zgrat | hxxps://www[.]cheatengine[.]org/

Analysis

max time kernel
2689s
max time network
2701s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-05-2024 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.cheatengine.org/

Score

10^/10

zgrat discovery evasion execution persistence rat spyware stealer trojan

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/files/0x000700000001aece-1991.dat	family_zgrat_v1
behavioral1/files/0x000700000001aee1-1984.dat	family_zgrat_v1
behavioral1/memory/7368-3736-0x0000022227490000-0x00000222274EA000-memory.dmp	family_zgrat_v1
behavioral1/memory/7368-3785-0x0000022228290000-0x00000222284EE000-memory.dmp	family_zgrat_v1
behavioral1/memory/3236-3919-0x000001BB62480000-0x000001BB62614000-memory.dmp	family_zgrat_v1
behavioral1/memory/5372-4963-0x000002860F400000-0x000002860F454000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsDwf.sys	SaferWeb-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsDwf.sys	SaferWeb-installer.exe
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	RAVEndPointProtection-installer.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\WINTRUST.dll	cheatengine-x86_64-SSE4-AVX2.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEngineSvc.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	rsVPNSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	rsAppUI.exe

Executes dropped EXE 64 IoCs

pid	Process
3200	CheatEngine75.exe
2304	CheatEngine75.tmp
4940	CheatEngine75 (1).exe
3036	CheatEngine75 (1).tmp
1424	prod0.exe
2824	saBSI.exe
4472	i5cz14ax.exe
4120	CheatEngine75.exe
4668	RAVEndPointProtection-installer.exe
240	CheatEngine75.tmp
2440	rsSyncSvc.exe
2284	rsSyncSvc.exe
1436	_setup64.tmp
1640	installer.exe
3604	installer.exe
5468	Kernelmoduleunloader.exe
6076	windowsrepair.exe
4088	rsWSC.exe
6228	rsWSC.exe
7200	Cheat Engine.exe
7252	rsClientSvc.exe
7332	rsClientSvc.exe
7368	rsEngineSvc.exe
7272	cheatengine-x86_64-SSE4-AVX2.exe
7956	rsEngineSvc.exe
3236	rsEDRSvc.exe
7132	rsEDRSvc.exe
6400	lx2hveuv.exe
3160	RAVVPN-installer.exe
7828	Tutorial-x86_64.exe
5176	rsVPNClientSvc.exe
5572	rsVPNClientSvc.exe
5216	rsHelper.exe
5372	rsVPNSvc.exe
6696	rsVPNSvc.exe
6000	VPN.exe
1324	rsAppUI.exe
7784	EPP.exe
7948	rsAppUI.exe
5944	rsAppUI.exe
7860	1vhc0vie.exe
7932	rsAppUI.exe
5612	rsAppUI.exe
6460	rsAppUI.exe
7212	rsAppUI.exe
5272	SaferWeb-installer.exe
5360	rsAppUI.exe
7736	rsAppUI.exe
5444	rsAppUI.exe
4412	rsDNSClientSvc.exe
1524	rsDNSClientSvc.exe
6952	rsDNSResolver.exe
7692	rsDNSResolver.exe
6388	rsDNSResolver.exe
6276	rsDNSSvc.exe
5492	rsDNSSvc.exe
5496	DNS.exe
6808	rsAppUI.exe
6200	rsAppUI.exe
1156	rsAppUI.exe
7128	rsAppUI.exe
6176	rsLitmus.A.exe
2132	rsAppUI.exe
5008	rsAppUI.exe

Loads dropped DLL 64 IoCs

pid	Process
3036	CheatEngine75 (1).tmp
2304	CheatEngine75.tmp
4472	i5cz14ax.exe
4668	RAVEndPointProtection-installer.exe
4668	RAVEndPointProtection-installer.exe
7272	cheatengine-x86_64-SSE4-AVX2.exe
7272	cheatengine-x86_64-SSE4-AVX2.exe
7272	cheatengine-x86_64-SSE4-AVX2.exe
7272	cheatengine-x86_64-SSE4-AVX2.exe
7272	cheatengine-x86_64-SSE4-AVX2.exe
7272	cheatengine-x86_64-SSE4-AVX2.exe
7272	cheatengine-x86_64-SSE4-AVX2.exe
3236	rsEDRSvc.exe
3236	rsEDRSvc.exe
7132	rsEDRSvc.exe
7132	rsEDRSvc.exe
7956	rsEngineSvc.exe
7132	rsEDRSvc.exe
6400	lx2hveuv.exe
3160	RAVVPN-installer.exe
7956	rsEngineSvc.exe
7956	rsEngineSvc.exe
6696	rsVPNSvc.exe
1324	rsAppUI.exe
1324	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
5944	rsAppUI.exe
5944	rsAppUI.exe
5944	rsAppUI.exe
5944	rsAppUI.exe
5944	rsAppUI.exe
7932	rsAppUI.exe
5612	rsAppUI.exe
7860	1vhc0vie.exe
6460	rsAppUI.exe
5612	rsAppUI.exe
5612	rsAppUI.exe
5612	rsAppUI.exe
5612	rsAppUI.exe
7212	rsAppUI.exe
5360	rsAppUI.exe
7736	rsAppUI.exe
5444	rsAppUI.exe
5272	SaferWeb-installer.exe
5492	rsDNSSvc.exe
6388	rsDNSResolver.exe
6388	rsDNSResolver.exe
6808	rsAppUI.exe
6808	rsAppUI.exe
6808	rsAppUI.exe
6808	rsAppUI.exe
6200	rsAppUI.exe
6200	rsAppUI.exe
6200	rsAppUI.exe
6200	rsAppUI.exe
6200	rsAppUI.exe
1156	rsAppUI.exe
7128	rsAppUI.exe
2132	rsAppUI.exe
2132	rsAppUI.exe
5008	rsAppUI.exe
5008	rsAppUI.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6140	icacls.exe
432	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75 (1).tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75 (1).tmp
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75 (1).tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75 (1).tmp
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75 (1).tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75 (1).tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75 (1).tmp
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75 (1).tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75 (1).tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rsEDRSvc.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	rsEngineSvc.exe
File opened (read-only)	\??\F:	rsEDRSvc.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	rsEDRSvc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\ActXPrxy.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\NTASN1.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\advapi32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\Cabinet.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\Windows.Devices.Enumeration.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\iertutil.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\MSACM32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07A7CCFBD28A674D95D3BF853C9007C6	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\System32\GDI32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEDRSvc.exe
File opened for modification	C:\Windows\SYSTEM32\cryptnet.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\WINNSI.DLL	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\edputil.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\SYSTEM32\dhcpcsvc.DLL	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\msiso.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\Windows.StateRepository.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\apphelp.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\System32\MSASN1.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\profapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEDRSvc.exe
File opened for modification	C:\Windows\SYSTEM32\gpapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\dataexchange.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\powrprof.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wintypes.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\OLEAUT32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEDRSvc.exe
File opened for modification	C:\Windows\SYSTEM32\IPHLPAPI.DLL	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\winmm.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\VERSION.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\SHELL32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\Windows.UI.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\Windows.Networking.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\Windows.Media.MediaControl.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_607A58EEE9CB7145B2928F6E2D210D0B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEngineSvc.exe
File opened for modification	C:\Windows\SYSTEM32\MPR.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\rsaenh.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEngineSvc.exe
File opened for modification	C:\Windows\System32\SHLWAPI.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\DPAPI.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\ondemandconnroutehelper.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\Bcp47Langs.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\StateRepository.Core.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D97B1EC1F43DD6ED4FE7AB95E144BC_330B78668586CC1C5060B7886AA9A046	rsEngineSvc.exe
File opened for modification	C:\Windows\SYSTEM32\UIAutomationCore.DLL	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of NtCreateThreadExHideFromDebugger 10 IoCs

pid	Process
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\Temp1142047922\wa_install_close2.png	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\gu.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\netstandard.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\wintrust.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\is-BHMUS.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Net.NetworkInformation.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\rsEngine.Data.dll	SaferWeb-installer.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\imm32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\symbols\dll\Windows.Networking.HostName.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\dll\ntdll.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\dll\kernelbase.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\symbols\dll\WinTypes.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\Temp1142047922\jslang\wa-res-install-nb-NO.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Watcher.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\iertutil.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\VPN\OpenVPN\new\i386\OemVista.inf	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\ReasonLabs-DNS.7z	SaferWeb-installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1142047922\icon_complete.png	installer.exe
File created	C:\Program Files\ReasonLabs\DNS\ui\DNS.exe	SaferWeb-installer.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\dll\userenv.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Threading.dll	RAVVPN-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\x86\7z86.dll	SaferWeb-installer.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\fwbase.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\is-GAD4B.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\el.pak	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\dll\FirewallAPI.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\wsock32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\dnsapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\iertutil.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\VPN\Microsoft.Win32.TaskScheduler.dll	RAVVPN-installer.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\symbols\dll\fwbase.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\Windows.Media.MediaControl.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\is-TF0SN.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-GQI5G.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\en-GB.pak	RAVEndPointProtection-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\usermgrcli.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\DataExchange.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\winhook-x86_64.dll	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp1142047922\jslang\eula-hu-HU.txt	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1142047922\jslang\wa-res-install-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Net.WebSockets.Client.dll	RAVEndPointProtection-installer.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\symbols\dll\win32u.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\McAfee\Temp1142047922\jslang\eula-nl-NL.txt	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\iphlpapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\dll\propsys.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\symbols\dll\sapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\Temp1142047922\jslang\eula-tr-TR.txt	installer.exe
File opened for modification	C:\Program Files\McAfee\Temp1142047922\wa-common.css	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\kernelbase.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\dll\version.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\gdi32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe	RAVEndPointProtection-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\is-5HLNP.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\winnsi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\dll\twinapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\symbols\dll\WindowsCodecs.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\DotNetDataCollector32.exe	CheatEngine75.tmp
File created	C:\Program Files\McAfee\Temp1142047922\jslang\wa-res-shared-nl-NL.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-QTJ6O.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Google\Chrome\Application\OnDemandConnRouteHelper.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\Windows.Networking.HostName.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Collections.Specialized.dll	SaferWeb-installer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.0_none_108e4f62dfe5d999\COMCTL32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.0_none_108e4f62dfe5d999\comctl32.dll	cheatengine-x86_64-SSE4-AVX2.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4016	sc.exe
4556	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
8080	3036	WerFault.exe	108
6808	3036	WerFault.exe	108

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000\Control	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Service	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000\LogConf	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rsEDRSvc.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75 (1).tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75 (1).tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEngineSvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	rsDNSSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsEngineSvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rsVPNSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 6800310000000000ac587a4a10004d59434845417e310000500009000400efbeac587a4aac587a4a2e000000a8ac0100000008000000000000000000000000000000a26bbf004d00790020004300680065006100740020005400610062006c0065007300000018000000	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	cheatengine-x86_64-SSE4-AVX2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	cheatengine-x86_64-SSE4-AVX2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine75.tmp
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine75.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine75.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	cheatengine-x86_64-SSE4-AVX2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	cheatengine-x86_64-SSE4-AVX2.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsWSC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsEDRSvc.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	156	Cheat Engine 7.5 : luascript-CEVersionCheck
HTTP User-Agent header	94	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	145	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	156	Cheat Engine 7.5 : luascript-ceshare

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
424	chrome.exe
424	chrome.exe
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
1832	chrome.exe
1832	chrome.exe
2824	saBSI.exe
2824	saBSI.exe
2824	saBSI.exe
2824	saBSI.exe
2824	saBSI.exe
2824	saBSI.exe
2824	saBSI.exe
2824	saBSI.exe
2824	saBSI.exe
2824	saBSI.exe
2824	saBSI.exe
2824	saBSI.exe
240	CheatEngine75.tmp
240	CheatEngine75.tmp
4668	RAVEndPointProtection-installer.exe
4668	RAVEndPointProtection-installer.exe
4668	RAVEndPointProtection-installer.exe
4668	RAVEndPointProtection-installer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
7272	cheatengine-x86_64-SSE4-AVX2.exe
6276	taskmgr.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
7032	fltmc.exe
640	Process not Found
640	Process not Found

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe
Token: SeShutdownPrivilege	424	chrome.exe
Token: SeCreatePagefilePrivilege	424	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp
3036	CheatEngine75 (1).tmp

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
424	chrome.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
7948	rsAppUI.exe
1324	rsAppUI.exe
1324	rsAppUI.exe
1324	rsAppUI.exe
1324	rsAppUI.exe
1324	rsAppUI.exe
1324	rsAppUI.exe
6808	rsAppUI.exe
6808	rsAppUI.exe
6808	rsAppUI.exe
6808	rsAppUI.exe
6808	rsAppUI.exe
6808	rsAppUI.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe
6276	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
7272	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 3928	424	chrome.exe	73
PID 424 wrote to memory of 3928	424	chrome.exe	73
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 4116	424	chrome.exe	75
PID 424 wrote to memory of 32	424	chrome.exe	76
PID 424 wrote to memory of 32	424	chrome.exe	76
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77
PID 424 wrote to memory of 204	424	chrome.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.cheatengine.org/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff3e309758,0x7fff3e309768,0x7fff3e309778
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:2
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2888 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3776 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4608 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4460 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4820 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5160 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5220 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5504 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5444 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5048 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5992 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5848 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6296 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6040 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6244 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4432 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5504 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:1664
- C:\Users\Admin\Downloads\CheatEngine75.exe
  "C:\Users\Admin\Downloads\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\is-GNP5O.tmp\CheatEngine75.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GNP5O.tmp\CheatEngine75.tmp" /SL5="$E026A,29019897,780800,C:\Users\Admin\Downloads\CheatEngine75.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2304
- C:\Users\Admin\Downloads\CheatEngine75 (1).exe
  "C:\Users\Admin\Downloads\CheatEngine75 (1).exe"
  2⤵
  - Executes dropped EXE
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\is-T8GHM.tmp\CheatEngine75 (1).tmp
    "C:\Users\Admin\AppData\Local\Temp\is-T8GHM.tmp\CheatEngine75 (1).tmp" /SL5="$20250,29019897,780800,C:\Users\Admin\Downloads\CheatEngine75 (1).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\prod0.exe
      "C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\prod0.exe" -ip:"dui=9251837d-e9a5-4229-9a78-b1085d98b1bb&dit=20240512091903&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=9251837d-e9a5-4229-9a78-b1085d98b1bb&dit=20240512091903&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=9251837d-e9a5-4229-9a78-b1085d98b1bb&dit=20240512091903&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true
      4⤵
      Executes dropped EXE
      PID:1424
    - - C:\Users\Admin\AppData\Local\Temp\i5cz14ax.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i5cz14ax.exe" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4472
      - C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\RAVEndPointProtection-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\i5cz14ax.exe" /silent
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4668
        
