filesize
5.9MB

Download
memory/6172-2327-0x0000024FCD6E0000-0x0000024FCD734000-memory.dmp

Filesize
336KB

Download
memory/6172-2328-0x0000024FE7BF0000-0x0000024FE7C44000-memory.dmp

Filesize
336KB

Download
memory/6172-2329-0x0000024FCDB70000-0x0000024FCDB96000-memory.dmp

Filesize
152KB

Download
memory/6172-2370-0x0000024FE8990000-0x0000024FE8BB2000-memory.dmp

Filesize
2.1MB

Download
memory/6172-2342-0x0000024FE8370000-0x0000024FE8988000-memory.dmp

Filesize
6.1MB

Download
memory/6172-2341-0x0000024FE7B90000-0x0000024FE7BC2000-memory.dmp

Filesize
200KB

Download
memory/6172-2331-0x0000024FCD6E0000-0x0000024FCD734000-memory.dmp

Filesize
336KB

Download
memory/6448-2295-0x00000200FA3C0000-0x00000200FA3FC000-memory.dmp

Filesize
240KB

Download
memory/6448-2294-0x00000200F9B70000-0x00000200F9B82000-memory.dmp

Filesize
72KB

Download
memory/6448-2281-0x00000200F7F90000-0x00000200F7FBE000-memory.dmp

Filesize
184KB

Download
memory/6448-2280-0x00000200F7F90000-0x00000200F7FBE000-memory.dmp

Filesize
184KB

Download
memory/6536-2325-0x0000011697760000-0x0000011697782000-memory.dmp

Filesize
136KB

Download
memory/6536-2324-0x0000011697740000-0x000001169775A000-memory.dmp

Filesize
104KB

Download
memory/6536-2323-0x00000116B0650000-0x00000116B07CC000-memory.dmp

Filesize
1.5MB

Download
memory/6536-2322-0x00000116B02E0000-0x00000116B0646000-memory.dmp

Filesize
3.4MB

Download
memory/6956-3899-0x00000199CCA00000-0x00000199CCA2A000-memory.dmp

Filesize
168KB

Download
memory/6956-3912-0x00000199E5640000-0x00000199E56C4000-memory.dmp

Filesize
528KB

Download
memory/6956-3911-0x00000199CCA30000-0x00000199CCA3A000-memory.dmp

Filesize
40KB

Download
memory/6956-3898-0x00000199CAD00000-0x00000199CAD24000-memory.dmp

Filesize
144KB

Download
memory/6956-3900-0x00000199E5170000-0x00000199E51C4000-memory.dmp

Filesize
336KB

Download
memory/6964-3905-0x000002806C3D0000-0x000002806C3F4000-memory.dmp

Filesize
144KB

Download
memory/6964-3904-0x000002806C3A0000-0x000002806C3CC000-memory.dmp

Filesize
176KB

Download
memory/6964-3903-0x000002806C360000-0x000002806C394000-memory.dmp

Filesize
208KB

Download
memory/6964-3901-0x000002806C1D0000-0x000002806C210000-memory.dmp

Filesize
256KB

Download
memory/6964-3902-0x000002806C320000-0x000002806C360000-memory.dmp

Filesize
256KB

Download
memory/6964-3913-0x000002806D440000-0x000002806D476000-memory.dmp

Filesize
216KB

Download
memory/6964-3906-0x000002806C430000-0x000002806C456000-memory.dmp

Filesize
152KB

Download
memory/6964-3908-0x000002806C540000-0x000002806C59E000-memory.dmp

Filesize
376KB

Download