        C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        7⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        7⤵
        Adds Run key to start application
        
        PID:6792
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        
        PID:6816
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:6872
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        7⤵
        
        PID:6908
        
        C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        7⤵
        Suspicious behavior: LoadsDriver
        
        PID:7032
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
        7⤵
        
        PID:7156
        
        C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:4088
        
        C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:7252
        
        C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:7368
        
        C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
        
        "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\lx2hveuv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lx2hveuv.exe" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6400
      - C:\Users\Admin\AppData\Local\Temp\nsp3377.tmp\RAVVPN-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsp3377.tmp\RAVVPN-installer.exe" "C:\Users\Admin\AppData\Local\Temp\lx2hveuv.exe" /silent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:3160
        
        C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:5176
        
        C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:5372
    - - C:\Users\Admin\AppData\Local\Temp\1vhc0vie.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1vhc0vie.exe" /silent
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7860
      - C:\Users\Admin\AppData\Local\Temp\nss7A44.tmp\SaferWeb-installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nss7A44.tmp\SaferWeb-installer.exe" "C:\Users\Admin\AppData\Local\Temp\1vhc0vie.exe" /silent
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:5272
        
        \??\c:\windows\system32\rundll32.exe
        
        "c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf
        7⤵
        Adds Run key to start application
        
        PID:7292
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        
        PID:7248
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:7920
        
        C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -i -service install
        7⤵
        Executes dropped EXE
        
        PID:6952
        
        C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
        7⤵
        Executes dropped EXE
        
        PID:7692
        
        C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:6276
  - - C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\prod1_extract\saBSI.exe
      "C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\prod1_extract\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\prod1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1640
      - C:\Program Files\McAfee\Temp1142047922\installer.exe
        
        "C:\Program Files\McAfee\Temp1142047922\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        
        PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\CheatEngine75.exe
      "C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
      4⤵
      Executes dropped EXE
      PID:4120
    - - C:\Users\Admin\AppData\Local\Temp\is-B585U.tmp\CheatEngine75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B585U.tmp\CheatEngine75.tmp" /SL5="$202A0,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:240
      - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        6⤵
        
        PID:1400
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        7⤵
        
        PID:4560
      - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        6⤵
        
        PID:372
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        7⤵
        
        PID:2880
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        6⤵
        Launches sc.exe
        
        PID:4016
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        6⤵
        Launches sc.exe
        
        PID:4556
      - C:\Users\Admin\AppData\Local\Temp\is-NDIP9.tmp\_isetup\_setup64.tmp
        
        helper 105 0x3A8
        6⤵
        Executes dropped EXE
        
        PID:1436
      - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:432
      - C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        6⤵
        Executes dropped EXE
        
        PID:5468
      - C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        6⤵
        Executes dropped EXE
        
        PID:6076
      - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:6140
  - - C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
      "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
      4⤵
      Executes dropped EXE
      PID:7200
    - - C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
        
        "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
        5⤵
        Manipulates Digital Signatures
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:7272
      - C:\Program Files\Cheat Engine 7.5\Tutorial-x86_64.exe
        
        "C:\Program Files\Cheat Engine 7.5\Tutorial-x86_64.exe"
        6⤵
        Executes dropped EXE
        
        PID:7828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1652
      4⤵
      Program crash
      PID:8080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1652
      4⤵
      Program crash
      PID:6808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5760 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=5104 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6604 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:7256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6568 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5504 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6884 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6544 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6300 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5444 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2928 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:7776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:8044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=3196 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=3204 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:7692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5720 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=6360 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=5940 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6460 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5660 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=3200 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=6516 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=5968 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=6468 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=3396 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6184 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:7908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=6800 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=3060 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:7864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=5988 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=3860 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=4444 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=1448 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=6980 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=956 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=7268 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=7304 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=7944 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=8680 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:7964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=8036 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=8532 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=8656 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:7112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=8260 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=8360 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=7644 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=8356 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=9128 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=9296 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=9672 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=9824 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=10040 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:7396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=10200 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=9272 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=5760 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=1480 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=10936 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --mojo-platform-channel-handle=10736 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=10808 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=7968 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --mojo-platform-channel-handle=9436 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:9000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --mojo-platform-channel-handle=11204 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:9184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --mojo-platform-channel-handle=5580 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=11448 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --mojo-platform-channel-handle=11396 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --mojo-platform-channel-handle=7892 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --mojo-platform-channel-handle=4432 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --mojo-platform-channel-handle=2960 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --mojo-platform-channel-handle=8136 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8224 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:8
  2⤵
  PID:9136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --mojo-platform-channel-handle=11308 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --mojo-platform-channel-handle=9736 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --mojo-platform-channel-handle=6532 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:7236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --mojo-platform-channel-handle=10692 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --mojo-platform-channel-handle=9748 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:6292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --mojo-platform-channel-handle=6888 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:8348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --mojo-platform-channel-handle=11484 --field-trial-handle=1772,i,528452816124000236,11849067783075016132,131072 /prefetch:1
  2⤵
  PID:1736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3600

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:2284

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6228

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
PID:7332

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:7956
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  - Executes dropped EXE
  PID:5216
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  - Executes dropped EXE
  PID:7784
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SendNotifyMessage
    PID:7948
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2416 --field-trial-handle=2420,i,4965587153021877807,7046080585150230096,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5612
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=3136 --field-trial-handle=2420,i,4965587153021877807,7046080585150230096,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6460
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3216 --field-trial-handle=2420,i,4965587153021877807,7046080585150230096,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:5360
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3680 --field-trial-handle=2420,i,4965587153021877807,7046080585150230096,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:7736
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1376 --field-trial-handle=2420,i,4965587153021877807,7046080585150230096,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5008
- C:\program files\reasonlabs\epp\rsLitmus.A.exe
  "C:\program files\reasonlabs\epp\rsLitmus.A.exe"
  2⤵
  - Executes dropped EXE
  PID:6176

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Enumerates connected drives
- Checks system information in the registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:7132

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
- Executes dropped EXE
PID:5572

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:6696
- \??\c:\program files\reasonlabs\VPN\ui\VPN.exe
  "c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
  2⤵
  - Executes dropped EXE
  PID:6000
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SendNotifyMessage
    PID:1324
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2464 --field-trial-handle=2476,i,13420611104206653808,8008953905799317631,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5944
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=3064 --field-trial-handle=2476,i,13420611104206653808,8008953905799317631,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7932
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3248 --field-trial-handle=2476,i,13420611104206653808,8008953905799317631,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:7212
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3704 --field-trial-handle=2476,i,13420611104206653808,8008953905799317631,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:5444
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2640 --field-trial-handle=2476,i,13420611104206653808,8008953905799317631,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2132

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2648

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
1⤵
- Executes dropped EXE
PID:1524

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6388

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5492
- \??\c:\program files\reasonlabs\DNS\ui\DNS.exe
  "c:\program files\reasonlabs\DNS\ui\DNS.exe" --minimized --focused --first-run
  2⤵
  - Executes dropped EXE
  PID:5496
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\DNS\ui\app.asar" --engine-path="c:\program files\reasonlabs\DNS" --minimized --focused --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SendNotifyMessage
    PID:6808
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1968 --field-trial-handle=2124,i,9994831749206816564,10916730414354245642,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6200
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --mojo-platform-channel-handle=3144 --field-trial-handle=2124,i,9994831749206816564,10916730414354245642,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1156
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --app-user-model-id=com.reasonlabs.dns --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3248 --field-trial-handle=2124,i,9994831749206816564,10916730414354245642,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:7128
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2988 --field-trial-handle=2124,i,9994831749206816564,10916730414354245642,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:4920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5552

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7216

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0
1⤵
PID:6472

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SendNotifyMessage
PID:6276

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:6600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x44c
1⤵
PID:6328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe

Filesize
236KB

MD5
9af96706762298cf72df2a74213494c9

SHA1
4b5fd2f168380919524ecce77aa1be330fdef57a

SHA256
65fa2ccb3ac5400dd92dda5f640445a6e195da7c827107260f67624d3eb95e7d

SHA512
29a0619093c4c0ecf602c861ec819ef16550c0607df93067eaef4259a84fd7d40eb88cd5548c0b3b265f3ce5237b585f508fdd543fa281737be17c0551163bd4

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\is-0GJRG.tmp

Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\is-U6SJ3.tmp

Filesize
12.2MB

MD5
8b2322dce388f8f24d461d5a0186f67c

SHA1
604fc5d20eef7bffe7b1ab094bf45d464080ff91

SHA256
c49162b98cc02456d1a23c2948b09f5ce7d87de7f4acc7267ccbf80379d47de9

SHA512
7eb96630aa329f72f2f249ae74ec132d13d23253001182a4ad036d6e65e1e8d17ed95e5dbe6bd50a4a2e5ffb147035be583ca87e230517b614febfda2b6a47c2

Download Submit
C:\Program Files\ReasonLabs\DNS\Uninstall.exe

Filesize
1.4MB

MD5
be34085b4bb2f429af83a34279f47486

SHA1
39d5a942115a2490e1a4fadc55c5a47cebe13f88

SHA256
2709f3aefdf127bec9856c201f225463d815fb78f31ed3b7050e4e9ba6aa1465

SHA512
5d4b1e2a39159b1469a49ef2d8292151af2d0acc6b8a7e8f191429ede726c2541f5ab7c471d0e1a1cbc6e77bbc67f1a3372bebf2635739fe8c339435e98ce8fe

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
248B

MD5
6002495610dcf0b794670f59c4aa44c6

SHA1
f521313456e9d7cf8302b8235f7ccb1c2266758f

SHA256
982a41364a7567fe149d4d720749927b2295f1f617df3eba4f52a15c7a4829ad

SHA512
dfc2e0184436ffe8fb80a6e0a27378a8085c3aa096bbf0402a39fb766775624b3f1041845cf772d3647e4e4cde34a45500891a05642e52bae4a397bd4f323d67

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
633B

MD5
c80d4a697b5eb7632bc25265e35a4807

SHA1
9117401d6830908d82cbf154aa95976de0d31317

SHA256
afe1e50cc967c3bb284847a996181c22963c3c02db9559174e0a1e4ba503cce4

SHA512
8076b64e126d0a15f6cbde31cee3d6ebf570492e36a178fa581aaa50aa0c1e35f294fef135fa3a3462eedd6f1c4eaa49c373b98ee5a833e9f863fbe6495aa036

Download Submit
C:\Program Files\ReasonLabs\DNS\uninstall.ico

Filesize
109KB

MD5
beae67e827c1c0edaa3c93af485bfcc5

SHA1
ccbbfabb2018cd3fa43ad03927bfb96c47536df1

SHA256
d47b3ddddc6aadd7d31c63f41c7a91c91e66cbeae4c02dac60a8e991112d70c5

SHA512
29b8d46c6f0c8ddb20cb90e0d7bd2f1a9d9970db9d9594f32b9997de708b0b1ae749ce043e73c77315e8801fd9ea239596e6b891ef4555535bac3fe00df04b92

Download Submit
C:\Program Files\ReasonLabs\EDR\InstallUtil.InstallLog

Filesize
628B

MD5
789f18acca221d7c91dcb6b0fb1f145f

SHA1
204cc55cd64b6b630746f0d71218ecd8d6ff84ce

SHA256
a5ff0b9a9832b3f5957c9290f83552174b201aeb636964e061273f3a2d502b63

SHA512
eae74f326f7d71a228cae02e4455557ad5ca81e1e28a186bbc4797075d5c79bcb91b5e605ad1d82f3d27e16d0cf172835112ffced2dc84d15281c0185fa4fa62

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
388B

MD5
1068bade1997666697dc1bd5b3481755

SHA1
4e530b9b09d01240d6800714640f45f8ec87a343

SHA256
3e9b9f8ed00c5197cb2c251eb0943013f58dca44e6219a1f9767d596b4aa2a51

SHA512
35dfd91771fd7930889ff466b45731404066c280c94494e1d51127cc60b342c638f333caa901429ad812e7ccee7530af15057e871ed5f1d3730454836337b329

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
633B

MD5
6895e7ce1a11e92604b53b2f6503564e

SHA1
6a69c00679d2afdaf56fe50d50d6036ccb1e570f

SHA256
3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177

SHA512
314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
331KB

MD5
8556afbb1722951ddc64e7642ee7ac9c

SHA1
f25a52b068eb3898dc1d018fd481af000ac9cc7d

SHA256
325870bc55b57f0f018c6a572cddec8b339540a0b337ea5efd97014e8c00ad10

SHA512
57d3c271752f6cd44edb43c2d79e7188b57561678057f05bcb145f23e2729715645f3c520eef8106221d7a981bb0f65b80e51a92f86c1f0de11932a92147a962

Download Submit
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
79a3316d934da771d43a0eb38b43b411

SHA1
f4df6d0423d63f7e0792d1d55af6b36a94c7449a

SHA256
2a96c5474735e92836286f33218d8338591c15b3441faf8672d3b687411f01af

SHA512
b597cc7018ad0a9695c6ffeb3370e3c04e9d35d7090de176aa40531a6720e2bd0cb9f1ab1a8304ed17e0987982028a91b2d8d5cf3229a62c5d0fcd4ab1c6b700

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
347KB

MD5
b8f08b5a671b1d91bc615a1be333d037

SHA1
2d17004a8635d9c349b43aec7996384cc7b17a95

SHA256
c5f855c4e6f7aac4547f4dfae4ec03b1d3ec51b18c69ae94d3402b27a32b562c

SHA512
c0f75d936196b65fb2eea75de1d97b9cd6d9a6777553bbcd706e1c3a29248543cc6aa2f47b46142155482613f9106e84e5b8036c0fa46893600272043fc20335

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
5KB

MD5
517330c5959e0ea014cfb2ddadfae354

SHA1
82b72327a6d7304443e543d8bfb98f0849899a49

SHA256
f30d03e6f8b8b8e1f4a1cb93507629e465b0dcc6c9e68982816d92b5819de6fd

SHA512
2e1f95f16ff2a45e492f03a7df8a96cc984ec8965746320bac255861609a4759ab82d6b99935235dddd3c11c7e7001e495c16650be406b75fca726488f603dff

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
257B

MD5
2afb72ff4eb694325bc55e2b0b2d5592

SHA1
ba1d4f70eaa44ce0e1856b9b43487279286f76c9

SHA256
41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

SHA512
5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
c128d7b407d111298c6fd54b5d1d30dc

SHA1
f1b0a405660ddcef6a37155759f08b1bc50f27d3

SHA256
60bb746a55444c32b1dd73555e4ed4e3d21a792c818279d4952f302553393a9d

SHA512
17f4a4923166da9229bff98dacecb5d9824d435847c4d371d7eb441b6e836d36b92c187fba08666d3c26ce61eeeb7bd5ab675983d793ba9315c47d8d6ca8bce7

Download Submit
C:\Program Files\ReasonLabs\VPN\Uninstall.exe

Filesize
1.2MB

MD5
4191b45fa056ba6c0d0052154dadf951

SHA1
4dc6f7205cca3e1a5ada85c0628e7b2114fd2a80

SHA256
ea5e8a041306770f4b0a6ab579b19e2367f60ec7633834903a2a8621bf173216

SHA512
76e6494725ed90cff5425580962ef5bd01f099d16aaacf6161c96b83ea51256c80c11b2d4789661e8a6af447131decf2decfa5d19e19ba78236ab1934034e482

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.config

Filesize
4KB

MD5
04be4fc4d204aaad225849c5ab422a95

SHA1
37ad9bf6c1fb129e6a5e44ddbf12c277d5021c91

SHA256
6f8a17b8c96e6c748ebea988c26f6bcaad138d1fe99b9f828cd9ff13ae6a1446

SHA512
4e3455a4693646cdab43aef34e67dd785fa90048390003fa798a5bfcde118abda09d8688214cb973d7bbdd7c6aefc87201dceda989010b28c5fffc5da00dfc26

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
248B

MD5
5f2d345efb0c3d39c0fde00cf8c78b55

SHA1
12acf8cc19178ce63ac8628d07c4ff4046b2264c

SHA256
bf5f767443e238cf7c314eae04b4466fb7e19601780791dd649b960765432e97

SHA512
d44b5f9859f4f34123f376254c7ad3ba8e0716973d340d0826520b6f5d391e0b4d2773cc165ef82c385c3922d8e56d2599a75e5dc2b92c10dad9d970dce2a18b

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
633B

MD5
db3e60d6fe6416cd77607c8b156de86d

SHA1
47a2051fda09c6df7c393d1a13ee4804c7cf2477

SHA256
d6cafeaaf75a3d2742cd28f8fc7045f2a703823cdc7acb116fa6df68361efccd

SHA512
aec90d563d8f54ac1dbb9e629a63d65f9df91eadc741e78ba22591ca3f47b7a5ff5a105af584d3a644280ff95074a066781e6a86e3eb7b7507a5532801eb52ee

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

Filesize
5.1MB

MD5
d13bddae18c3ee69e044ccf845e92116

SHA1
31129f1e8074a4259f38641d4f74f02ca980ec60

SHA256
1fac07374505f68520aa60852e3a3a656449fceacb7476df7414c73f394ad9e0

SHA512
70b2b752c2a61dcf52f0aadcd0ab0fdf4d06dc140aee6520a8c9d428379deb9fdcc101140c37029d2bac65a6cfcf5ed4216db45e4a162acbc7c8c8b666cd15dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\08b3ca48-da09-4f7d-b430-50977e145e54.tmp

Filesize
7KB

MD5
7d121b469ac072741dd45d5026402db5

SHA1
54b6cc8b4145d52d5cc6026bad36fd8fc76494e3

SHA256
531cc80afb77a656a6748c64732010c84daf4df86b184094cc826fa98aabf169

SHA512
33a8fa9c2cae2a6f12a7180f6c6aacfd33927c9b9be40bc2575a18791ef46d6368f8ab1b1403de0df6c6a3af27c91e69eb71624e0315e21fe1c6a2294f20c09a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7a261f53-25ed-4fed-8b93-a1fbae372ddf.tmp

Filesize
7KB

MD5
f2606ed4db507f55cf8d73db0ea11022

SHA1
5d795ab8b4694c1a3ec8bdbec2dd561cda7c56c6

SHA256
f2a90ac72f00dfece1cad96ec64ca3a99813273a6860131ea54ef2b2ea4a2096

SHA512
b040aedc686e21f7bdb8c3bbb4906c8d56210ecd91d76cf143fb85dd60d91947c113643e0ece731c45666c66a4381bc6bce6ac16c259e572d4fbd66fa5e7b0d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00007d

Filesize
19KB

MD5
870237c2b6be011684ca753277ae15fc

SHA1
19a2186ff4358f09afb3dff4330f57c2ae5efbd1

SHA256
17fc0d18ee50f297234ac524b495f01b4d4d34cd19b3316bcebbac930a522b3f

SHA512
d4c615d2b80dc1ad5509e7f528fc03f2d5286dbc55ebd0ebe573fc321a1c93e4a710e1c49a24c4d9858f1d0962913b20469b7aefbfd2332c5e69a66d8f271eb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0000b6

Filesize
128KB

MD5
c701a3379e0ee8eb4ec50c92e54d96f6

SHA1
57f69a3ee54d7909ac232b09dca5a3e2a7c537fd

SHA256
2a009197f08fd37793b8673dbf9e2ecdcc8207cafa41573c0fbad56320214bf2

SHA512
0d52ceb8a06d20136ad010205c6eabe28704b7f6123d02257253014d52eaa0e1e03e25e3002c7eb215ec127f5a35f8d666d79bb57d9b26822609f584faac00ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0000d1

Filesize
64KB

MD5
475b50689dfe5ac600b3de04ace088ea

SHA1
fbb328c285b985d98e436e1a2025dc2ef814f08d

SHA256
bb3580399452f7fc44aa591302242cc83e1a1c5daad646fcc2d1d3e81b9b7bc1

SHA512
55bef283c23fe00a25ab86c8e62df455236bb4a114d72da8986d0ab51b46567f195d35f94de1e133ae61e95d121de99938aa02e80abfd38c3c841fde9214c381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0000df

Filesize
128KB

MD5
05c14ecd84fabf065f580ff53bf8371f

SHA1
ef7fdaf1040ec79437880104030e162715ddedef

SHA256
2676ad1a9cc70fa79c23ebbd5bc5ed4073b1d9b8bb7245536be6d88b6b1d0f26

SHA512
455547bb2bfc1a8ba930025fbb313313142a27f08d5681bfaceaea46f8bc45d14e381493f30ba59faa97d3bb06243dce1b51483871cb88eb32f77abaa35b84e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000208

Filesize
21KB

MD5
2c704bdb3a4b76bf2d5c52f01e38990b

SHA1
142fa6ef9e3b3cdf07cd02076e738124384b8695

SHA256
d0be7f49583e35ded0eced77d09e3641b2fb6ee24c07dae84597052d77f5ab0c

SHA512
7043d9117e0bbbec68982d952b0cad00fa9fbe98c5532904d2aa92904174bc281246e3b2bc862540abf2698f9949731aea684ef1236bc579c9956773b51a9227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0d646e463b917717_0

Filesize
264B

MD5
24024ebec136466541fb241fb9053bf0

SHA1
001a37e27cd0537727d14a847d35f27ac885bf2c

SHA256
76e186b4bab3a6f95f786364d2fe8f99eb6f69e1b7c596b280b0e84df9cf27af

SHA512
da2274e472aded77b7b35b3937f1283138bc08c0a5e5c0027ab30161f27c26fdabeb1ff820b15db5363d6ac71bc552094f2dcd81dbc428a5be52de99c6af6cd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\29155fc0a15e3081_0

Filesize
9KB

MD5
318ca65c89568e1b16a1c28215e9f40f

SHA1
4b0f79ea812e18f87e1d0c37c16f2d724aa0fb79

SHA256
04c0eab53db6e8ac04cd89f3ea19f9fa01346ebcef9b17ec270117480adfc220

SHA512
a1a6b06ed9ecad1e5eb7a24039361a8c9303d3351f9b263a7242dbc26dfef8ee2b6c0b01c36cd09e615d578085a771b76e9bdc9cc60df984f3dae3a344a04000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\81c8f4a50e108b75_0

Filesize
295B

MD5
f833d9d2c7b40fc4ecd00a6d01838a04

SHA1
48e351fb106f89b0fdfad379f2c7076329707894

SHA256
eabbc67a94e3939de54ebdd5c66f69cdaead081968473f160adc6f2a837735ae

SHA512
e16409deeb36abf5cf072fdb78a19c0a67d396a6db481538875838d86ee9341fcd4282c6cba41e9c5c74600331d5de492cfec3236d773f9e3834ca764e1a97d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\9a2ed570fade7a24_0

Filesize
269B

MD5
13e0adb118ef4a3958428c29dc6fbee9

SHA1
83f610a651de0cc45b82d0255da335617a834f1b

SHA256
493d33c31cb7c99b28e2d6dc8858642f76e7bbd05b8c107815c353bd3ba19bc8

SHA512
041554f2782f1eaaded724fda66b6e44e35e73a26991b456db89fdd78b67ea8745c6504d79d190f2f824ac2e6be386123efff0cdb985436695ec823735aefb4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c10d1912eb744857_0

Filesize
298B

MD5
6d5f42262c565b4bfef59b0fce7558a4

SHA1
bbcc166106680d116b34b1ace91c750d662ddf4d

SHA256
c2c917346cd64539b57787d1ea4ba514016be3fbf6219dc008b486afa00f3ce8

SHA512
ac807310c3aec175bafe47ce80d17fa90802d69a6a22a2b17754406c005ead0e8fc8a55a37b6b8a43823e5ba6055ba4e3375644fe231e5c48b82a113f5354053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\de354b09abd8c116_0

Filesize
303B

MD5
11ffaae1398c3689d15421448d75dcf8

SHA1
546a79c9bfa4976f8e8614231665f178ebfbda5b

SHA256
b0396711bc6ec438ec5d4f5508d3f389538c586a8805db1e44ce8358c6204100

SHA512
5362faca94174af85e1cfe4c6f65786086baa3cf712c605f45b071468c9572a23ee723881b6ea4f92a6e7d68817298a087b5ceed90f6a4163df314632adae1a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
9a4d9d7aa15dd4b0a33ebb8fd2833039

SHA1
ef45b7f78f640a84221ea462c576d80713853323

SHA256
b3bd27465a7a4fd3928af48302a80f5beaaf2d1a98a4e08a1d5e89597270dacd

SHA512
bd0848f3e6d1738710d368a0f34f1019864d96abe2c7baf2b02d9ff59a1a2fc7745ef23645d8bd3dde2acfbb9663dd5eda41820dbbb6666f31516eec1dc44d14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
41b8de188805d073fddab7a7b5c945f8

SHA1
016bbd80d03977ce17d1ef97a2103a7d48161343

SHA256
8c9cd557b767419c5afd339bcb5780b4b2334cdc98caa42f39f4fb431e854298

SHA512
841bfb137048f8707feccaefe79118474079040edb256d8180063ae970cb821cb15e75b87d145d21a4551b5e8240737498b6fe11f809750e4254eed28a1a8755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
28346ee1e1351f256f43ec056406f031

SHA1
2dd21b35c78d5587529e92f2307a2c2f3cb3e440

SHA256
e906b9f221c0ae71c16bd71e0235e628489946bf4ac1b1b7601a01123efa574c

SHA512
f13c63e65f314a594df0f11078ca466cd37fb87e098fedfb79dfae692f1a3105c6f7ad4c2cfb883411864dfe10659623750fa62a9467d75d8e3fe3112dcdd9be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
f7c779311f4c40e1362d2ec0a49bd760

SHA1
87bb729959b9b6095acc5c79a25e22231e6c6c9b

SHA256
3ff672e5ad8d385efb11a6a944014bdd118d5825b59e232323c006d8c794a5c5

SHA512
6004d3f7d80ab1ef99043f73962561ee35561a9f8f26d064e6e00870d5cb351363bdd125503c5554e4a5788b49c81dae7dfa99ec506dda2e2f495bcae36df6bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
8c4a3d8d5bb8962ba85e926e1d5b2c25

SHA1
9fd2b269d313b0bb7f0552d03fc35d2d2c8e3c3c

SHA256
91ce07f8cf98a95ebe1875d122ffceb5bc292fbf31faea2ece982863d33d86a7

SHA512
9ecfb08be4fecd9707af3f9d4a578a58f2bb6065f17904d92f95d2e48d239366f5f1bd9b2dd0464436d25d138561b5b8a48883f5d45b734912034b11a495a881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a99305a0233f6b6dea3659b22e6d2bbf

SHA1
fe4f21c66a5ce41ad8edd022f01595ccc9c37d23

SHA256
54bee27e5a8d0869b1660c0b2bdec6e710f3a04c98dc965d65694ace3703209c

SHA512
d85cf04ff38e7a38527004b93b97c6c7c0f3a97b0babea4fc4a3f0076cda0804bf85fee477c059e7c5e6cbe7712bcaf43b5c4610ef77dd114a7178554c8f3595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9435ef95c86ca15c078eec45ecafd91b

SHA1
35db3858105d6ca67285e9db61b11f1c40f78620

SHA256
75384211e9f1495c0c1c5b00170c927d9b0436a9789a9149f0f354784af4936a

SHA512
e69e15ca59633cbeb1c6aa09e5bd278b941a7e142098042fb2e205679a038bf7dbb6c0e59f3f40cd71d4f6b3853a47cd7545436cee6273de8fb8193f39d01747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
f7c325f32d219f69dc1b86c643f74046

SHA1
800bdf6374072b6fe46e1d974ddb791273cde7c3

SHA256
df560d041db38a295649ee0531757f4002bb7556c9fa462ef46d6ad4dafe258e

SHA512
9cfe094f5ff6a347b424a377fec7845ced61c01735e2c0706d18fa6ddf2b0ea55953b2e0832ba9c9f1db447419c4d07e20afc9b74e50287f5b4bedd4cf7012a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
96B

MD5
11bb45b6459fc0e2af63000d4dca7b0f

SHA1
e9726f25abfe9af2a892a1fa9762031300426702

SHA256
448813df80e5ce8afd9cff64b189230c580b93aaa90b7ccc0a873cb48b79618b

SHA512
8079a9a7e59baeff9adb34d3cab122316ebe12aee3fdda7b1fef827ac28fba4243a81032d27f78972d1fa501f59b8b5eec0084f717fe41ef41c4b3028c9ff2f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_ad2f633d77e61f6c6dcf8b49909d53b2.safeframe.googlesyndication.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5694423e-d35c-451b-95ab-c409d4a02812.tmp

Filesize
7KB

MD5
bc2e9566d802d54af5ce97ab53dde82f

SHA1
b5691d566809b0571ebc824884684bcf5a92824f

SHA256
cc04f3272bace0267b7c8a10b14c963f0bd970626755f9f1728b3384ac36fcc2

SHA512
c1db4e3e24d3cf65c2f6d9fb88e3a6242da5d3130d233fce03e0172bc65abbfb4c640ec14623a1e0a68262d85a0dc82426923947de1bcd365f27172f539b59a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9363f21f9e00a7be5b223ba5eaa1c86d

SHA1
347cd0920743d54475691feb15a07ed5e22ca5ac

SHA256
461aff576cf6b675ff8cf8397297cccc0068a9a78fe6a32f197f4734c25b120f

SHA512
532d196557b00fc3382a7c192e49ac29baf5c85d1244a54241e46ff09046b3c83169aa5522f8b36d308063d501a9e0a2e49a7fef5d5af0ad07a134c9729e9c1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
18KB

MD5
df2c2db03a70773668f8c4010df6e59c

SHA1
94a4613fecd8b7def3812b5bac55c410f3403456

SHA256
22ca8015eff053ba688bbde972b710ecbd3a6add8f446e43c000009dfa89d9bf

SHA512
6fbee1a690cd5796f933108d2b85d5ba9a21c1b6f04d3da705c7e0ec9cc1cb3f77a5e701a55c1e57168fddbfcd9b808bd3366bc0fcacb601acb64c6349686096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
18KB

MD5
55c0a5d5e637e57f2ded19a81a3c144f

SHA1
a366538dc08512ccdf2a91c2a734a0ee52a5b4ad

SHA256
34bbd7c1b5145e69ea31ad930cddc29fc3d40119d764a6fc62e01fe5cdeeff45

SHA512
e767f34c788833f80282d88a5b98dbcec9ba89a335760e5c223f1e30712cb28de78c18eb3336fe407486b446ebdbc0da87bbf24fe581931d385f8780b261f6fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
20KB

MD5
aa58231f88d710621e571d57cbe093f9

SHA1
3484d65ef8e34a359e7cd16a4f648ad0cb6f4104

SHA256
ea033f2b9e4f10d1bbdf3348d216d148706b8cf3dd461c0ce436cfaed43b9116

SHA512
8a50532ec56c57312e3341f1e00be59d9cefac8b6b61c15841ead92708b4201f0438963490594d892787731ff5bc3ce3800e995a5171aaac5bad5aef083c1e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
23KB

MD5
2d58d3b727c63d22e8a261d013346354

SHA1
7c5251ea7210320ef20fc678d188ec5b0c629f83

SHA256
23fd4d35f0dc2a9441ea324a0d36e8c4a6fef8dcecdfb2b531a8e1c913fa3005

SHA512
441e3e6270a931d74876d2ab309947b892700c4d81d1800e4117687821b886199e08057ef8fe42bfec83b7036cb38ca5958304796f4a6f33dd2be16badc4ff0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
26KB

MD5
afb5b02763888838becec25058582da8

SHA1
1b8121b454a03e25e51bc954cfad0c8f525769a4

SHA256
efc746ada5bac68d6204d4f48277045117c648dbef49946c2cd6ac4b3b6ddece

SHA512
c44b882df1a3760372233d913dfac5b9466b7882aa76ace91b9a6d5a1dbd20958f3fc69285b91388226914a2794ce2d8f4ac10f847886f306944e293a9294b44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
22KB

MD5
3e90f8f15a323b429b2399623b74b959

SHA1
cb426b7069ef50ae2a51af881085c7da1e96c6b2

SHA256
278661138c0b519a4e86b105b7f3d57cd9367ad3519601c53166b3e52a75db29

SHA512
384f7c8dadc6749c192c026c03218ce246bf0ce19237ff22b9cba18f12811a04fb18212656107ee3b8c21b1ee252bc388037cc757201805092d69a5ef16ce1e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ca6f7f8ab881f56949e4dbef4c18c50b

SHA1
8ed86648a855cf759154faa03d2f79a1b2326fd6

SHA256
568066998f48585b5e064a37e67ce01503a1e1a9650f223000e9f6a69668d088

SHA512
ac18ca69a90b606eccb266e6b6478bd732e5dd70711ffc0f0adb88b116ca84b7aeb89e67d6bd216fa58130405ce26f27b39b03368e1f43f83f2ee5dda09d98fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a9fa084a190800342f50d69c88435aa4

SHA1
c1d75f1eafa029f169ca5bd1a089ca48c92b8885

SHA256
60d0872f2f02288d5149eef98c90034dd2ea717fe94cd58eacbe4a94cbc66cf5

SHA512
79a5db62833466156d54d0ae43e285a97a9a441fc9276dc09a541aaa211112c0f092fbe664bb2f352762f8cc6d6fb60f61d32d881344cc7ccb87b018ef02c42b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
49882400238dd4d8d37a7ba9d25b85f3

SHA1
7f4493242b9a6175b0d6ca63f8d2c73c1020e837

SHA256
5ef6430dada9bcbd80db85541b98fe841d759155df187aeea5d784050222f476

SHA512
2767731e26bafae5021bab56e17e71b45e0a5d976523f9963b6587924b996aafdb41ad458501f1c70d4e06eec7d090ee3f040657320581f5a53c85e35698d0a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1230dd338065afb2fdac49dd36dfa123

SHA1
3089bc186021ecb540dc807f3ff927d25186372a

SHA256
380a0391e20ec4fa95fa38ad3e190488e4cae06b70f9cc1186caf9636987d453

SHA512
8d54fc28a29db7d7712812b7462f293cad2767e30307ecb2c557664e051ed5a58db7674718846f7662f16ad56d8f2f4994ef1f41f6bcb056862e851dbf527f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
672dba44c640e29a15b5535c3dbe1fbb

SHA1
5d823640c9342dcf56887b65bf7e3fe8551fb1da

SHA256
56ef13f6971f952b0b17c54b880a96ed671127566982e3c91c4aea5fcd832d41

SHA512
04cc5a312d8d30790872dace8ae6c94b3bc57324b71823ff91e2be34d98306539de5717613efadb9fc4f15bd337cd55ce08d0bc2abaef8f53293b139ffe5feae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c2c80523565c3ba49384cd1e701d8291

SHA1
f3cfdb3220527db8dde5399678efb4031eaf41b6

SHA256
e2bf27eb0a2ebe753fca64bb3fb7edb254718f1ae8f0702370746cc4a747247c

SHA512
e77a9eadb3904639be2e7333f6c0ad5785f60a0c63be864f4e7456cce0b679ca058c0abbe6e63a206b90cae3715cd6dc3560155e3bae6195e2bbd99ed7ebf480

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
dde2f9b2d8d9299bf4c1e2b68f2fda45

SHA1
fd97adb53dfe383ca649d211873819dd0610d88b

SHA256
71a78df63edab7fe1b21007ec677886b84fe2436966f192bb0aebd1dcd887c94

SHA512
3720928c218d86e6ef85f5c56a09cc938b87f65f86844d8f7819f2437346320c58df6c31116ffccbdf0f4c5412a50ea51accc8f0d249ae92986879b994cd6295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
395ce366311f3d3cc1fdc92d65510c21

SHA1
384e1ae9fc5470d4391e4b246a697617962037b2

SHA256
7eb2ee5b30a0821145378a28fd7f8e2235a7893ccb71e540ac720ffac0d2167b

SHA512
002aff1dcf4890dc7d7ff083d71a4915021deb8b048f612a18de814f17e8895cf6f7986d4c9e2ea2510d6a0ca3481c494bbfec8dfdf90808091fbc57f63c45de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
3a39acd2e2e4c4534a13324be26c8b34

SHA1
c5f9a80021b899306ef28693e66251676d20efd4

SHA256
78252ae8fa3678fcb1a1fb294d5ed0f4cdf368218de027da0da26a278afcfe6d

SHA512
f24d0ba1573d0566d97fe0eedf3905e59aa901bed23a9e9f2a82084572ca87d3c5503c9c4b5ba90b2e2f73036d8eda16670b277d91f80dd4723a9f06c75f12ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
23ff1099bb66dc273e7943148e824ec4

SHA1
f98bf877133ab2f9f9f413e7bf56fac8bfbbe050

SHA256
9c582fb55188ee63400610f70b03732d356eb0580dcf164798b45be502feac69

SHA512
a5865b227995046fcbab089758cbbfcd2aeac86b83eaf334d52c1c08378ea8240b24a4286fb2c6b5f7c4696397cf97d53730427366146e3d64591509788d75a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
c10019cbdb4e9f55933902029acd17b9

SHA1
32aa9f832d3926558bd369d94a0910544bb4aad7

SHA256
ef2628bbae965dcaa18ed55c861ad92bcf149f429cf54c2d24aa8580bfc0a60a

SHA512
84cc1f811d0f7803046f722e90f1cc92249fc14b5234abc6c3433883df68a2b1f651a781cf1c02dcacbda7c48baf340bc5b10981ad2f4a86530a2587e682ddd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
fe2b9b2e3bb7e01b21315c3601c0ce1f

SHA1
1e67f3fa968cf20c06d3b567389bc6758fe20e82

SHA256
37a57afa4b17801634034ae6237b5877a282263804dfeea9aa081e8b48bf73c4

SHA512
212089f78b61fae251ea24a825414bda7f358113107321015189a579ff98aa7dc562e039ac101e0bda1347d6bfc04b4618fce17764465a345006358133db0f25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
75e91a2557f6df4c5532cd16b599a7ba

SHA1
5b322ee3b6c46d679a470765c9f41da90b1c422c

SHA256
4395fa3d074cd3308a5c7e8172f48617cabfea3784a65f9019e8bfe5027200a4

SHA512
1ccf30b6380f187414e7a5c3c5a409b6c0e65fdb9a7100b94edb294c7556d0c81cee13327c54f10bedeb4477123be0dde7d30e1a0af2725bc4ce02df246fe2df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
eefbf572c491205ecd0837765c1fdf5b

SHA1
36af87d347e202b5709dc8967900f68dbfdff21f

SHA256
2a39953aa041e6339bdfc83ab0af9f8c10735b45656f54e6c7893fb7693956b1

SHA512
0faea1969551e8d7e57e72266fac4a8efc46141c930c5b30e74b689036f00f45f733cefac1aac0f9a3f54e0c0b89abc539dd7f3caa4de034534bb93e6161c7f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
4a74b2b254b1276ab7cf8d9d3a5df4da

SHA1
5b9937178e3ccb3ae4f1aee628e98879620f815d

SHA256
bf878861b95687a9d9b802a31303b9b69f0de50dc7de6ccc8951290823285aa1

SHA512
381b2901783f00db6406a237e3a55110d1a2e2be689b16ed5ec5c46907e1d234fcc000716457de4807c42bab5d0f3d549694b5f330d1f5fdcadd6f60fd792d6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
84a528cb02cd55f30f0d765a7274ea93

SHA1
5a39bc1a6129116b68fed1c11ee1d5a260bf87af

SHA256
e3c204a22fca54f86059019e980ccd8d5ba3d26c7ff83f9547266f2201fb7c22

SHA512
e4360a73a4febe0582924e633a293d8e0243932f872c798836d52ea1a3f1895674af28a3e49cf1ab14a28f39effffe7650c871ba6da7963d67bd64af01ef3f0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
55cccd19f358ccd70c9a84af343e279f

SHA1
b3e44b1ab71931f3ae49ee0bc9ee4dd644edfb07

SHA256
51f774f16bb6b68707f27f6f19d9adfc628524a9450f8095702bb999c2b74a69

SHA512
6b97007342e432e3a605dc62a33ff93b4ce4f949f0f7109e0d39d5da3e26f33b76c4a6cab0b81751eee3b35cc7e522fd4cdf53d32fdef5e23633d0fe0e7a0cbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
68bff9a4142682e5d275efb9ff3f4715

SHA1
3068092bde6075d1dc173654c0c4629707b698cb

SHA256
6072fb5f4a3f7c734f889ab1de111f834b1607490acecd8000ced3d1d07221d1

SHA512
a2f173487642925f47bfa6024973bdad161d273a6e0561a5e0ccd0a99972fb6da265948551641fc88f3cacc922be412af458e95cd04e9e8e96cd233ba6ac7d91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
5b63aa8ad7c7ee7829e9252bbde6f867

SHA1
d0c651de4e3d971633e9b5dc80aff7bb29068a69

SHA256
ebbdefabdf436a05b6fe66fb752db8abbde4ee9ec1155dc49eccd1b04933111d

SHA512
a7c52d4e4c54336324ff2cb52ff9bc468c8d960935939c404db27e8aecc6a90079cb81be60ead288ab53e729d151c9a0afc603087db730933aac3d41e8cb1981

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
526db80e43d793054399f0f074b12bbd

SHA1
d7e7659d3b36036617dc6c7c65bafc905e211dd6

SHA256
b033e5c04287d61d8980627c17a749067731eb4228e6e3b40f611b8311958995

SHA512
1204ed0cfabff4e3732ffd17300ddd3ae6d4248dde3fa793b4d3525336c49617f810c78f6da02058799a6f79ad449666405d0d306a3c1da709b17b0c09280ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
a44806727ca7ec5ed235637ac2a70a5c

SHA1
017634730666d40e4a39555b61fd8543103fff16

SHA256
bd8649a48fb68f1072e14b6cb5eb4e3da28b1990fcf0bfc43050ce4c5bdf55f0

SHA512
e0acdf50a11b04a5cb691a2d8f6f5465546319053ed530bf7f0608108becdd263de43705acb20cc3724d3fc0cc43e064a51c42548a5f4c0be4789a176718f452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
2256ed356988f21ad831dd0574814c38

SHA1
eb185641a4173b03040d0b68d5975f030ae80b05

SHA256
f8a433de355f5f7d426d2e8dfb6ff04d2250cbe533e77903e2f14fd272661d6a

SHA512
f454fc0214c89e890bf76184f82759b1cbfd339d0d542ed9108bc3bab0e9162bd6ddcc1023684b5b1ed6ddf5518d1b44e1c29ed08ab61a14a2498672375dd58e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
2c7f4b21ed8e7489c57cb7cfe1f9d5f8

SHA1
aa89e4c6fc0986d2eccd6ba7967a54b063ff6147

SHA256
84d14e0a9f238ddb72b6cb48e1fcea3a532c87379dcc3fad6b6c703cd4c73401

SHA512
9930be9dffe338a8967bfd61a8cf366470215761e75181dbb9a6eaa612c78143adfd1e3c6a398aa94f6fe98fff68546678c1eab3c6c2b935c34513779d59e961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f0d116626311b2ae2ae95a4cb3076eef

SHA1
156b2f20ba0c8e54df214cdc4c9d5f03e8f2f192

SHA256
9165a9667ac798ad8c46a8e966a8751fd0a0cac8824b837f7c2f14c10a404a8a

SHA512
134ac7fe9850235b6e3a7de3e1ee8eeea35aaf858632ceb101fc97200e1d9946be7a05486d93a6361b5eedaae5dc141cd62c9ee059a0a635f834339fe559ed5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
a06e7aa0e287752af1ef44fd47a7a479

SHA1
2e0c3f5d67a88b0e8f2eb94cba7c257c26282356

SHA256
4af018cc90c0d1506cf7d14b78ab38f9cda4d596bf00acefea9ae2d3c5728a45

SHA512
0281cfd89029e07e785f7564e4bb04764a71c3c8af0d9886f6431826c871aaac3c50b07dc100453cef7848ab881f9191547b29a7bad6fb63952bf36b6bdd0355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fff5499672f61d3c03c9f341836a3357

SHA1
401ba623b41e25665b607b433fa9e2774f99af8f

SHA256
c3c6e60bee4728318eacd8d533a53065eb4ec3fdf58d63d5e7f9d983789a91d7

SHA512
8710320d7bea5b0f75428b8abbad72a1970a9dd985277d059312a4c4a782556aa84680dae23c814b6ed892d1d89286def3a48ea05a79d7754114c12936f953e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f3bb536edfd244ff6bff2122849f7762

SHA1
408cac13dc9798a73ae758a4174422c632158db9

SHA256
c1f9ba8c71a5afa1c7dbca075f10e833cccb6c09115dafeaf76d5f2605c730b9

SHA512
041924c8231c51918aa4c7ad5e200668b15589de77e6e724307d1a8d408df4c08b6def3c92e46c031819c979d08d02a382e70dd414308d3a065e5d4d0304a8eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b013efc21080e8af32f23cfe5be806fe

SHA1
8952e55929c7b2ba8bfa23c5b399e58e2b3ccd48

SHA256
053facc8207fb853805bc4aa5f9a5c39ffe94e6bb60a53c0cc96c820c3e5d2ac

SHA512
76ef97d0ae81baa38a32637c27334bd4870d3ed2ba899cd6f1b53a91a53bcc4380b486dc0971c358dd36e5a5a91b01f5904b8819f36c4234bc0c8a85e94ebf26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e50ba195c69db037eecb9b7ad9c8a3d5

SHA1
06893f551112a7d914fd9bacbb0b7b93d8f837e8

SHA256
caad07a88e35b49d427292413fdb7e317dbaa74fb3a85de4dbf5d29f11b3b3a0

SHA512
c0c9b0dd2871357ac481d8092b48788e6c16e45f99afbb1739b3791a8180bb0d4c01a3941550990e9af5d581274eac5c01c79e0d90e23defbb8425f4f6a3e6b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1d78452601ed278e302125ff909282e3

SHA1
9612b52d7519fef01fae78240b8436b4e6e05111

SHA256
cefd6b43d58e3aaedd8a350ed2658b441d096fef27faa4d3f6e0eece79480a4e

SHA512
a844aa1f5fef9731f4a6102a85ccd23682b6cb6418146c9cd274fb8220d0c9b52fbe6334f6706ee257439208056147c79fd96453f56fd4c066554d94da2cc578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cf26a4bfc3bfd698896bd74f77fe166a

SHA1
83e42206982177553929dc9944e6e3c94e316022

SHA256
1489af3168827708f889a3de01703d9b9a0d8b0f77dab78452a47b828cce367f

SHA512
ce512990444b8561c0dc626efb80c73b84cf2536c7639163f2c1fa44b9c971dc1016d4e9b5ac414cbe4500fc27c501cec0b1cef48c754d1c26e02bf5cde8da50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5d811c0d5ad32a216908a56cd587713f

SHA1
268d9ed70f0afe5144f3c55be51cf6de60fb5605

SHA256
2e09b16c8114bffaeb8809e9c3831b8e4345bf37764b88374f2a1ba1e59fa3e3

SHA512
3342730d79145df14735fd79ed5a56bf0fb28d014f25652eadf49e0859bca46f47f2dcdfb5ef0a943272d35ed2b2f65ac927732d4f9a8bbec7531006e6650735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
18e3c5aceab294ddbcc1a5c7d3ba0f5f

SHA1
995e717b6b8850141a68e1517d3790a94617c930

SHA256
d292e08dacc3093eb568d89742125cb71ede5d227d6520a6be5b24975258c75f

SHA512
a45f99f9ab91849ca9960a4559c532186be3dad1d526d32ee264f06efc545f3a4adf76d4f0946896d9a8f3ff9f2f9b79138b33e74d03ed1a1524e1a6f03b513f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b8ee783a-ebe7-4648-b130-573e5902f036.tmp

Filesize
7KB

MD5
2dc73ffdb9d43cc0a1cdb7cda948abf4

SHA1
abf1fb284cc0eaffe0c8d187c5245955713bbc4b

SHA256
620cb3cb90d94e9d1f91a32b1484d6ead2850f9409f9e0473eae76aefc11b558

SHA512
97ea3140dbba7c46e29cc06cd4cd8d7bc8fcd047dc24093bf47c7cecf3de13dad8a6609208bcf1560dac0937ed0c09ad75d9cd52745681bc2dc59af37b50e2b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f637a078-fe81-46d7-8771-d6fd70204804.tmp

Filesize
7KB

MD5
72d093406fc9648b2ddef41f6db92a3b

SHA1
d6ba50d899d72f221c32a182f233d4e428f435c3

SHA256
10545f7be44696f3a53a53c66765b1b68b20d6bb7f389014fac3745daafa7ab9

SHA512
bb346308872506b881f343894a2231b2a985407f1082b783bc668af76d91fc2f5f938304909a7d94f6225078fdda9d56fbc5629b45c45e192c01fd09b24763a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
aaafe73511cc78be50af5cb48a28b829

SHA1
a138e425c04ccf1b2753eacb41dbe340d8f3eb51

SHA256
3baa3f3e7c31941a650998518df807fc51ee510ea63b43d0a62bd2875b86a21b

SHA512
be82e66bb78bb715c72299ba3655bd489bfca8944a3ed346a6983c5e36e29dde8973f457c087b0ac74b0b67a4c8c51d01a830d625d621667bb602e3759998e4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
a827c4b5231fea5ab3c7bc283f9f692f

SHA1
77606b2eea7a9bff69b933d8b760d60e64d49156

SHA256
3dd75fb94df86ba81ec0c2d5286901484b9fd9be56b5756a04394985068ecea0

SHA512
98ad2061390ddf3058e60b02f709d57296a79dce41a8302d1ab392a69b59e626ffba6f9c4fd83424dae165b604436837a27f2ef46bf939a103b99675d1296cab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
2321e09db2ae02cb7e2c95d0c624949a

SHA1
5ff71809e7cf072f8b57b15938fba21e10a3e197

SHA256
daa5b42ca709a968a1a906c8f96db86e6f1b75fa78d9015adbabe249cb77ee87

SHA512
66a995f96e006343c372ea05519c99f3ac1a8ba7f023b8bfbe79ae14973b7fb273f45626ccbf3e0ded48ab10e85baa5549bf4427d86571687c1fd87c4a1cbdee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
6f35c3d931fa04381731e4e56f851502

SHA1
59c7839b2ba0656446b8c810c7b2c5a8d7a4494d

SHA256
c67836d3a4607239c2793521e8389523757be0ce307dba670d8b6501cb78415b

SHA512
7159e350a0a8f2c747c09c18d1f9bc2f76b63fc4aa78f29d5b8507bdcb031103c7aed1fcd77be28c9f9e2cea72a2593440667770f56843518364c7685bf61465

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
11a343cae7749ef8cc1f0577cde16fe8

SHA1
bec930f7032eb148528feb3e11cdaf3c8003455f

SHA256
6de35d23892d06941f076856bf8612e49bb31972f61992f9ea448dacbb821358

SHA512
7323a64556e767a24bcc9d57eeb8827151d4a797d1de044ffd96fac1e418163f924b9961b8d13b0360c1057c07e971be97217f8c9469795b58ee1327d736b3e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
697257ac33be77adef57a1e05e539bd1

SHA1
17f9231e1a04e11e9c4d1788ac022e74fae6b49e

SHA256
c8330f48691ad14ce1f20cdb0523dcb3d070a3b4b7bc6429ba30138501b0ce2d

SHA512
5785932a00cb7e0ebc4c46b8f5f8d8a0d4f2f0991c9b1a26521da54b68216ca87ee4655d280b5ae9156621f8f2b34ee0e1f828ab8ca2c17a89a80e68ed78b2f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
3612ac4eff41b3db6c6f24418fa1a798

SHA1
6934f91f9ea7ff59c65393ee4950da05db6f7144

SHA256
905fb4ee87576e366a31419102e1fcaf2c840e16207ff02258fafbf20cb57443

SHA512
23424cc7e2715225f02345b1521437e60e242b27d72f04bcc70e803d61581cf63c4c2a890fb04a444317715086c7a88d29f8a69a43fa00af7e828c0383ed59c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
761e40a7df27d10a4a73bd2cc7d10a95

SHA1
148c94d726958007be461bd7427f1b1fe6c2cc75

SHA256
a18581f5ddfa9c607ae8f43781b8230cd5d49cebb7738aa3ea43c91e50dacc39

SHA512
5dbbc5da75661def471c23d151653f767c7a41cb38dea0a62f5a7a37999c8c346ec7dfe67726faed8344ac3b7edf348ed28891f07a5583c069c400c04168225f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
116KB

MD5
f029701a746efb640341abb7c45001c4

SHA1
b09aed6ca19391b6822d8f79fd8b9cd334e9848d

SHA256
0e209f65617d055fa1614c7213139c247004bf04de29d2e63758b5cc7fddc7d9

SHA512
aa6d2170983beeb794ae1b1cc9691fcb46bbbc5f722126436cec7269f501555215ec4c14610a977d3a7b8db0596404e7ece297fa20805c65949c2aca712788c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
c17639fd1408417f4b6d19a1bb32e7ac

SHA1
f5921cb214b80f016093d3b3eb07e1e6b873b008

SHA256
2c8b521414d9557a383490d9b3c6db28c1ad7fe2a63db77c0c3cbedda9757de0

SHA512
8a1c404dd8699ac85214f4a9def9b018a8b8455b6b2304ed00c956db711d74545d3e7095d91236350e992caf5239ee0be4a53da88d3685c40f909324e1ac360f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58f807.TMP

Filesize
98KB

MD5
d1fab871c8d8b1a41b020a4621a3f166

SHA1
558f2a61737b482cd8b029f47e599a61c4f21008

SHA256
adea1032e3ee392d4fea1379135b8f76bf13d9ba71c767dbb796fc875f37a842

SHA512
20379e91802ee5e54a2493793ec0f7b58076cc2db2d869d5ae216d8c89a379c54ad285a0a264a865dc40d62339a615f22026a54b907c69156935f7b079aa1e65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f16e84a-41b2-4293-8413-3642ff560aa5.tmp.ico

Filesize
278KB

MD5
ce47ffa45262e16ea4b64f800985c003

SHA1
cb85f6ddda1e857eff6fda7745bb27b68752fc0e

SHA256
d7c1f9c02798c362f09e66876ab6fc098f59e85b29125f0ef86080c27b56b919

SHA512
49255af3513a582c6b330af4bbe8b00bbda49289935eafa580992c84ecd0dfcfffdfa5ce903e5446c1698c4cffdbb714830d214367169903921840d8ca7ffc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine Symbols\structures.sqlite

Filesize
10KB

MD5
551f7a35dec7a2436efa7181df0f5db4

SHA1
38eea293ab5906fead7df8351863fd75171f864e

SHA256
9f5c71448b5a562560e138ba873e4d827da45c83745e570fd40df43d4bec56d6

SHA512
ce47d79874f71fed3b9930717a8bd2b827dcd6f8cd1d1de7e1b913d69c9dfc050b6314538a0aef88a3f89adc78ce1e5c55a8661395e1af373de34c296093271f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{101DE453-68DF-4416-87AF-CAA533DD8BE5}\ADDRESSES.TMP

Filesize
3.4MB

MD5
ea0eb76e2df98cfc7a19f29228a0cb4b

SHA1
0f18f8bfe0ac5e097040a520a0c40e538fa8388c

SHA256
f7850167ce6a8c0ce1241ddcfcc8315e569243f69a09bd12a5d38c0d07ac3da7

SHA512
fac91f1a4fdc066bc782e2c448a2d2c606ca637ef0646142ed872e2e75f7fcda06297885c7ca70401d4d5cdd1822c94ac8677e78e44a48154821c506c58549c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{101DE453-68DF-4416-87AF-CAA533DD8BE5}\MEMORY.TMP

Filesize
1.7MB

MD5
866783a292c8072ef2d3c14fa18ac75a

SHA1
7a721d318f73590a693dd0909659b3a0737ae602

SHA256
d0e45a3404715679f1db3914b815ad78230db3b7d2630338184288ae321c46da

SHA512
73b63a371698c53d258d13b3916c0c519e975e809c65e43dc13637332310fc9be8680e082467585c1bb1b2ee77398c1d342d002f553e1798a9004bb4d7e84121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{2DB18C7C-6294-4A10-9597-1C9AA8AA3374}\ADDRESSES-1068.TMP

Filesize
7B

MD5
ecdf0684a14d5b747c245d659b5f33b1

SHA1
fee7035409106461ca06d14236db42543aa042ee

SHA256
631bdc5422d1339287bf86b7a204f35956f676d473b27879f304d608238c318d

SHA512
e4cdd4b29e1a8cb4d1161a019a304122df5299d62001c3a03426d89b9b7f1fe69e3c3adff0bd036f333490d8673081da50b3165d44c4978e00980b4df7aa920d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{3A11C3B0-06D2-45A6-98FE-7C8C241A0E35}\ADDRESSES.TMP

Filesize
3.5MB

MD5
39085e141a3803c830dfceeb1f434c4c

SHA1
76f15ae7348f0ac860f389f570550cb7dc5fdb1e

SHA256
29ed17e00ea8fa080e080606c2f7bb361f78d39f511a60d94cae3e6babc6b288

SHA512
684bcd8782cb66c57150840d0aa6beeb4744efa3764e12c81827270e4b5bbc98833855a03d327f0951ae04759932edfa6c223e6033f2218e9a57c9391260a910

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{3A11C3B0-06D2-45A6-98FE-7C8C241A0E35}\MEMORY.TMP

Filesize
1.7MB

MD5
b17b6d4d57cd5956be18ade1595aa154

SHA1
d29d9ab787b7f4986ba82c931e716e760985d28b

SHA256
ebe260284399a428ba39fcbc90858ef6a31d2e132a1f191c6228f50e6ff405f7

SHA512
a2e64fadde0b72a52e174b3d71acd309b5c7e684e987332da71b5c53a99e435482e28d1f583042903b2156024886bbef57e312bd4de49fbfc151c40a1cf929f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{53A2EC8B-F1F4-494A-A3CB-8A33ABFD21DF}\ADDRESSES.TMP

Filesize
3.4MB

MD5
1a6f39e0fc36f356f4ff51dece32bfe2

SHA1
9d35f07e10f614fe1cdf859c8976842556a70061

SHA256
1773b3c50a2fe7abaed012c426953faca86dcb983645d68a74ffa79e1986f9cb

SHA512
74964309d0df942b4d445fb2c03ea389071fa7cd4914dc3eb102e868416242d73782c78715f771ca3c154f83d38ad9660f6972be0da63db781dc623f714d3ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{53A2EC8B-F1F4-494A-A3CB-8A33ABFD21DF}\ADDRESSES.TMP

Filesize
3.3MB

MD5
05536eda21c9a1650fc50aa687db3b22

SHA1
82d984c738babd434e3f202c7aafd91fc111f21c

SHA256
16d9e3ece8ad9221a111f25d25cbb5840e0255c52d0df06a3a1a6b39418f96ed

SHA512
f686ca98ebaddcf8a24030687de12595d6d44741a1f51909440294f93c636a1d3987adeba21319cdbbe6146ec3d47acc86ca7c2bbdf657ff8b985e5bd7c0ff35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{53A2EC8B-F1F4-494A-A3CB-8A33ABFD21DF}\MEMORY.TMP

Filesize
1.7MB

MD5
96e00a8cf9b67214cd89f92244234363

SHA1
a8c1ba0f7db319561d70dbe0759228298e8d0c80

SHA256
5fdacb6e8adac92793eccfe42098f0e2a3684f3b057d2fe3097e144e300aeb59

SHA512
9a4ef5d340da31d589a8628d07339475684cac047474ad59966ee38d48c13563113ace9db2603d8cfc86cc3fdc00354204baa5f482660bdc6fd4d7dcb20ca60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{53A2EC8B-F1F4-494A-A3CB-8A33ABFD21DF}\MEMORY.TMP

Filesize
1.7MB

MD5
e1f899a8f26dc0ea3e0823740cef7b9b

SHA1
b2381035f2968e2654927e49e87c81a068518862

SHA256
cf183eaa120de7c406d89614f718105736bf089dd5ee508a8455a89b50b3feb4

SHA512
97a3d966be5240d6b1c7861b21f243c3b556a6af6d2b9e58f1bdf82135c145f1e824364b71715730b7bfeff0c82e7f32c2871fb20ef7400498e8694b2cb0bb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{53A2EC8B-F1F4-494A-A3CB-8A33ABFD21DF}\MEMORY.TMP

Filesize
1.7MB

MD5
20148fd440ef5baa1ff1fb1d952ad35f

SHA1
874dbeaace10dec38b937554a8861d2dd52b086f

SHA256
a84ef5bd4d2c39cd06df6268cc9cf9e4d1aef13a33a278b3848f96f1fb3a6a06

SHA512
78fef0c87c63e16f4a9f97117196a7583b3bb96719c8de1b931415a108ed62fa2066a7d5e5a521ac750e8c0da6182993495365aa2dd9d92a5dcb8f31812135f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{81B7B8C8-7D0E-4A81-BF11-AC467561B57D}\ADDRESSES.TMP

Filesize
3.3MB

MD5
bd121e2d47884078dbee16b0184a7953

SHA1
f7a2e1ff6669d9a8d24adc99a9c8077f3b99ede3

SHA256
4f3af6fbbc4765086023463995dbd59fac9308990cefef0cad9e4f57644ceb89

SHA512
1b2e05b4e34ae6662aea273b9e206d1cebfd356f18cd84224dfd07e7e11c686e36b7f68db8d1112a087fc908395ff8619ba7e6f2c1fd75d009e076f5f8b91b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{81B7B8C8-7D0E-4A81-BF11-AC467561B57D}\MEMORY.TMP

Filesize
1.6MB

MD5
62e7b1f80a7918db008000b8aceb8a49

SHA1
7fca3ddcfbfe06d3668df5f72f42d03a11086616

SHA256
e43987192452106937638d53554cb41d5c4897d5bd7e30f93bc97eb07a44a6e6

SHA512
1d3cfedd8f631e314f1761d071292610835f545a1196a04b2bbd8e0c78da260543cb2c28654e59e0a1cbb581a68aebd7a63d6416b241432c224859836b3e0c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{9B131FA6-33BF-420A-A5EF-D01203A92CE1}\ADDRESSES.TMP

Filesize
3.5MB

MD5
8e6063b7779db68eab2e935b790e4ec2

SHA1
ab39c61c7b987e461509463d4759f315f50e8627

SHA256
7d0743ec1d220a7c48ff4c83bd43af3e80e038d4ad7faa9d910533fdd01f73e9

SHA512
2c7f72189d2178b3c8dac1a841dd18e95dd748d3c8767da4d8bb33f3d8bf20d20667520f0595c2f5bcc1c19e36c3711579919834b636a900b264a75e0db0d1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{9B131FA6-33BF-420A-A5EF-D01203A92CE1}\MEMORY.TMP

Filesize
1.7MB

MD5
c06e450cb6eef88c53c778b993bb7e76

SHA1
ad4540a1af5bd0091795d29c68961f6be012a926

SHA256
dcf7645498e0320d2fc4ad2648b1289614a500efa24c1d553c525b5a72f1d72d

SHA512
01e66d0df2d69549cc17d05026b3e68386c4ebbda0710bce286ae91e62d89dda733b071ec3ea28f2092bfd447159d576cc00b7adc85824bc31bbc485e3cbf089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{ABFFC125-5534-4A73-AEA6-003FBB4F6E9A}\ADDRESSES.TMP

Filesize
3.5MB

MD5
ae11013442685f83d4c861c4567d2684

SHA1
a0b904b82ba6667c85da708e4f8413d5733d8648

SHA256
0f2939217bff1127e06ded1e16a82464c62fc1e1becd605a1fe654110adcfdf0

SHA512
4461a499e09a0f61bceb5924f025e4212af89d26bb64323e2abd7b23209cc8b0acdb019e61ca9ac032f99eebf2ba5c9a31b5915e60b2b8e1daa760683d4fed6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{ABFFC125-5534-4A73-AEA6-003FBB4F6E9A}\MEMORY.TMP

Filesize
1.7MB

MD5
542a08741a1c18d3836ebe5125c6f287

SHA1
af37936a4e742a93e7b78473ede0d8b8d8a3360f

SHA256
8a0f93f6f86ebbfba607ec9c33bd1c927897b3b363c5b9c69d65f5f349effa27

SHA512
58fe89d9fd43d599e56c8e9254b3d1d51c3e3c54ca761089cbfc38477269c8e4cdf03cf4452dc3c2d674d8fa44d198d8b846a7e1a2eeac81266dcc806242da37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{B6AFE587-F10E-40D5-8240-DE730D674F21}\MEMORY.TMP

Filesize
1.7MB

MD5
5b9b9f29d33f6100ce9190d7c94de677

SHA1
1628ab108e3b60e94bbe7cba648334c4c5d61986

SHA256
07c297f7400e5e821fd2fa840a4e69ebb288da8e684a22d0aa23cb2be728d260

SHA512
005f7ec0047b23ad203322566fd104f490f5749acbf91aaeea0c6cad94431b7accf1e9acaf3199a1dc85d0437725888f7567f1ea7de111b97037ce401c96aa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5cz14ax.exe

Filesize
1.9MB

MD5
c26b7c90add39d879b1954f9ede7586c

SHA1
15b1dbf7cc4eef693307de3e8343c07b683e2de5

SHA256
7a2e4190ec29bf80e0c1695a82530ea618fe58d4a8c3ec232e5c56170fc545d3

SHA512
f8c2222db3ff567f8212f76a5948a8256a569e41171314555061d30f03ddadbc25d0aa9c1a92ce3ce39cad350276ebd896853df0feccb62553204010a2b6455b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B585U.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GNP5O.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
14e34c5e0e3c320b904b9500e8fa96cf

SHA1
47cf88e6ddc1683135194b9d8b1cc32c78277f5e

SHA256
7398bd01e78df0d69169402f7fecf781c23f61127ba68290d146582ebadbf2ef

SHA512
6d99202dafd3209622e6fa217407bccd0b4157550d873bff36f06a279c499c9e98cb01d235c337d76d86c9e3c369d89712450fe1353eb18b2b7c108abd67ad59

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\AVG_BRW.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\CheatEngine75.exe

Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\WebAdvisor.png

Filesize
33KB

MD5
db6c259cd7b58f2f7a3cca0c38834d0e

SHA1
046fd119fe163298324ddcd47df62fa8abcae169

SHA256
494169cdd9c79eb4668378f770bfa55d4b140f23a682ff424441427dfab0ced2

SHA512
a5e8bb6dc4cae51d4ebbe5454d1b11bc511c69031db64eff089fb2f8f68665f4004f0f215b503f7630a56c995bbe9cf72e8744177e92447901773cc7e2d9fdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\logo.png

Filesize
246KB

MD5
1df360d73bf8108041d31d9875888436

SHA1
c866e8855d62f56a411641ece0552e54cbd0f2fb

SHA256
c1b1d7b4806955fe39a8bc6ce5574ab6ac5b93ad640cecfebe0961360c496d43

SHA512
3991b89927d89effca30cc584d5907998c217cf00ca441f2525ef8627ffff2032d104536f8b6ab79b83f4e32a7aab993f45d3930d5943cbfb5e449c5832abe14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\prod0.exe

Filesize
44KB

MD5
63f84a1576a15c6b1da118983c59bc55

SHA1
68644b4b3186d3a61a195ad185d02208e371c7a8

SHA256
4339f89f21cd03322db92bac758901eeccf9806eca1a388df70e694534ca5173

SHA512
1055bb557ad7e05bec44490fd9de34554c3df12ce2fe03086b0f6517ea54e15e3fab39b684e476a41ef7a7ac72916d4ceb751b48f2944850cb94e5ff7eda6abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\prod1.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\prod1_extract\installer.exe

Filesize
27.5MB

MD5
d2272f3869d5b634f656047968c25ae6

SHA1
453c6ffa6ec3a0a25ae59a1b58a0d18b023edb16

SHA256
d89a2423da3704108861f190e1633d2100ecc30b4c40bd835ce54a6934887bc9

SHA512
41072ef6f382cf6d4d97ebc2a49a50a9bd41b53508a8586fd8d018e86aed135e8ac2cdd16bbf725e4f74f14ecfcf49789d3af8924b6d5dfa6b94dc6bf79a0785

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\prod1_extract\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NDIP9.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3377.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\377ffda2\ec659d9a_4da4da01\rsAtom.DLL

Filesize
157KB

MD5
3ae6f007b30db9507cc775122f9fc1d7

SHA1
ada34eebb84a83964e2d484e8b447dca8214e8b7

SHA256
892a7ee985715c474a878f0f27f6832b9782d343533e68ae405cd3f20d303507

SHA512
5dd37e9f2ac9b2e03e0d3fd6861c5a7dcb71af232672083ac869fc7fae34ac1e1344bdfabe21c98b252edd8df641f041c95ea669dc4ebb495bf269d161b63e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3377.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\505eb7b8\e12aa29a_4da4da01\rsLogger.DLL

Filesize
179KB

MD5
148dc2ce0edbf59f10ca54ef105354c3

SHA1
153457a9247c98a50d08ca89fad177090249d358

SHA256
efe944c3ae3ad02011e6341aa9c2aab25fb8a17755ea2596058d70f8018122a4

SHA512
10630bd996e9526147b0e01b16279e96a6f1080a95317629ecb61b83f9ebee192c08201873ff5df2de82d977558b2eeb0e4808667083cd0f3bf9f195db4890d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3377.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\6ea8fafb\e12aa29a_4da4da01\rsJSON.DLL

Filesize
216KB

MD5
8528610b4650860d253ad1d5854597cb

SHA1
def3dc107616a2fe332cbd2bf5c8ce713e0e76a1

SHA256
727557ec407cadd21aa26353d04e6831a98d1fa52b8d37d48e422d3206f9a9c4

SHA512
dd4ff4b6d8bc37771416ceb8bd2f30d8d3d3f16ef85562e8485a847a356f3644d995942e9b1d3f9854c5b56993d9488e38f5175f3f430e032e4091d97d4d1f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp3377.tmp\tmp\RAVVPN-installer.exe\assembly\dl3\8305b66e\e12aa29a_4da4da01\rsServiceController.DLL

Filesize
173KB

MD5
8e10c436653b3354707e3e1d8f1d3ca0

SHA1
25027e364ff242cf39de1d93fad86967b9fe55d8

SHA256
2e55bb3a9cdef38134455aaa1ef71e69e1355197e2003432e4a86c0331b34e53

SHA512
9bd2a1ae49b2b3c0f47cfefd65499133072d50628fec7da4e86358c34cf45d1fdb436388b2dd2af0094a9b6f7a071fb8453cf291cf64733953412fdf2457d98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\Microsoft.Win32.TaskScheduler.dll

Filesize
341KB

MD5
a09decc59b2c2f715563bb035ee4241e

SHA1
c84f5e2e0f71feef437cf173afeb13fe525a0fea

SHA256
6b8f51508240af3b07a8d0b2dc873cedc3d5d9cb25e57ea1d55626742d1f9149

SHA512
1992c8e1f7e37a58bbf486f76d1320da8e1757d6296c8a7631f35ba2e376de215c65000612364c91508aa3ddf72841f6b823fa60a2b29415a07c74c2e830212b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\RAVEndPointProtection-installer.exe

Filesize
539KB

MD5
41a3c2a1777527a41ddd747072ee3efd

SHA1
44b70207d0883ec1848c3c65c57d8c14fd70e2c3

SHA256
8592bae7b6806e5b30a80892004a7b79f645a16c0f1b85b4b8df809bdb6cf365

SHA512
14df28cc7769cf78b24ab331bd63da896131a2f0fbb29b10199016aef935d376493e937874eb94faf52b06a98e1678a5cf2c2d0d442c31297a9c0996205ed869

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\rsAtom.dll

Filesize
156KB

MD5
9deba7281d8eceefd760874434bd4e91

SHA1
553e6c86efdda04beacee98bcee48a0b0dba6e75

SHA256
02a42d2403f0a61c3a52138c407b41883fa27d9128ecc885cf1d35e4edd6d6b9

SHA512
7a82fbac4ade3a9a29cb877cc716bc8f51b821b533f31f5e0979f0e9aca365b0353e93cc5352a21fbd29df8fc0f9a2025351453032942d580b532ab16acaa306

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\rsJSON.dll

Filesize
218KB

MD5
f8978087767d0006680c2ec43bda6f34

SHA1
755f1357795cb833f0f271c7c87109e719aa4f32

SHA256
221bb12d3f9b2aa40ee21d2d141a8d12e893a8eabc97a04d159aa46aecfa5d3e

SHA512
54f48c6f94659c88d947a366691fbaef3258ed9d63858e64ae007c6f8782f90ede5c9ab423328062c746bc4ba1e8d30887c97015a5e3e52a432a9caa02bb6955

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\rsLogger.dll

Filesize
177KB

MD5
83ad54079827e94479963ba4465a85d7

SHA1
d33efd0f5e59d1ef30c59d74772b4c43162dc6b7

SHA256
ec0a8c14a12fdf8d637408f55e6346da1c64efdd00cc8921f423b1a2c63d3312

SHA512
c294fb8ac2a90c6125f8674ca06593b73b884523737692af3ccaa920851fc283a43c9e2dc928884f97b08fc8974919ec603d1afb5c178acd0c2ebd6746a737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\rsStubLib.dll

Filesize
248KB

MD5
a16602aad0a611d228af718448ed7cbd

SHA1
ddd9b80306860ae0b126d3e834828091c3720ac5

SHA256
a1f4ba5bb347045d36dcaac3a917236b924c0341c7278f261109bf137dcef95a

SHA512
305a3790a231b4c93b8b4e189e18cb6a06d20b424fd6237d32183c91e2a5c1e863096f4d1b30b73ff15c4c60af269c4faaadaf42687101b1b219795abc70f511

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\rsSyncSvc.exe

Filesize
797KB

MD5
ded746a9d2d7b7afcb3abe1a24dd3163

SHA1
a074c9e981491ff566cd45b912e743bd1266c4ae

SHA256
c113072678d5fa03b02d750a5911848ab0e247c4b28cf7b152a858c4b24901b3

SHA512
2c273bf79988df13f9da4019f8071cf3b4480ecd814d3df44b83958f52f49bb668dd2f568293c29ef3545018fea15c9d5902ef88e0ecfebaf60458333fcaa91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\18c69dca\8bed528f_4da4da01\rsAtom.DLL

Filesize
158KB

MD5
e5e1626c36117bc60e810c132b99c249

SHA1
753c35e07b1453a80ce2260d3c37387ab457c91f

SHA256
abddc3de4f7320698394f16406cf59b2cc147f903c5afb8535025ef7ea696000

SHA512
145d37fd59b90da9656ff96a2f50db185efe791eafb67d492e9bae3869271c71e493019c08a2390f4aa251f8611c78fa66bca93a8925e3f8f0fa98f4b5278800

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\d18dcd06\44135a8f_4da4da01\rsServiceController.DLL

Filesize
175KB

MD5
3aef2746ab8bf491c50d946f271d8461

SHA1
e89d4c3822f0d2c58bc6114f9e35d99271b2f82a

SHA256
7927338f12e8d1835e97fb342874b26d4f068da95bb582fe0ccfde364e769969

SHA512
6649901243600f82e481408ed95c2471de50c5266cfd42892a526225de0cb0f9469433d8d87d72f33d0d0c8d31f4f245eaa041fdb45f839433f995763c314f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\dl3\f08419fa\44135a8f_4da4da01\rsJSON.DLL

Filesize
220KB

MD5
bd772c48f94ad1012dc608a4b7b55ce1

SHA1
4593870deb85c3ea9d54f1f260e2ab96effb6ee1

SHA256
59733e01120fa4d5cb1e765babf8fefc15d98f7d484cb1902e0d07c4f3c0dcca

SHA512
534b4005c4d7647a42da6489a6c6852d95ef0156d0f76bc76b5c6765e035fa86a46e2ce823962b06b4f74c74623155302974d0dc0cdac7fbfb00fbc3579bc286

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\tmp\RAVEndPointProtection-installer.exe\assembly\tmp\FU3D9MB5\rsLogger.DLL

Filesize
178KB

MD5
3c4180b83cca1278afa4e8f6a3bb0847

SHA1
61988cb6bf9700e517a4344a793025ed175ab9ac

SHA256
4149bd4b31e147776a9b7881b3e40644fc583c4c25e40edc480c996dcb7090c8

SHA512
7a2e8f2664573115c9268726abd90b91bc19664e317a7b5afa001ce3d31b0537c9524066a2dc2fb831e3dd34b8c98f1405699701b3e990dcca175f1bfd40d54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspA86D.tmp\uninstall.ico

Filesize
170KB

MD5
af1c23b1e641e56b3de26f5f643eb7d9

SHA1
6c23deb9b7b0c930533fdbeea0863173d99cf323

SHA256
0d3a05e1b06403f2130a6e827b1982d2af0495cdd42deb180ca0ce4f20db5058

SHA512
0c503ec7e83a5bfd59ec8ccc80f6c54412263afd24835b8b4272a79c440a0c106875b5c3b9a521a937f0615eb4f112d1d6826948ad5fb6fd173c5c51cb7168f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7A44.tmp\System.Data.SQLite.dll

Filesize
362KB

MD5
42e6e9081edd7a49c4103292725b68e2

SHA1
62f73c44ee1aba1f7684b684108fe3b0332e6e66

SHA256
788450452b0459c83e13da4dd32f6217bfb53a83bd5f04b539000b61d24fd049

SHA512
99eab89bf6297fda549c0b882c097cd4b59fd0595ff2d0c40d1767f66fa45172ca5b9693dbf650d7103353f1e1fb8e5259bbcde3dfa286dee098533a4a776e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7A44.tmp\System.ValueTuple.dll

Filesize
73KB

MD5
29e6ae1a1af7fc943752a097ec59c59c

SHA1
6d5c910c0b9a3e0876e2e2bbbce9b663f9edc436

SHA256
cc9bf1feeab1d76221508d6cc98e8bdc1603d5c600c5ed09c108e31b8bd3a6a2

SHA512
cc6d55e5fd23c89d73ecbddfa92c102f47f8fb93f2f6a41d2e79708e6a8d7c13c1961dcd07810db3135d2f8ddcbf3535fb3ea3d1fc31c617ca9b10f6b867f9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7A44.tmp\rsDatabase.dll

Filesize
166KB

MD5
d9cd9c6486fa53d41949420d429c59f4

SHA1
784ac204d01b442eae48d732e2f8c901346bc310

SHA256
c82540979384cdcadf878a2bd5cbe70b79c279182e2896dbdf6999ba88a342c1

SHA512
b37e365b233727b8eb11eb0520091d2ecd631d43a5969eaeb9120ebd9bef68c224e1891dd3bac5ec51feb2aee6bec4b0736f90571b33f4af59e73ddee7d1e2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7A44.tmp\rsTime.dll

Filesize
129KB

MD5
f1e592a7636df187e89b2139922c609e

SHA1
301a6e257fefaa69e41c590785222f74fdb344f8

SHA256
13ca35c619e64a912b972eb89433087cb5b44e947b22a392972d99084f214041

SHA512
e5d79a08ea2df8d7df0ad94362fda692a9b91f6eda1e769bc20088ef3c0799aeabf7eb8bd64b4813716962175e6e178b803124dc11cc7c451b6da7f406f38815

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7A44.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\57031765\203b9ea5_4da4da01\rsLogger.DLL

Filesize
178KB

MD5
dbdd8bcc83aa68150bf39107907349ad

SHA1
6029e3c9964de440555c33776e211508d9138646

SHA256
c43fea57ecd078518639dc2446a857d0c2594e526b5e14ee111a9c95beddf61e

SHA512
508cb9b3834f7da9aa18b4eb48dd931b3526f7419463c1f0c5283b155efbe9c255213ae1074d0dbe2de5b2f89d0dba77f59b729490d47d940b5967969aaf1f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7A44.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\57f6de59\203b9ea5_4da4da01\rsJSON.DLL

Filesize
216KB

MD5
fc1389953c0615649a6dbd09ebfb5f4f

SHA1
dee3fd5cb018b18b5bdc58c4963d636cfde9b5cc

SHA256
cb817aa3c98f725c01ec58621415df56bb8c699aaed8665929800efb9593fcc0

SHA512
7f5a61dd1f621a539ed99b68da00552e0cda5ad24b61e7dbf223a3697e73e18970e263fda889c08c3c61252c844a49c54c4705e1f3232274cbe787a3dbd34542

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7A44.tmp\tmp\SaferWeb-installer.exe\assembly\dl3\f904884e\203b9ea5_4da4da01\rsServiceController.DLL

Filesize
173KB

MD5
860ced15986dbdc0a45faf99543b32f8

SHA1
060f41386085062592aed9c856278096180208de

SHA256
6113bd5364af85fd4251e6fa416a190a7636ac300618af74876200f21249e58a

SHA512
d84a94673a8aa84f35efb1242e20775f6e099f860a8f1fe53ba8d3aebffd842499c7ac4d0088a4cded14bd45dad8534d824c5282668ca4a151ac28617334a823

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
10KB

MD5
73f1c0c9d4555874847725f4a9e7cf30

SHA1
74ee178ad820452a866eabe465679b3064c8ed25

SHA256
1c17ce943f504c3ec816d2c2e4aea09a9dd22d3552b70d229decb351e0ea984c

SHA512
a6ba3d205c54f22892a426ac370bdb26c4f745953a3c3b3baceb05ccf4ef8af5319667d28a19185ac0c30484c29484f162ab0628314d84254018a2b38358b724

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS\Network\4324e316-551d-4208-90c2-f020fe54d3b4.tmp

Filesize
500B

MD5
44684e3827347a49beb2d8a98e84f9bc

SHA1
b80e247c9fba23a147bf473d36fadca22229381c

SHA256
29c16025d52a2c087f4424b7b14e03088545f40fff4feb2ccf60a55146f7bd90

SHA512
20b0f179f87fb5cf74f76d6da2e345792b07405ae6f12f82b497f57e53b685244dfc56dfd9ae9b24de1484e11a51f7857c664ff3da97f55297f0b596d7bb2df7

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\Network Persistent State

Filesize
300B

MD5
8b421e9400a5f2ef2f8beecc0ce190f3

SHA1
d6b99f92037d673ef91acbc7b40d26dd80797f4d

SHA256
1b631b538a6f59808a87766cd69537dfaea372f24a126d4d7b63e17e1fbc1fd5

SHA512
d813f5f429c7e82cc37bcee1ea89cde56039ab64084ae5339da21d09ef551685fd7ac2f2354568cadaa9fbd4187e21bfa08da962e6b2950de9638056e61d7d98

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.29.2\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.29.2\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.29.2\Network\Network Persistent State

Filesize
300B

MD5
ad45433f4867b8a63f8b6666956e182f

SHA1
4b2262a509b29b331ae2f442e85d7792cc984e8a

SHA256
eda87003bec9b8ed1dc698e21e8ef731fa090b820bb782b88d28f6b66855bf6a

SHA512
811eff6daf309b51ae247897d924ff1970fd40e1382f59e1ce849e623196807cc02f80607b28578c0fa04c8e4b7eb7a1401e36aa0aece83a20859af072361251

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.29.2\d55b572d-48ce-42cd-953e-a0cc4dee8f01.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Network\57b6a6ac-90aa-4578-bfa4-530f91e28e39.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.15.1\Network\Network Persistent State

Filesize
500B

MD5
739f494477d74d624e6b5b279596f07f

SHA1
cc61e9030c47b1d968096bf1b4ac2c0145505176

SHA256
b0302ce7ddb8bc65a51e0f47b3266510606f35478372a9b969d546a6faadcd69

SHA512
a8d2b6404b9006192b622d629863aec91f8c4f84669e4ecdbcd02864068ceebb744faed9de50e77e9037a0c2286858efe55e0e569fdc0da4de014811a67b89e4

Download Submit
C:\Users\Admin\Downloads\CheatEngine75.exe

Filesize
28.5MB

MD5
0fa34a970c3defa54dbc6b725e03b83d

SHA1
44fa4a2d4d3fc9259fb03324eb390def62ff786a

SHA256
93bc218fa7956dc4eb8d19f7fe8c8ebb2e0b60f06ff221bbab6e62b56fc94f6a

SHA512
2ec36599bae79365cfb02edc475ca416b4cd85c9cf349b0cc548e145a10fb22b2fae5ce504e76725e6832028cda3fd6b2bec4adfb7dbf49738e952651a5b7e90

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_330B78668586CC1C5060B7886AA9A046

Filesize
1KB

MD5
9c6ad0f9e90f44ba41e57677b4c1137d

SHA1
76f22f98439931f872a98f9d70dcf234143fd99c

SHA256
0b9bdf2c10c4510f315f0b496e5877ca236b4940e2881e2765274f474e43525a

SHA512
3658eab948b3af982b3e0dbefea31934df6535c2d9535bbe6c7185f2e17decd284c86e19a2695bdb64423daf09a5d7b920b5f8acdf7bf809464d356ec25a9256

Download Submit
\Users\Admin\AppData\Local\Temp\is-KQIVL.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
\Users\Admin\AppData\Local\Temp\nspA86C.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/240-1553-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/1424-375-0x000001B232CB0000-0x000001B2331D6000-memory.dmp

Filesize
5.1MB

Download
memory/1424-374-0x000001B218260000-0x000001B218268000-memory.dmp

Filesize
32KB

Download
memory/2304-338-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3036-350-0x0000000004B50000-0x0000000004C90000-memory.dmp

Filesize
1.2MB

Download
memory/3036-357-0x0000000004B50000-0x0000000004C90000-memory.dmp

Filesize
1.2MB

Download
memory/3036-346-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3036-343-0x0000000004B50000-0x0000000004C90000-memory.dmp

Filesize
1.2MB

Download
memory/3036-358-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3036-335-0x0000000004B50000-0x0000000004C90000-memory.dmp

Filesize
1.2MB

Download
memory/3036-499-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3036-362-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3036-1558-0x0000000004B50000-0x0000000004C90000-memory.dmp

Filesize
1.2MB

Download
memory/3036-1629-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3160-4855-0x00000219F0830000-0x00000219F0868000-memory.dmp

Filesize
224KB

Download
memory/3160-4863-0x00000219F08B0000-0x00000219F08E0000-memory.dmp

Filesize
192KB

Download
memory/3160-4113-0x00000219EDC60000-0x00000219EDCA4000-memory.dmp

Filesize
272KB

Download
memory/3160-4916-0x00000219F0910000-0x00000219F093A000-memory.dmp

Filesize
168KB

Download
memory/3160-4936-0x00000219F09F0000-0x00000219F0A1E000-memory.dmp

Filesize
184KB

Download
memory/3160-4431-0x00000219F07E0000-0x00000219F0828000-memory.dmp

Filesize
288KB

Download
memory/3200-265-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3200-336-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3200-268-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3236-3919-0x000001BB62480000-0x000001BB62614000-memory.dmp

Filesize
1.6MB

Download
memory/3236-3917-0x000001BB47CE0000-0x000001BB47D08000-memory.dmp

Filesize
160KB

Download
memory/3236-3921-0x000001BB47CE0000-0x000001BB47D08000-memory.dmp

Filesize
160KB

Download
memory/4088-3705-0x000001E887620000-0x000001E887632000-memory.dmp

Filesize
72KB

Download
memory/4088-3691-0x000001E885940000-0x000001E88596E000-memory.dmp

Filesize
184KB

Download
memory/4088-3692-0x000001E885940000-0x000001E88596E000-memory.dmp

Filesize
184KB

Download
memory/4088-3706-0x000001E887680000-0x000001E8876BE000-memory.dmp

Filesize
248KB

Download
memory/4120-442-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4120-1554-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4668-486-0x000002A64E6A0000-0x000002A64E6CA000-memory.dmp

Filesize
168KB

Download
memory/4668-3634-0x000002A64EBC0000-0x000002A64EBF0000-memory.dmp

Filesize
192KB

Download
memory/4668-2008-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-2010-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-495-0x000002A64E820000-0x000002A64E878000-memory.dmp

Filesize
352KB

Download
memory/4668-478-0x000002A635CF0000-0x000002A635D20000-memory.dmp

Filesize
192KB

Download
memory/4668-2006-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-2004-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-476-0x000002A635D30000-0x000002A635D70000-memory.dmp

Filesize
256KB

Download
memory/4668-2002-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-473-0x000002A633FC0000-0x000002A634048000-memory.dmp

Filesize
544KB

Download
memory/4668-2001-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-3623-0x000002A64EBF0000-0x000002A64EC2A000-memory.dmp

Filesize
232KB

Download
memory/4668-2018-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-484-0x000002A635E70000-0x000002A635EAA000-memory.dmp

Filesize
232KB

Download
memory/4668-2000-0x000002A64EB50000-0x000002A64EBA6000-memory.dmp

Filesize
344KB

Download
memory/4668-2012-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-3651-0x000002A64EC70000-0x000002A64EC9A000-memory.dmp

Filesize
168KB

Download
memory/4668-3664-0x000002A64ED90000-0x000002A64EDBE000-memory.dmp

Filesize
184KB

Download
memory/4668-2016-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-2028-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-2026-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-2020-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-2024-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-2014-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4668-2022-0x000002A64EB50000-0x000002A64EBA3000-memory.dmp

Filesize
332KB

Download
memory/4940-337-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4940-285-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5216-4964-0x0000022080380000-0x00000220803AC000-memory.dmp

Filesize
176KB

Download
memory/5216-4965-0x000002209A4B0000-0x000002209A50C000-memory.dmp

Filesize
368KB

Download
memory/5216-4959-0x00000220FFD40000-0x00000220FFD66000-memory.dmp

Filesize
152KB

Download
memory/5372-4960-0x000002860D6A0000-0x000002860D6D8000-memory.dmp

Filesize
224KB

Download
memory/5372-4963-0x000002860F400000-0x000002860F454000-memory.dmp

Filesize
336KB

Download
memory/6228-3729-0x0000026165F80000-0x00000261662E4000-memory.dmp

Filesize
3.4MB

Download
memory/6228-3732-0x0000026165620000-0x0000026165642000-memory.dmp

Filesize
136KB

Download
memory/6228-3728-0x0000026165A50000-0x0000026165F7A000-memory.dmp

Filesize
5.2MB

Download
memory/6228-3730-0x00000261657F0000-0x000002616596A000-memory.dmp

Filesize
1.5MB

Download
memory/6228-3731-0x000002614CCD0000-0x000002614CCEA000-memory.dmp

Filesize
104KB

Download
memory/7132-4094-0x000001ECEA3C0000-0x000001ECEA3CA000-memory.dmp

Filesize
40KB

Download
memory/7132-3952-0x000001ECE9BC0000-0x000001ECE9EB0000-memory.dmp

Filesize
2.9MB

Download
memory/7132-4084-0x000001ECE9A60000-0x000001ECE9ABE000-memory.dmp

Filesize
376KB

Download
memory/7132-4100-0x000001ECEA450000-0x000001ECEA4A0000-memory.dmp

Filesize
320KB

Download
memory/7132-4087-0x000001ECE9AF0000-0x000001ECE9AFA000-memory.dmp

Filesize
40KB

Download
memory/7132-4114-0x000001ECEA640000-0x000001ECEA662000-memory.dmp

Filesize
136KB

Download
memory/7132-4086-0x000001ECE9B80000-0x000001ECE9B96000-memory.dmp

Filesize
88KB

Download
memory/7132-3954-0x000001ECE9680000-0x000001ECE96B8000-memory.dmp

Filesize
224KB

Download
memory/7132-4140-0x000001ECEB9C0000-0x000001ECEB9C8000-memory.dmp

Filesize
32KB

Download
memory/7132-4093-0x000001ECEA3B0000-0x000001ECEA3B8000-memory.dmp

Filesize
32KB

Download
memory/7132-3953-0x000001ECE9610000-0x000001ECE963E000-memory.dmp

Filesize
184KB

Download
memory/7368-3785-0x0000022228290000-0x00000222284EE000-memory.dmp

Filesize
2.4MB

Download
memory/7368-3748-0x0000022227C80000-0x0000022228286000-memory.dmp

Filesize
6.0MB

Download
memory/7368-3734-0x000002220CFE0000-0x000002220D03C000-memory.dmp

Filesize
368KB

Download
memory/7368-3747-0x0000022227430000-0x0000022227462000-memory.dmp

Filesize
200KB

Download
memory/7368-3737-0x000002220CFE0000-0x000002220D03C000-memory.dmp

Filesize
368KB

Download
memory/7368-3736-0x0000022227490000-0x00000222274EA000-memory.dmp

Filesize
360KB

Download
memory/7368-3735-0x000002220ED10000-0x000002220ED38000-memory.dmp

Filesize
160KB

Download
memory/7956-4092-0x0000029E74950000-0x0000029E749B6000-memory.dmp

Filesize
408KB

Download
memory/7956-3793-0x0000029E72E70000-0x0000029E72EA0000-memory.dmp

Filesize
192KB

Download
memory/7956-3794-0x0000029E72F30000-0x0000029E72F68000-memory.dmp

Filesize
224KB

Download
memory/7956-3795-0x0000029E72EA0000-0x0000029E72EC4000-memory.dmp

Filesize
144KB

Download
memory/7956-3916-0x0000029E73CA0000-0x0000029E73F44000-memory.dmp

Filesize
2.6MB

Download
memory/7956-3918-0x0000029E72F70000-0x0000029E72F98000-memory.dmp

Filesize
160KB

Download
memory/7956-3920-0x0000029E739F0000-0x0000029E73A4C000-memory.dmp

Filesize
368KB

Download
memory/7956-3934-0x0000029E73A50000-0x0000029E73AD6000-memory.dmp

Filesize
536KB

Download
memory/7956-3935-0x0000029E72FA0000-0x0000029E72FD2000-memory.dmp

Filesize
200KB

Download
memory/7956-3949-0x0000029E72FE0000-0x0000029E7300A000-memory.dmp

Filesize
168KB

Download
memory/7956-3950-0x0000029E73010000-0x0000029E73036000-memory.dmp

Filesize
152KB

Download
memory/7956-3951-0x0000029E73B10000-0x0000029E73B3C000-memory.dmp

Filesize
176KB

Download
memory/7956-3977-0x0000029E73B70000-0x0000029E73B9E000-memory.dmp

Filesize
184KB

Download
memory/7956-3984-0x0000029E73C00000-0x0000029E73C5E000-memory.dmp

Filesize
376KB

Download
memory/7956-3986-0x0000029E74410000-0x0000029E74775000-memory.dmp

Filesize
3.4MB

Download
memory/7956-3987-0x0000029E73BA0000-0x0000029E73BEF000-memory.dmp

Filesize
316KB

Download
memory/7956-3988-0x0000029E74A10000-0x0000029E74C9C000-memory.dmp

Filesize
2.5MB

Download
memory/7956-3991-0x0000029E747F0000-0x0000029E74854000-memory.dmp

Filesize
400KB

Download
memory/7956-4083-0x0000029E74780000-0x0000029E747BA000-memory.dmp

Filesize
232KB

Download
memory/7956-4085-0x0000029E73B40000-0x0000029E73B65000-memory.dmp

Filesize
148KB

Download
memory/7956-4089-0x0000029E748A0000-0x0000029E748D4000-memory.dmp

Filesize
208KB

Download
memory/7956-4120-0x0000029E749C0000-0x0000029E74A02000-memory.dmp

Filesize
264KB

Download
memory/7956-4928-0x0000029E785A0000-0x0000029E786AA000-memory.dmp

Filesize
1.0MB

Download
memory/7956-4875-0x0000029E76A50000-0x0000029E76B52000-memory.dmp

Filesize
1.0MB

Download
memory/7956-4115-0x0000029E75D90000-0x0000029E7628E000-memory.dmp

Filesize
5.0MB

Download
memory/7956-4702-0x0000029E766C0000-0x0000029E7670E000-memory.dmp

Filesize
312KB

Download
memory/7956-4425-0x0000029E75D40000-0x0000029E75D6C000-memory.dmp

Filesize
176KB

Download
memory/7956-4405-0x0000029E75D10000-0x0000029E75D38000-memory.dmp

Filesize
160KB

Download
memory/7956-4347-0x0000029E76610000-0x0000029E76664000-memory.dmp

Filesize
336KB

Download
memory/7956-4222-0x0000029E75CD0000-0x0000029E75D02000-memory.dmp

Filesize
200KB

Download
memory/7956-4221-0x0000029E76790000-0x0000029E76906000-memory.dmp

Filesize
1.5MB

Download
memory/7956-4210-0x0000029E76590000-0x0000029E76604000-memory.dmp

Filesize
464KB

Download
memory/7956-4206-0x0000029E76510000-0x0000029E76590000-memory.dmp

Filesize
512KB

Download
memory/7956-4190-0x0000029E75C60000-0x0000029E75CC8000-memory.dmp

Filesize
416KB

Download
memory/7956-4189-0x0000029E75BC0000-0x0000029E75BEC000-memory.dmp

Filesize
176KB

Download
memory/7956-4182-0x0000029E747E0000-0x0000029E747E8000-memory.dmp

Filesize
32KB

Download
memory/7956-4181-0x0000029E75AF0000-0x0000029E75B18000-memory.dmp

Filesize
160KB

Download
memory/7956-4174-0x0000029E75AC0000-0x0000029E75AE6000-memory.dmp

Filesize
152KB

Download
memory/7956-4173-0x0000029E747C0000-0x0000029E747C8000-memory.dmp

Filesize
32KB

Download
memory/7956-4172-0x0000029E748E0000-0x0000029E74910000-memory.dmp

Filesize
192KB

Download
memory/7956-4128-0x0000029E76290000-0x0000029E76510000-memory.dmp

Filesize
2.5MB

Download