Malware Analysis Report

2024-10-18 22:05

Sample ID 240616-1qf1wazcnc
Target b560f2513d6e0e4228616bc91e664351_JaffaCakes118
SHA256 0d50bc931f04f543272690f3ad41312ed0bf4cd7dcb1ebb0fa48e3629a97b484
Tags
bootkit discovery persistence upx
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Threat Level: Likely malicious

The file b560f2513d6e0e4228616bc91e664351_JaffaCakes118 was found to be: Likely malicious.

How to read this verdict: the sample is an Inno Setup installer (the is-1LLDH.tmp / is-1TCDP.tmp loader, the /SL5= command line, and the _isetup\_shfoldr.dll and _isetup\_isdecmp.dll helpers are Inno Setup's standard unpacking chain). On Windows 10 it extracts and runs install1078565.exe, which writes a Rising (RSD/RAV) component tree under C:\Program Files (x86)\Rising\RSD, registers RSDTRAY in the WOW6432Node Run key, requests SeDebugPrivilege, and opens \??\PhysicalDrive0 for modification. That raw-disk handle is what raises the "Writes to the Master Boot Record (MBR)" signature and the bootkit/persistence tags; the report records the handle, not a confirmed change to sector 0, so the boot sector should be compared against a clean baseline before the sample is treated as a bootkit. The signatures attributed to msedge.exe (FindShellTrayWindow, SendNotifyMessage, BIOS registry queries) come from a browser the installer launched (PID 3220 wrote into PID 1852) and are ordinary browser behaviour, not behaviour of the sample itself. Recorded network activity is limited to DNS queries for int.dpool.sina.com.cn and pv.sohu.com through 8.8.8.8; no other traffic is listed. The Windows 7 run only shows the loader stage (the .tmp, the two _isetup helpers and CommonDll.dll); install1078565.exe does not appear there.

Malicious Activity Summary

bootkit discovery persistence upx

Downloads MZ/PE file

UPX packed file

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 21:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 21:51

Reported

2024-06-16 21:53

Platform

win7-20240508-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1LLDH.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-1LLDH.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1LLDH.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp" /SL5="$4010A,213638,73216,C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 int.dpool.sina.com.cn udp
US 8.8.8.8:53 pv.sohu.com udp

Files

memory/1576-0-0x0000000000400000-0x0000000000419000-memory.dmp

memory/1576-2-0x0000000000401000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-1LLDH.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp

MD5 2b09adc70955ec218148f31cc1eec881
SHA1 24c3e753024a214add140dcad3c36fca713cbf56
SHA256 edb4a838aadcf5e596ca0d10cf401eb049028c19691f74240b713ca8d6a4bc1a
SHA512 a53109a31140387af1d214e665c6d19df7b90fa6ba78ae549cd61ec36a06e497172d967a7b816b19d371dd6d8b9c18454aa1ab3c31a4df875cb1448f0da3af82

\Users\Admin\AppData\Local\Temp\is-I4I9L.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/836-14-0x0000000000400000-0x00000000004C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-I4I9L.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-I4I9L.tmp\CommonDll.dll

MD5 3e5947c9ab62f5bf81efd6a17ac0811c
SHA1 c959a3d2fec987b851ecc0025efcac1c9df2cae6
SHA256 78ec700152441266670d7062f12ba99da4933e1134d1e748d74df198f3a427fe
SHA512 bc7e631a16dc5bae5b25b431affab9f8fa7d341e8b2a734e67ffd58939d7e2eb97115f99128367bf841d73c2f9ae8cddf32c37f60fcc94bdd852eef8794a604f

memory/1576-23-0x0000000000400000-0x0000000000419000-memory.dmp

memory/836-24-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/836-27-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1576-29-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 21:51

Reported

2024-06-16 21:53

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp N/A 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A 26
N/A N/A C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe N/A 3
N/A N/A C:\Program Files (x86)\Rising\RSD\popwndexe.exe N/A 2

UPX packed file

upx
Description Indicator Process Target Events
N/A N/A N/A N/A 11

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RSDTRAY = "\"C:\\Program Files (x86)\\Rising\\RSD\\popwndexe.exe\"" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
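The indicator above is a handle to \??\PhysicalDrive0 opened with write access, which is what this signature keys on; it does not tell you whether sector 0 was actually rewritten. The check a responder wants is to read the first 512 bytes of the disk before and after detonation (live from \\.\PhysicalDrive0 in an elevated prompt, or from a raw detonation image) and diff the boot code and partition table. The following is an added example written for this page, not code from the report or from Rising; the function names, the constructed sample sector and the 512-byte classic-MBR layout it assumes are the author's, and it does not handle GPT protective MBRs specially beyond showing the 0xEE entry as a partition.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # classic MBR: code/data up to the 4-byte disk signature at 0x1B8
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the 2-byte reserved field
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Decode a 512-byte sector 0: boot-code hash, disk signature, non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Findings (empty list means unchanged) comparing a clean baseline sector 0 with the current one."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("0x55AA boot signature missing: sector 0 is no longer a valid MBR")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        changed = [i for i in range(BOOT_CODE_LEN) if baseline[i] != current[i]]
        findings.append(f"boot code modified: {len(changed)} byte(s), first at offset {changed[0]:#06x}")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def read_sector0(path=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0. The raw-disk path needs an elevated prompt on Windows; for a detonation
    VM pass a raw disk image file instead (container formats such as VMDK/VHD are not parsed)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def make_sample_mbr() -> bytes:
    """Constructed test sector (not taken from the sample): a tiny 16-bit stub, a disk
    signature, and one active NTFS (0x07) partition at LBA 2048 with 204800 sectors."""
    stub = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xeb\xfe"  # cli; xor ax,ax; mov ss,ax; mov sp,7C00h; jmp $
    sector = bytearray(SECTOR_SIZE)
    sector[:len(stub)] = stub
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    clean = make_sample_mbr()
    tampered = bytearray(clean)
    tampered[0x10:0x14] = b"\xe9\x00\x02\x90"   # simulate a patched jump planted in the boot code
    for line in diff_mbr(clean, bytes(tampered)):
        print(line)
```

On a real case, capture the baseline with read_sector0() from the clean VM snapshot and the current sector from the post-detonation image, then run diff_mbr on the two; an empty result means the write-capable handle did not translate into a boot-sector change, which is the usual outcome for installers that open the disk to read serial or geometry information.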

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\update.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSDK\dfw.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\update.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\RsAppMgr.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\popwndexe.exe C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVMON\mond.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\rsdk.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\rslang.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\updater.exe C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\comx3.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\updater.exe C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\comx3.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\rsdinfo.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\rsmginfo.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\_RAV\_RAV.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\rslang.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RAV\NetConfig.ini C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\RsTest.ini C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\setup.dat C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\RSD1252\Eng.lag C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mond C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\rslang.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\syslay.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\rsdk.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\setup.dat C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File created C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
File opened for modification C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
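To turn the Run value above and the dropped-file hashes from the Windows 7 run into a host check, the matching logic should be separated from the collection so it can be exercised on captured data. The following is an added example written for this page, not a tool from the report or from Rising; it takes the RSDTRAY Run value and the four SHA256 values from the behavioral1 Files section as its indicator set, and the function names, the directory it walks and the constructed inputs are the author's assumptions.

```python
import hashlib
import os
import sys

# Indicators taken from this report: SHA256 of the files dropped in the Windows 7 run
# (behavioral1) and the Run value written in the Windows 10 run (behavioral2).
REPORT_SHA256 = {
    "edb4a838aadcf5e596ca0d10cf401eb049028c19691f74240b713ca8d6a4bc1a": "b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp",
    "9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87": r"_isetup\_shfoldr.dll",
    "e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64": r"_isetup\_isdecmp.dll",
    "78ec700152441266670d7062f12ba99da4933e1134d1e748d74df198f3a427fe": "CommonDll.dll",
}
RUN_KEY = r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "RSDTRAY"
RUN_VALUE_IMAGE = r"C:\Program Files (x86)\Rising\RSD\popwndexe.exe"
DROP_DIR = r"C:\Program Files (x86)\Rising\RSD"   # assumed install root, from the file drops above


def normalize_image(value: str) -> str:
    """Strip the surrounding quotes the Run value carries and fold case, so the registry
    form "\"C:\\...\\popwndexe.exe\"" compares equal to the bare path."""
    return value.strip().strip('"').lower()


def check_run_values(run_values: dict) -> list:
    """run_values: {value name: value data} read from the Run key. Matches on either the
    value name or the launched image, so a renamed value still hits."""
    hits = []
    for name, data in run_values.items():
        if name.upper() == RUN_VALUE_NAME or normalize_image(data) == RUN_VALUE_IMAGE.lower():
            hits.append(f"Run value {name} = {data}")
    return hits


def check_hashes(file_hashes: dict) -> list:
    """file_hashes: {path: sha256 hex}. Returns the files whose hash matches a dropped file."""
    hits = []
    for path, digest in file_hashes.items():
        label = REPORT_SHA256.get(digest.lower())
        if label:
            hits.append(f"{path} matches dropped file {label}")
    return hits


def sha256_chunks(chunks) -> str:
    h = hashlib.sha256()
    for block in chunks:
        h.update(block)
    return h.hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    with open(path, "rb") as f:
        return sha256_chunks(iter(lambda: f.read(chunk), b""))


def run_checks(run_values: dict, file_hashes: dict) -> list:
    """Pure matching step; collection is separate so this can run on exported data."""
    return check_run_values(run_values) + check_hashes(file_hashes)


def collect_windows_state(drop_dir: str = DROP_DIR):
    """Live collection, Windows only: enumerate the WOW6432Node Run key and hash every
    file under the install root. Returns ({name: data}, {path: sha256})."""
    if sys.platform != "win32":
        return {}, {}
    import winreg
    run_values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                run_values[name] = str(data)
                i += 1
    except OSError:
        pass
    file_hashes = {}
    for root, _, files in os.walk(drop_dir):
        for fn in files:
            p = os.path.join(root, fn)
            try:
                file_hashes[p] = sha256_file(p)
            except OSError:
                pass
    return run_values, file_hashes


if __name__ == "__main__":
    hits = run_checks(*collect_windows_state())
    print("\n".join(hits) if hits else "no indicators from this report found")
```

Weigh the hits: the .tmp loader and the two _isetup helpers are stock Inno Setup components, so their hashes will also match unrelated installers built with the same Inno Setup version; the RSDTRAY value, the popwndexe.exe image path and CommonDll.dll are the indicators specific to this package.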

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\Title = "ZYRUzFjKl8K88N/Dl5mk2tOPzA==" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\ravmonexe = "ZYRUzFjKLVMaWgAfOxwJTwoW" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\monShowName = "ZYRUzFjKDVMaFzwULUQFVApr" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\rstrayexe = "ZYRUzFjKLUEYRQ4IcVcUUno=" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828} C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C} C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}\ProcID = "{CF4A3D2C-5352-123C-3030-303133067200}" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw\ProcInfo = "1718574716" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\RAV = "ZYRUzFjKDXM63g==" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\InstallPath = "ZYRUzFjKemI-eCgjHn8ofj1UA2AFRAYfOG4-djk/" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\regtray = "ZYRUzFjKDVMaYz0wBls=" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99} C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw\ProcKind = "5" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw\ProcDll = "1750197116" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\ProcKey = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}\monServerName = "ZYRUzFjKDUE-Vhk8MFx0" C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Events
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 25

Suspicious use of SendNotifyMessage

Description Indicator Process Target Events
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 24

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4148 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp
PID 4148 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp
PID 4148 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp
PID 3220 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe
PID 3220 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe
PID 3220 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe
PID 3220 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3220 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 5084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 3444 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 3668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1852 wrote to memory of 2892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp" /SL5="$E0064,213638,73216,C:\Users\Admin\AppData\Local\Temp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe

"C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://121.43.19.176/YjU2MGYyNTEzZDZlMGU0MjI4NjE2YmM5MWU2NjQzNTFfSmFmZmFDYWtlczExOC5leGU=/40.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe103746f8,0x7ffe10374708,0x7ffe10374718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe

"C:\Program Files (x86)\Rising\RSD\RsMgrSvc.exe"

C:\Program Files (x86)\Rising\RSD\popwndexe.exe

"C:\Program Files (x86)\Rising\RSD\popwndexe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,439741856035469458,6456086071696223192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\is-1TCDP.tmp\b560f2513d6e0e4228616bc91e664351_JaffaCakes118.tmp

C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\_isetup\_isdecmp.dll

C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\CommonDll.dll

C:\Users\Admin\AppData\Local\Temp\is-S2OSC.tmp\install1078565.exe

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\Auto.ini

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\CompsVer.inf

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\RSD1252\Eng.lag

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\rslang.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\RsAppMgr.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\CfgDll.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\license\12345678.000.bak

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravbase\RavSetup.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\syslay.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\comx3.dll

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_1852_DNMJSZENOTLTWENL

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\rscomm\Proccomm.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\install1078565.exe.log

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\install1078565.exe.log

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravmaindui\rsmain.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravconfig\mergexml.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\monbasedui\rssrv.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\hookbase\hookbase.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravdefdb\mondef.dll

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\os.xml

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\updater.exe

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\RsStub.exe

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\RsMgrSvc.exe

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\RsBackup.exe

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\setup.dat

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\update.xml

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\RSD950\CHT.lag

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\localopt.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\RstoreDll.dll

C:\Program Files (x86)\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ui\snin.htm

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\rsdk.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\rsmginfo.dll

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\popwndexe.exe

MD5 9fc8d62cd7e5c9db50b515c26b968e00
SHA1 db51599827dcaaededa2fb4cf16b7853f30f5f84
SHA256 3b2ac4bf98d9812a969aaaa02ff292105ed81c8794ffd84788ba9acc1808d989
SHA512 244ccb61af416b03d9e383a98dd0da2f8ae428a0497af6b9a90dd2da223c710546b8df59236bb17d8ad06343331f2331f4f3d2b359243cd493d00a21b98c4847

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\RSD932\Jpn.lag

MD5 b6c7bbabb02975ad2b4578bfd0cbc890
SHA1 a158b2cc22adc0b094db743eb4780fa38457f5bb
SHA256 30fda5e177f480c551166c0bc00ff3ee78bdf41f136040f8864bf714b1651f0b
SHA512 967cf79bac9632b296dc2a1579a18629efafdd311ed1cf088afeca97d14987435781c921a3041410e785efd709bf869ab39afdd86e0c8b832e27110095ee4037

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\RSD936\CHS.lag

MD5 ff0385e51b16cba3a028e33c70334100
SHA1 29ebea732d7f0645f07d2acb5b50b58089235b37
SHA256 1b42e46c71ba5c3237d3c430fe6e32940d535e0efb71fb287f2c473698cf7f0c
SHA512 b21981b3f4871c954aae1edc352de9a67ba9d054974e43fd906750db36c5596dd69fb39dbf8ab29c75cc94115d8c9befbeabab6e2c7403a00bffdd4e9db2468f

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\rsdinfo.dll

MD5 72aec55622cac794f6525a6f9411ed3f
SHA1 e7319b75f55acf2cee7edb6f0d27eee27789f6e8
SHA256 3318bed0d41e7b39f1308ce1f5a41f52d9ff2cbda0fdeabe5c1f3aa6f29692f4
SHA512 cf98f6876873a17a0b3436e8557b2dc683d8ec85ed4bcfaa7a9295d2ea7d1c1e09d092adefbd331434347db4e02581edf51cd11f87e42860c9fbc1be7e71d4df

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\protreg.sys

MD5 1a16b46fae0e4443927fabc89432f708
SHA1 0a317b000627d149e221f2cce7c21b3acb2d33f1
SHA256 5d2bdd64e335a9d1f4ef15aaa00d7ab342331a4674425d3d32ecdf5995e4962a
SHA512 0fa86d1fe95dfc5efad5682fca5d729049334bafa32660fbd2b3ee6b9edf31572b20c2f434180c67a9ecf5b1505e7d738edce873972c0e3ef56b09c6bea59a35

memory/3364-758-0x0000000000C60000-0x0000000000C79000-memory.dmp

C:\Program Files (x86)\Rising\RSD\RsMgrSvc.ini

MD5 5bbe56a9322ce34371945380a3bae9a0
SHA1 881f54234e34bdd08e987fb1628d6fe17afeea0b
SHA256 0a19332fa5041f4999b51f4a46bbffb5d07f09b920cb837e3c78b595ff5ce20f
SHA512 847b043bb4748c2e5317138f7216d7a3cbe7ddb01ea2f81cbfa575b606936a6e069d911141686e08f770e40db0f9388f38f8472b51901d1e1cbf562114df27a5

C:\Program Files (x86)\Rising\RSD\data\RAV\RAV.ini

MD5 059d3164b4e40d70566b8ceee9091010
SHA1 7057ff71132433d86f964f0a043f818a1d7b230e
SHA256 3d72550ed3ef9e4273035417ffba85fed8527e027c59a48042d5ed9ff872ad0e
SHA512 5ee224ec5446bdee96d3fc86f68f3a484c62c52f401f79fb03fcc3dbebe9863ede4f2449a1eeb90a7ef866bf07c0c4d6b9c259a40e995f5b5f5cae147f52112b

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\rsmondef\rsmondef.xml

MD5 1507e6f9e24cbce29bbfc3912d07cba1
SHA1 88f0290317ae913b91f45b6ee51eed3f8297ac3e
SHA256 f923c8846605151699ec2c86936dbdfa1e80132470ae5e018d39c13d49945499
SHA512 12a8ae807b76844eee006021caa17acaf28be2316bddc9a9964801381e5966b9b5fcd30228933183d7590e30e22443f84d11e9109dca463bad568e8eec57bedd

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll

MD5 da73284eed74d2a443c08559e3ed6e0e
SHA1 2d4e8231f78ed6f16b6245fcd7538fd8abbeb7d1
SHA256 f1594c01c71b00a8e0776d8c81125e533caf36bc4dee28a5d2ea1ce2b169b22b
SHA512 864da859aee385fa23aa67167d611a0d63412b1bf0d0cca4ff6a1233256ddb3f1341cdcecd97c9538f18f2c6b701dff9fbbdd38b918a38db9faf95f7b26c1eda

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat

MD5 d52d2a728c417b2d97931f6b5805d1e1
SHA1 45781f9ab4981631675065e4abda10bfbdd8d735
SHA256 058c7e7883ff0d0e50800185a34254b02318c22163d0b9ab662ac0a536399334
SHA512 3c6a18292478b2868d2d138dbb7a47cf70952695205272eaf4a0d9c121265323d13d67094508d55bb83993268dbbdc2080a839f3df16955f19324c7ff38324ce

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll

MD5 dad3c0290a40f4efdab971fc0d316e35
SHA1 013bc3e5903143b7b87a30484682f31a1925c8ec
SHA256 28baa3b7d66b340486582fdd20ea9129e33a54a7bde242f6ed883431480ad6a8
SHA512 f982bd117832fcfc23f789492bb4135844c85f54a4104a1d0b67ba04e436599a24ad26518101980ae95005f76df5fe23d107bee5fc37ef7c317544ed6134f793

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll

MD5 4fd2a695c22336cf6f802d697d0f6f6c
SHA1 4cc5524e33bf46fee8b01f2a49a657956d0e54db
SHA256 88880f4d4e330102dac831dee0af37ac6b7aa3867726e3b267cf54fa7f3f9f73
SHA512 132924e1f84a9f0b9117884ec9935f5f426e786b604a55a2f466a5854815a82bfc9bf6cd38e0d4046972785f98da1a788459e8f6e40848cc772b786c3ba8513a

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond

MD5 d13955c2242cf65aca4e3b4c177a5a05
SHA1 c8b061a344a65b45856b3f2884f6011d68c4db7c
SHA256 bb5a8a973f533107dfa1827b4b11822c7199dd10372a6c1f59d77fba1ed0da9d
SHA512 800810d8af5294bfd2fd737261e302e694e224a38c0fc32d0e3ff6fee5c380017df82f47587ed7e18a7c36559ec9edf2cbd71dbe9ce5a3999113df69fdc70e87

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond

MD5 0bec28a31b68d6e9dfb9b4f5d05c3584
SHA1 b3be6b897ce59037cc240ed7005c16df1f594f05
SHA256 7518e49b61621e66be434f1033f5309bfb781b86ed19392d959950c4c3045a3c
SHA512 b2e0f143dd17f70c12e1864eb62c55759843c49b78326ef983c9345864fb3bc1bce7890b12f926a61ae4dd04fbb924ebbf2f8514fb5c53a490df11cf781347bb

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll

MD5 21e45757451e136934cd235b8bcfb27d
SHA1 e7045f23f7d39760e3f0efc7565eabd33c33589b
SHA256 44eb17e748bc6ae1d5bd2b6f32871f95338d397091dcafe7068c959b3c27066f
SHA512 639d4530bade7eba33ff3e7f37f04aeed468421ac63f14c7f70c81b79453fd9bedb7feb023bf9ab2337bc399abe3346041e6cecfffb69978edfcbf785288f8cb

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll

MD5 3f46d49ad83708726ab33da67a08cea2
SHA1 caa155299ebcefd38d51a514c73f4c2f3d2f4d8d
SHA256 295eaa0452d86e4738bcef8c595691f7ac52ac66a00fdc94fe27029385d3a4b4
SHA512 3ae12d9d6f0f30eace326c47788e6cb440d4d93918578a1beb14e76335296d707461eb316a64ee2ddd7891902203d2f8644fc4acb598b644ea57adf3123de6bf

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll

MD5 9f58e7b916defbd2f20633bb5e120def
SHA1 69468d33bb63077b23ebcbc27e5deb78eb41024d
SHA256 156b34b31b428e4fe23ed7c9dfa573ca8f658a9637cb0e494b23d32051ea4793
SHA512 82c2a1afa4cc9c674d0453c4edfe50d8067f6700c0ed59649a6be9581b555fe4a55d11f2d4019fb328046375103231b7898c165209eef0df6af46a7eb23f3336

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml

MD5 cd5f6738b635c1d43ade5c2b4370e346
SHA1 e8c83dd84396cf31cd84cae993ebf3bdeea45d19
SHA256 c4d857ccab4ad072a8eda35aef847e65ecd9f2aa6dd53ae847669758065d577a
SHA512 9a40693bd02ebdc3ce46a8491705a79bd3c6696fbd2a4fb82e9f3ca13117eef8fdd7a72e51ea0d8b484d0f53beabdcc08e96d9cee567c2ae4f55d85049d242a2

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat

MD5 4c2795e1d361ac37200617f44883418d
SHA1 42d1f7ee694c5a5d8d0291046b4a129774db34da
SHA256 a8c038669851342d6787d892eb1bf84d8cc975da72adaa6f8c373aee89d657cf
SHA512 825621362674388fb2928515837549c0050468e4cb710cef9113d069dfd16324cccefeb48c8652c6211206fcd8dc72029ede74ef84f7c9b2b3ce1d42ff2ceb8c

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat

MD5 348cdceb2d7a9d7f4c58de7a62d21123
SHA1 a188921c0f0544e97df29cbdd51f3994e48413af
SHA256 2fc1f5b0271b329ca97ec090583fd9e94f5d86e918a41d91a383898e829b98df
SHA512 61a5679828a9a115f15230b14594d052e36779c9194c3791cc4950ab40c78b6e99bd54030feb62f26de4c504032cf272f2527bee8b4c5081f5640f23951b13eb

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1

MD5 334a74546208bbcf41a0be9d3a91ee08
SHA1 b64a402d60a902c39ea9030937b79f58a06f79a6
SHA256 7a9f749547968bb79ad8d449f9fc5ebe9022d714146d6951c5a4b2cacabe1ac9
SHA512 373dd267ebd1112794e3dc46350f2dddc97065302bd118e99fa4eae04652f45c3a4d801eac1649c91cbb8323b32ce9577eadfb1b906087be0d83bb2907236435

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1

MD5 1627d9e99f9a8c37f7d8d7a64d357fa9
SHA1 6ef2aab1ed4f110b0ad56c1fc4339c3bf51f3409
SHA256 1155ada913525eaca95bd53e2414c78171e0771db5e03fa4c6979d3352d2e35f
SHA512 fddbcef288a92faea273f400431df37e6355d611f755769f7fb02239e2af8fbd53d0da4c5ee56456efbc0d024eb6acd4283337fbcef8763ea6ddb4ade30c6059

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\cloudv3\cloudv3.xml

MD5 e504c74715c813946a2239fcea4360c3
SHA1 6ff01815df6bf6c708c75eebf33f77bceb1c2d90
SHA256 f4c4032a7405c3c33d30ed3245b0e252c6ae883282a0da74248cb881d4fa07a8
SHA512 8194f66fc144dddbdd1b298987814c7e90a69e294d145d4d73aac754620470a7a7feb8a4876b3af469e741b5b255d49a97c1faa89b9fca70ac13138839f213da

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db

MD5 1b0fef4f03fe758fe4881884c042f451
SHA1 5bd093bb0ed3bc24f36f5e6830139cce0d8fc978
SHA256 ee6864601416125287fcfd2e21f32ebc7633a92621115c5fe1c42e748e69d052
SHA512 1e011095d91a4dfa90df7e0aed6f617e2bd32a8d4bc25dbbfd5319593b089e2c545571d7ab879f722bed5fff5c3e763b2d268de6b10e02a4c2a112752eaf6b86

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray

MD5 79e881f506b9e1342ef1a79be97127b6
SHA1 65c3fa960a5f2028124ef0b7c29b39b75e968a47
SHA256 fd0621fb7c7d16ea358aa35e7bc328151a474f9e161cb451b0c2bd3c0cb6a5a0
SHA512 a4784752bf797d5cb3f691059e01fcc68799a69e82ed9c89b4c660c993d9212fbf8232bbb132ef317e3e4484708d667d3f11cf0b7f9624b8831749ce4bef8d3f

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond

MD5 3ee27f3d56064e5edfd36eb1724a3a24
SHA1 978f943bee2804475d8c96c37ffe80b0cdb79bca
SHA256 29077ce4d0722824342be77bbf357d00d40b9d9e19c8bf90e1657ecfc3f8e163
SHA512 a1c915b3416db0d23d0a14737517ada639d3ff21caf44853711fcbec93a1a4473fc265214847af8dfa157db703c5418b958623e59f7bfb6fd7d9995b078a2dd8

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll

MD5 063510e07cfb8b97cbbcaf3ed4aabb03
SHA1 b2f860faf4e6ec25793199ffb42c0f4c3960f2fb
SHA256 5bde0a0e3a55f4ccf8f78e8a9923a9ac8e0a335afced1ef95e0ffa5ec46fdcbb
SHA512 c53813866afcf60e403ed7121e87c91050a6c6e8062f2d8a1b42b21c7b36435bc08ee76d439f783420acf4c4d2f1c6b6abe4077396623ea3b8efef9c30584aaa

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat

MD5 41b09af489b0178d8b66841159aa3c71
SHA1 6e0dd17c6e23b05e24cfd7446a42787ab5ef7da2
SHA256 cb716c923afdb06fe32f42f98589ecb380e43e02dde999a4b4031d752c3b562d
SHA512 45ba90ad15bf74931e70cd0693b443dc28c3823a5fbf91b210f217f06f3a12aa6939c6fad0ab2ae33d324cb9e8c56b6526e322f306f6198f65c971511eed13d2

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll

MD5 6c996360bed3d6e78429da39b73e477a
SHA1 da6daacb42d9415fb4d21ccb6570adc5a1930ce3
SHA256 99e11ca2d8c4602043c866514f9fb2ae232c2d7dc804899e38f50508d420294c
SHA512 cfbe8a71733fac49056c9c5e4baddccba36d1bfb7f3e87585ca5334acda8579a9e91e63c39fd58a7bb5a81089252ed0c632efef04393bec85042c56975d35b42

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll

MD5 9828f59608a18295e1c09573be65a83c
SHA1 93984056780122fae0223c0ba5143a7849bf7f27
SHA256 4e3861b22c79e5bafb504b522d42a95fd58cfe04ca222a1252faee02457c0441
SHA512 9763d5bbd38b691611bada797e1d3298540aa85f35cae99ec298a05a7d6fee1ae08096829e6db7ba89a5159df52b42e52388448abfb3249ba506f4ef7ab4f3dc

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll

MD5 78f5881af930e81a9ffb246402b6a6e2
SHA1 0a0c687ea93a767ba0332da16065cc0ca94ce23d
SHA256 0726d155b657c4bc5eb65e518a3ffff188950b563024574ab4f257c057552756
SHA512 81c516b3dd21e4139459171ac57fc03b035b401c96413f9ad86afac4b14ede60548ae3ebb0f025882a018e78466a23fcc7db3f2c36478db36504f9ae2d8ddd81

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravxp\ravxp.xml

MD5 2afe89c907357759c559adf24e593038
SHA1 f697d639b7cc4438870c29b5d993b2a66ff8ba34
SHA256 fd83e6bc03291cb4ad0b2d463b43ce701a3dc169b7eae267579621c580914688
SHA512 c52dbbca41ce3315853c65cb70dcbde9dec8bf8d3b918209c926951ccfd3b7823edfcd361b49df175730450a1eb51237ceaa18d91df3a97ef45b18203a0edf0a

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe

MD5 ef56ceeafa7b2464f44da3b3a46702f6
SHA1 de14fdf17af68d99eb749099ae1229cfc0dd40fa
SHA256 64b80ee63b36104f28fbaa08e9f57709969ddcdc71d2d958318e192a8bbb3d4b
SHA512 65bafd8c355039569f9a421551e6cf8dc51eb5744f7ba02fb7c38e230a7d3668ce66496ccbc300f7a712d7ba66705de9d16bb416a5f85bfa5c34b2a363dfe408

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\rscomm\rscomm.xml

MD5 9f0f78185c57946453d729604c7f3303
SHA1 50748f3e666e32e91486a7083cf44e41292226fe
SHA256 245328c1a66b852b97a63830d66fcbdca83f0d7cbc9ca5aaf3bc8c7fff9743aa
SHA512 1fb02223c45aae124a9ecc8d03cd31d5ad4d13300e2937ceebb783f1fbe80932dd14594ca1aa2208644c30384212e4ba68d82efbc1c6a525b3dda484e7a46e97

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll

MD5 bd57bcbbed105791aba2b968354e466c
SHA1 0ce61f54a520f7aaa220dceb5089d58ed23d4b28
SHA256 fe5be381bf4542f38fbc528af74d1fdb4f98733b8e0f44535420e9266cec76ad
SHA512 ce810e210d8e18c7b30234637634859d99a35adb69c4e398c35f93551c69fa5a79b9d0a77258b72681ea4d3e42e7cc42a02044c6543f0f3471bba39740d6514c

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll

MD5 b4f78b19eed6248a10f3031baac0b517
SHA1 aaa41077d2d220fa8e15346333abdb991c26cebe
SHA256 d03441eb400864bf9c7e258a3cc1c2f5ba603841b45188bf718e2bb9f2da0cd5
SHA512 599e0d81579225528e60bec5879c6ef1b101bda655fac893cc0598a37af70b8a49234a23ec9d4ff13272f297bf0ba5267e7a786631412bc8241f9a918ea8c1f9

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll

MD5 9e58445a57ead0fd320fcc58ec173c3c
SHA1 6b3f0e54f91c4a4d1b772b9ba4683c33364cb572
SHA256 254721ff502d5bf1e7fff09fb4fa9c302881ddec74e7f3d22aae321a54cb1a6f
SHA512 7da428dc8c928c559698e4a377c0f39c164d949d99d323d2223e2c794a4ca1fccad4fe2f159d5e95d25589892b3eb80a584af85a66921851fd57ce804bead475

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll

MD5 82387571279847d2324297ea4722e14f
SHA1 b618610a8c910294d95ac8c5dc70a6eaee3eae2b
SHA256 4c23f9b464132e5eb580f1db69a98b3368d57ac70cdd87d00e31e5211297f79c
SHA512 3e92f0cf3faa76153a08b9a91b6682ac54614ab4e043f2aefdde7d28353123a00d2e2f3ce27b1147db0891429fd691c022f3c19e71c7fd9c1a6e307e830c5c27

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll

MD5 6beba6b5b2e5e5ce840cf7c02f3fb657
SHA1 0922e75132dbb8a600763a7145eba1ccf6db62e8
SHA256 9a83dba0226cf8ca622f8cc135763617c5849308d1a6807117190f7783e12aa0
SHA512 bfe7d6066405d0135967816a792c44a3fc03ec05ac77dab3bb0d4d52787741c523a35e7e4e89fa1d9484a7e5f83810c4006cd65a9b59a25f9d39877643f70874

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll

MD5 fbc567d59b385341c53338ca58c3e248
SHA1 ff542e45d92f88c15b781f976ae0641769079605
SHA256 7e5d24f765364518dff0e2523daef720aaf258b689a989877f63b5a2dd2baa7a
SHA512 a435e8de812a47650f1d4eaf98060e4e90589c993b1d371ddb712c5c7166f7219dcf2d7bdba1b482d5e5487d68c419e99277546874a1e7d1b55173f14bf39276

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll

MD5 7a80c5c9e6955622d45ae9bdf86472ff
SHA1 1f964d7c2ec962fc3817fb013dc19eefc133ec3d
SHA256 b9bd4dc7254ffeee8086152394792bf4755c6f8ac598881d98b012ebd7d56f37
SHA512 ae8b7a9e71af3f577a5557b42aac315baa3658ccadb9d195663c25d9df29f3132219bcded83fe6434f9608acd32e98e9f9bf8991cf59714ff07975a6e4ac2e5e

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll

MD5 4918a3e5256d45c5ca1dea6a2592ca88
SHA1 dfc8c332ee987b08d71f02e0c7d6b4ec70922121
SHA256 350885d7958eb4e404561d4e7a338f5abc290d937e1b80dddd2d0bd13ae44c6b
SHA512 2ab98f8a1393c338eb371375b3d50092e7d887c745cd14a0fb7542cf58acdd9a14bf010c4e2eec7fdb58590bc0016086e496001ed689e08543445cf7c0d11482

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml

MD5 fc8ce8acd94acc66ac5aeb7028819ca1
SHA1 73faf9d2e074e088b040134baec453228033a908
SHA256 e83b737639c43f3550d67f83e293d002ca391d3dbf7ef293b4926ae34d92d0cf
SHA512 022736133db851eed86b470fd5a95bedc859b822269449f4ff0aefc987ede8e76e12c7a27c1fdefc8e8b9d76797024940126d050d5ccbb2d58ae1f4dfebc709c

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe

MD5 f5857084201bd2f578b2c04c12cc2ac8
SHA1 a557ce58deccdd3d2a8bf7e60c4ed2871e9a311e
SHA256 b7dde72860964cf80677f9044a98c6f6e5523d67bff7f583a064e676de310610
SHA512 0f782d647c8dee0e762508a7896e11bc8cfd6be5b778cc31208d4bfb3083f79bc0d6e2522ff5c0f288a3f3172f6a3495c98b3d6e93a1881281267601194d49b7

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravlog\ravlog.xml

MD5 0d73be899edc2c5963c0bbf4ac24a508
SHA1 3773c08a662c735cc43c09214e85ea86526d403e
SHA256 6d237e5a59f6a45762596ea13dcc77adb49563f9ba5cebc42203cbb1a01aac6e
SHA512 0500179bf99180983f3018afa33a85eacab071d4a7253dd7e014ffacc88c4e5186efa23c2634ed4bd2c9c447392fb50eac53d7e6278d2c9d447851050ad51729

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll

MD5 08dcba43400dc71b8145a30c6f0b55da
SHA1 52be40c5783f0ef15f50c3b6d8ac65b4d3af9213
SHA256 f53dcd481c81f91ed34cd36837b5c493453dadb1c4a566e0e586d3776a2ebf7b
SHA512 591ef8e7a5ffbb924873c07be062805491b013b9dfe56f4bce32b0e8cce8004a4e1e62be249736e8d66256f398a40596d77c8757110de4dfc07958dfc716cfc2

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravconfig\ravconfig.xml

MD5 c3ff13e452600f5c7811ae9237a361f5
SHA1 581fc60f8d0a361dc7b20b71f72ee73ad8ec685e
SHA256 4f5a62dcfbee1028e8da3323f33688d27f85860a7dce8537db22043b85705bc2
SHA512 a993a947acfafe434d7850d4de2fab557aa8ae1c918d3f80f3cdb166ec7983d4bc08d065a768d9102ed9d2efdbc63569e265aa4e3cb81e9359f158355c0c6f72

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml

MD5 c0e6a9e9d67801982841df21513dbe44
SHA1 e5fc88dc096b822bfcdac5a518fdcd57a098a08d
SHA256 f86523f03eb839ecc8f485a07952bb8a319132ad669ac1eaaa598e455b1315ad
SHA512 130035503fa1faff86fe79b9172566b89a0b243faad2e62a7aeecf27d2fa9757f981115456de49e0b838f0534b4f57fb725800c33800f7ec38f619c4b94a3d68

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravbase\ravbase.xml

MD5 7a53d889e34d013977fea1e3672a064e
SHA1 058a04a47418a9a0b7a23a5f3d9d8f5a8ad00c16
SHA256 00e3fd2987a628f2485b537a86c319133ebe378cc1be33055a671eb7a213ca0a
SHA512 b829c91eac895cdf2d5e4231b0f1d50cbc936b7359a4cca067bffc16bccb3824fbae361add510d30dcdfd3255d6b351a789389849e8e0bdabd53ff70dcea995b

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll

MD5 249a270469f151ec278c95d63a3fbf79
SHA1 c205e1880137378c317e79c2422085543b6d0786
SHA256 1020d6a0962ace4883b726e2d1e5ab4cc9cd095271ae5052fecb8093ed685911
SHA512 8cf2a329fed754e4a1612796a9935820c1bf9f2557ca41c10d497f3ee833be02376eef4b0d8ef4f6ed29313160835bbbcde99ad29c043190893e00ca98c51567

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mondcoms

MD5 b0d653b2d3c0714264432a97d4ca4ccd
SHA1 09916612c73e70bb81f5555eb4fb2b352151b5a0
SHA256 55eb59274dd816f183a82752f24e2d803c34f9738aaf370d6ee5ca56a8607432
SHA512 7badeedbc003037f6f9b2530c0c1f8059f25ec2315e8ac209090260d8e66ce409e2555236ae0ab85c33b227b8052185107c6b38d1eb75f567fe5231f99dcd262

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mond

MD5 7297f74e052d429c67c9427513b8426a
SHA1 c938981e582d7cefda1edb97774d2737b18e71d9
SHA256 40cdccdf76248f7abcf0ff13194064cd7c430a80e88a33eba8459595f814a1b7
SHA512 a6c9f47d14341353c25368b2de5b9b5f1b18624fd93ca1e2a5d33b80aa601c13b9e3b4147beab5b6f336470a3ac4de562e3341605b36d8ebe823729a9ec38daa

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp

MD5 faf1e870fd2e531c6c819c663ebffdf9
SHA1 d37038e351d9b6689ca70f920ee3cec0f85c3d99
SHA256 618e3e299dd914641f612746f0fdab2ed1a7d64835573556b79cd5f462a53fae
SHA512 490e78c795f1ba79a1b1a6e409b92ccaf1a97ae65eefb16025d134fe8a482a0294e00b9f619384a671dc8ef3f2706cd69db90a4b92c228854e85d2c0c870cd8d

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll

MD5 7d6bc107cd29293b274577d755662d05
SHA1 02b54b2e5c5b8474f0046f381e2575cf3cb7d27e
SHA256 17c758efb729c504c73e600858617162352786de2d89b7694e9c3fffa5bc0108
SHA512 2abe890eb20e6fe0b855af5db20912a31588617d7636ec699d1eb8a2a31d019247f7312d23245b318d5c1480df2025a38bc6cdbaf6a5f8ace399456137e6818a

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll

MD5 23d683209cef821f78ae2751d07455e4
SHA1 7ce1772b8caad620dff01fe092a34f6aa77fdccc
SHA256 3a85de76fc66355bc19c9071052850d710a5407391aa0d59e7209c638df133a2
SHA512 6a5c340e58b2d1fda6b1eb8d5d35f63de0a780927f25492bb3fca700731d3c0b2432ee046716862868be5c0a5357a4fcaab6b33c3fec0cfbc6fc19a3d2a987e1

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\Repair.url

MD5 6046caca3f94704bcbc38771720fe5bf
SHA1 a22b39351e86842fd5b64f6a57d6659655439393
SHA256 cecf6a5e04bd097fdd5cfe9b0739e0daac8fe67a447a34de24e4a7dec54439a8
SHA512 a24142c6d8caf765e855a89649bbc91f5f6f48cc056472bce45a2aa4deb7d2e428896c07aadcc3685f7b10c95ff33e162c36a8a172172ac2b5f6ccc0c1c7e8d8

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\url.ini

MD5 e40368b60a52f0c504975b0ecc1922b9
SHA1 ad338fd96a7eeb100bf36f3194f35fb96478c8a6
SHA256 57df23ed3d2ce511b05bf897b48759a6c18fe99e3dc886b70a0fd9ae1af84b24
SHA512 b63e0f25e3bbaeb0bf0372ed76e7d0db4c517e44c5a1dfa050f138ccdf23a1a3d3f8e9272a45235e2c170616f8c79c8c5f19e9285923f63d0cc9959810647991

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\setup.dat

MD5 d3b9432cc4ccf146a47c36e4428ba2c0
SHA1 84d10a012ba42f11a56e2a484157e65c2af6573f
SHA256 cd174900f1b078622f44d747c129d07ced961f4689a74c68723cb16217c7553b
SHA512 9dfe2091c4a215476d38fdf30abb46a9a51e6a52d1836d9e4c45b87a3b4b3cc705d76c91a7a16c11d9d0bb3900cd1c09f2d39e0ff48c474dd2c71cc7bdb04d62

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml

MD5 f36cd6978ff5aa6b7bd2d773f6c780c0
SHA1 18b488881ee227bb1ae2dd6176a56cefcb21d2b2
SHA256 490db005887b0edf032372723dfb68daf746c49f56190d0b84567154aa638911
SHA512 bda73482e5b182f9671fcad02f9a9bd80300591597d8f0a2afb5dd13c5be1c522fd5ee6303c170c87cfe3278fca5cdfbffb39dee2763fa5c4ab4887eedbb25bf

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp

MD5 56f7ca81178b3ec4a6bf4efe353c6716
SHA1 4b8cdbea684e839ac7a9bb06568ae25be4a607df
SHA256 5021d9981ff9428d9dc182e8ce068af337d761aa5bacc027901645ca0933bb8f
SHA512 d5a507aa929c12f65864c79f7be22ff26b575de72ebf9283fb9d54c68f7c88781ce105080d264b5dfbf94fb3569ec331448362f4cc1217c427e7261dfe6c3e94

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp

MD5 ae9f062fee50f04960e6276bcf968175
SHA1 05f3f49addedf5fed0142afab10d3eb9abdbcd8f
SHA256 565f77761ff62d386dc1953cccd8293b7e2d17bf09d2cc9e68fcd253881b73ee
SHA512 c2921f663a6768b4e6f501c9689ec10dfffc95485a986ed2f894b159cbc2edf6d1fe695081f622d39c7dcf17dc2b9adc4cc2b975b9dc012029be2a81083a6d47

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico

MD5 90d4e96dbbcff68690f37736655fada3
SHA1 8861a1131de2774c0dbdbda1b005fbd312c95f08
SHA256 07d0569acd1710efbc438154c1f39f86009731922dca81960629962f809184bc
SHA512 1ffd5ff0d78a4ae308cbbeccd40d9770f63fb96b6dd05f7587c81df558f8f895b95c263cbe556037186e04f11828c8f4683e953e1a64ebe813c5702311373799

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico

MD5 02e9aa1cc2496aa63a66aea38d93c8bf
SHA1 bf2d921b1f65397db2007acefb720473e0f0b8da
SHA256 49b6b200ddb96fa9c95ede0927c3b1eb597edc0e21d0efe530ccefa9ec8f4010
SHA512 95d5eebdd847953c959da68590f77bac84ec1e90f94a30e3f2f7e6a9ffef2d4d7b9f6e23690bd3985d1397f56f8d1717f057c50263c50490f62ff5c98a1ff47a

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico

MD5 91e3e180c0f67e774520c3a471fcc03a
SHA1 e0e1f82c830773c236ecf00c3b592bad90c23b88
SHA256 4ea17a524e1989e300b8946953ce3cec5f90cc0dedb3d9ddae52f44aa2d660ec
SHA512 92893444441b82331a335b0f2adcd18b4fd1534e007b6cd055a0db4a3abc9e40ec63e8caec8bae161cedd813babea0859e0d2cdc072a65cd34ae1038e807b7b3

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico

MD5 68d18a0915bbda36e573d5dbb9e6ea8e
SHA1 16a4da44ada8fbe61848c325105d5cc4223c2320
SHA256 ddd6f70209b2960c838eb152d6e0c3f303fc07f7d5a82eb3c55bbf468527f63b
SHA512 4a8fa3a413e050e87aa35616ccfb466d8cf7a8cce923edce0211ddfb4d24195bb8dbb513dfc62f411d4783337dc0dfb10d97487f308e6eb2023587b59ebde0a6

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\rav936\rav936.xml

MD5 31f41082399caf97599bde5b6e982135
SHA1 585df754fd09e85f8c961b68781a05715a49cbcb
SHA256 3c88debc932ff802bd0177936c8f14faa5650f6ebdf251e87f204915b4f026a8
SHA512 1246971e98463e6e07ee3950abee7e1e4847351b3f0960430ff0ce8a2a625d800aeef078cc638aa52d2e90ad38b0f75821a203453f7680c3c79e748ce91108a5

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAV936\chs.lag

MD5 b9d7ab960ad18a76cf9c14663aac7c1e
SHA1 f984ca3033ebed6ff4e0de881a04efaeac1ec127
SHA256 db7fde67da47f286247c6a1469ce88cd34b0d63e61210c47e964df845dedd955
SHA512 5ad2b441d92e3167ee98fbaa0934015abcea75d83fe5ba9d3d459a2018d96a6b483f0b6ace5739a7d16299f0c7471368cd4b01623550cd34688da68c2e1fb80e

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAV936\lics936.txt

MD5 a181e8c0010f7dacb4a184814067cb02
SHA1 c78a093afa455d715269a3b436de1e75efb3b73c
SHA256 2ea3a8709e5b5d0f0cdee2720f08f24bcebdacb7e763ad18cd5cec8da1562de4
SHA512 0cd4a92db12957c912d6e749efe863c719ed8142bfc2bd83421c3bbf4d2f4bcde65660ef9faa1308be2f4651a47db7aba71dc6729ff89ddc6db415eb3018957c

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\monbasedui\monbasedui.xml

MD5 1e972c5d54bc01e368472d92881b181c
SHA1 e46af971c571571218e481c1e7485bbe3e74a3ec
SHA256 1c475a9d996f4d6ceb15ad4374fc29b060f40f4ef26a886f1a64af3450cafb23
SHA512 aa047cc368c5476eada54a29de9601461c0dff8140e38a59f1d292c0ea4a0bf749daf74b60b0ed685cd9edcbe54ca95cbb0903704548a870c9b5d84b03ad0be9

C:\Program Files (x86)\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe

MD5 28d944cae5632248d3a546aaf7601160
SHA1 f4116371e80ff3053e4d11d13fbfef69b2c4de60
SHA256 43239bce0a3200c5d61d968f8e130dbaa3bf987e02417d49191c72bbf1636d4e
SHA512 2fd9c1e01c6a66d3785d056c23853fac3a65f4e076ecc9b962181e5f501091d95c672ac544a5a0731014295c962417a57a7d1d022eab4ce4ba25cb3e98e2b010

C:\Program Files (x86)\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll

MD5 0a44f63c07112bb325aac94321ae8ff6
SHA1 af17ce35de0d22b0202111e5bd34cea446f428a4
SHA256 2755e8e05422ed75e43bc83d57cc8f441b5f7063ed0ea01a016384f3ff48640b
SHA512 c67f445a81f29463baa497f7513ec3934665541bd1e00b2b459e81190b90f6859e6a9cd38acf69e038c03c2a197a2bbca2a888d555eae98dfe06790ba91c6490

C:\Program Files (x86)\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll

MD5 7f06e8ee5ed127b9b4d33c8fd37d7cfd
SHA1 b1bc08b4ae3ff433e3aae8631ce1a0f0d351d2e7
SHA256 89a50e77272251558218a924a12bc329b73a4eecf67b341f194f05dccfdffa69
SHA512 d22558233d818ce377bd7e8777786928c2c2e429d3d67b7a9429fa686881979f42434855e25ffc0eac94bf67d810ad3c4b36cd22e6430608fb7fb890614339dc

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\ravmon\ravmon.xml

MD5 4f5d69f4b5b2ecff1a755be08fca655a
SHA1 e840f09fcb466629581334ffbecb2803f01f504e
SHA256 75b1f9d9ce451429e304d60042a2ca5e761d0adad41f30fd878ba9e5756b50c6
SHA512 7d898d4f4c1974ec398c63f714916b2670ac36cede25e33f7bccb6629f2ffec62a21a0f8167ca1677bb0b03a4a29e7483d8347bb8837bcee749226ee085aed53

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml

MD5 5858af21b443c4b0fd0948bd9cb3150b
SHA1 2e3e11aebee04d5dea05c7b1b4f504e90e888b95
SHA256 9158d331bc42726b0d6f5337f3f8c5921845953def1afa429e4b5145b07a83ad
SHA512 1ed1480937c1f3a4b3f9a12f2e135e96d2b6c0fef629ab4e04b3226ab3411bdf2db3f8a728b60165fa93cb3f0be9baf0be3e9aca7a040d7524a76c0cde7a6ae4

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RAVMON\mond.xml

MD5 2064de07198e0908e7d836991bc82d2b
SHA1 acc9932ad318171be8ed7599c2de6b276356fc2d
SHA256 f0d58798064e24075f39b0c65f5640391a675130162db14d68f95300b59c9157
SHA512 63bcb5497c7cd095292649a09df0d5e07dfa693a1d5b84f330f46cd7eb8aec3ceb02291945a8929e593d5011cc0630cd866650b48f2da8cc1d7d48389c1b1460

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\rsdk\rsdk.xml

MD5 f187dda12186f9adb6d4877d70fe57e6
SHA1 c843a4a2cc0e2fd87ad339927f2cd3af00b6a317
SHA256 df1b54d4d2665e9992505861414500eabfefdc9689a9c217dcd77939480c68a6
SHA512 c7809b1133231bd5d7bee77ed0c3d900ee7d43f7a352cdba73d9fb556b7799da76a27c28f4e6d7405f1a74904eba69dda99e9a28f54521d3aa4e5ba2e8b4ac12

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll

MD5 b19eaceaf35f2db4976db8da259a498d
SHA1 19e0f49dbd10b14567fdfbcd9af31858e8048347
SHA256 99f3d0e3238060b0e275a0f841b592232222619b870503164bbfc78a687e5180
SHA512 1680d949b6b37e05761de41b052c03135e2fe1c33849d3d3289a5959ac84dab0ac546a60f3f29cd4c285d2c395c0b09da074f32d098e1e17173a7857447ba7f5

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll

MD5 3cc9f8d9db63e973433637945232fff4
SHA1 dcaff29e7d31d6f308c2b14aad587b24ca1fc70f
SHA256 b6eab0aa210dbde66559069250836862be214bf6f27eed45b9b2ef123ad8383b
SHA512 518de27287bb01b056924eee01cfeb6dd4623f108ba0c8194fa01baa17a23dded1eef476a50544fd5c4def05f7c14e56f117ce7960fff71239c28db771d5ae47

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSDK\comx3.dll

MD5 904607ed3d2e8a29c13dcaf80cb311a9
SHA1 ccda8a44dc90d2961f1e23860d97629526186824
SHA256 efa373c1913e3bffa44191dfca239a97746e5f08612fc98fedee3a8504e31699
SHA512 6b51928652af987efec583ad91194166a8b8e26a615659522205bc10cd28546e486e5af153fa341ecc7c4d0215f0c8166cf7ab047986b4576b96a335f64713fb

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSDK\dfw.dll

MD5 12d2d81f07d7557cb4fbe3af6a3ea9f6
SHA1 259f2d593c236c009a97745ae2b462fca1e1b12a
SHA256 f79eb76227f6088a30d9ac620b48f5d03098e2b78df19e06b7a2fdca559e426c
SHA512 1dd335705aca3bb65c43d84c4679ee1a2b118422e6c98da29633bf07610e1dc3336d60ea7520d1c3b2b756087a16176b1da690dbe163c28a265fbe311c96ad6d

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSDK\traywnd.dll

MD5 412638fde23d2ba33aa194a67165866f
SHA1 d163c87a25b97cf5f1739689ad453dfc959e81ee
SHA256 b3a26d1d43280636f9c909fc71ddb7257085c024966c5948c0c22ca0a3c79071
SHA512 8fca4b2594bbf4fefff7a372a7480e87072a47a09e3a44cca2ea239661ecd6608a4e39f5307ed42608f7fcc49aaa1bbf801b08e50eba347d73191c3f182a2e84

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSDK\procenv.dll

MD5 2349983d784ed407a64f274acb8d4b18
SHA1 7599976142e0bb8f07ee36c81337e02d59e70e28
SHA256 317a4c627d4820c44c49ceb7a805971644d9563e199edc6ccc626adf77f8086e
SHA512 57b1dbd0d2908f42274ad4f221ebe550d35bef0021d670c53f76efc5debb4756120e041fc2d6b02ffddeaab5fafac1f1db3cf2b071b59a0b987b5d759947eb33

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSDK\rscom.dll

MD5 5bb8c8a5a7abac3b8478b254956ab580
SHA1 98d6271be71802ac37b8c19daa88839f4ebf5b66
SHA256 2d5e1b4bcf5b5ae20f9aed61b342861290e8d520f09be48c1fff94a97132e282
SHA512 8a2a641b75bddd6e4d317fd9451586dfcff919c8d1e6d7aab715d10e7812d3a2a34ff06c5b21ac01316ceb22133de9306467dd1ad56e661cbb28dde915f1378d

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\mscrt9\mscrt9.xml

MD5 6c8b39a852e86ccaeba6d0eda81fde47
SHA1 a9bc4970bd6473e42a3807b9c1d10e152f124ef2
SHA256 1f5b87b7af68e38d66fca44b1d6518fba769113482280269f9805974d79dc858
SHA512 043bdfeffadc86c3c80471d7f028a8576ee91778a3181884fa33c35b67d5bcfafb8196813b839f40a657b3a6b52f4341e024d09b2f1a4c08a0d8f9fd01938bbf

C:\Program Files (x86)\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll

MD5 f1f9eeef647cfa62a7104c054ce0999b
SHA1 4ae6a48e67b76fa91252c9ec6980951469a007a4
SHA256 e77c7bb47f927865e7b4d689172321cdb70e296bd9a77cb64ff5c405aedc6973
SHA512 1076b7c34257b9efeef0597000e93253741fbcf1fc689ad19d295f07586fac439ce5318bf4c461fd6fd1ad1d174f089db8ae50a72bfe82c6a3d6bce87de0eb38

C:\Program Files (x86)\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll

MD5 874c8b1317c58ffe62d4d6aa591eabe2
SHA1 b96ea022f921890b7e13e3b905ac606032682693
SHA256 a928241b03b0106f57625c78811ebd65262a695401e921c1425ab6596d5dc202
SHA512 2fe829a25d4e178931b71117679e0a2c9f88a2353e4971a646f28b147f7210ea1eaa9a617caf732626d8d418e69af2968b14e2fd1a9517a5035c877efaf88f90

C:\Program Files (x86)\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest

MD5 e18153853187cdc8026e0e1275ad1209
SHA1 3cffef88ab75f922313ae8d8fd98377b00538ebe
SHA256 041c76639c796dc5781e88cfeb3f85652c4286b9fe9624c6161e44397b548d05
SHA512 653f0cef5c916cba7f726a680a5101dc34c3540b39936d693ba7d6f9ac0395152ee82465301e9673779d9029a99762ff9e75fc3d1525e36c9d200bbc08c8c1b4

C:\Program Files (x86)\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest

MD5 b41644a01c05740576b4e77662c7e86c
SHA1 91d9a44ee27f321b8eb844709555e5cda4d8d469
SHA256 a9a98fc7062262a47a1c0727339c760d18589b8549e4267762f7f4c88a103632
SHA512 c2b29ce13d2c84c4165196df1a561b1de35938f93714580b728a2fb2af7c4606abc410077645261250abf73e66cca64683715e3c3b1aad6fddffdbaefa8704a4

C:\Program Files (x86)\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll

MD5 78b62e4c13378f737603136975a07e1a
SHA1 fe49df71b950a304512a3633f7e3db9380664855
SHA256 7cc6c299a20b2de62b3844417f085fce7fea32cc006a10658b3e4815b536329f
SHA512 dc315bf8cfc93a9001e023dc65ac4d9c882ea2da0d8bc4a2fb8dc4783c502c7ec8b0ed0d917a6b9ed398c2f63ca6713cdb266c25950e4c2742f02b01b7582b62

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\license\license.xml

MD5 31d5f7dd00ae66a4b9d78e371f1ffd02
SHA1 8e543b0979af8f78c81aaaec17d2ccbf374e6945
SHA256 32af9c3ae5962e86c17f0d5ab753a1b6e5776068f5abadfaabcac711d0bd1885
SHA512 eee29fcceb9344d0841bfb8cdcb2b65cab12391d83ad9bb7d1615655b34a4e4bcafd5c34e34c883d4883d8b03d815bface7549f0277bb45d5e3915b6981a0ca3

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\hookbase\hookbase.xml

MD5 939e26405c6ad15f11ed93d8121d1187
SHA1 adacde279889634fd5c9226fdb58262821ecfc6b
SHA256 12bb0e027c14f5b3d086235d0f72d316b592054016c0eec91feefe7d7efc8865
SHA512 2497f87c29d7587f89ee6d3f7264d8b50a3e33b90cc3ac708ba0daeebe11a9f35c7a72f138f6c537d3d4ea63250c6e8eafac6bc51c9b6f05bb1126fc5ee9698d

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat

MD5 f91bdfa69dc80134b7bb34b3e6b6be77
SHA1 6399f515fd0951a9e9afd5b64427e4aa63059481
SHA256 265a7937e0d6e0f79cf4d41872a9361a3d57c5b08780c899ab7b85fee97a76cf
SHA512 741b4c1c25f66f9b647bb4ac0795b995fa72728c78099fc6f9dcdb4438f37356b9c0dc8e3c3dae49ad46c9aee8cab5a592d0cbe8582812c346225e8840aee457

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys

MD5 2309b63214988450a91573debf9ef11f
SHA1 59ae0ac15e8f6ea3ec2d634768c2f67933d78096
SHA256 75e5100b0e6ea08bb4e12fac3e9f26a49a2a96d684d2790dff5835e10a14a8a8
SHA512 285fe0409ce4f2e16a8e9255b7c987647954800efedc6b93e5ca0ec136a744af629fd6d50f4e4a2d12031e2f784e8830bedb9a1404c6fed4377c374e7712cbbd

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll

MD5 1c013e59a1990e0fd7747cb2d5c69bcc
SHA1 f2c43b30928e33ce0ba265698b3b649137f24515
SHA256 e38714a7462c21ac7c7d4f9f3d8738fc6d291a61182ae99029c00dacfcfb6159
SHA512 9a48c677df212f0319f3abf802c4ec2b4ebe8e2e07c45e50c2f6477cb844722445b17e8b77f26e2814a08b2845d9f0238e9aed663444de8ce578148072aff10a

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys

MD5 595587c6d7366726203885f14a1dfc32
SHA1 feab44a2dcd6df5f6d5cff56a0ff81efaa7b3dbc
SHA256 4f269ea78ec88721cff5dbeb9d1764cecba2bf7012d6e9a07fbf4a10614e9b44
SHA512 2f6bd58dab02abd0d4094fcd1245a8756fc64403747ecc122cff08cd613256dfef0e9cfec1ccfdc315f6f0e6a3fc41c5ccf7dda0044888ba9bd4939fc80c3dd4

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys

MD5 2649f027aa2dae21a4d87419c7b98e46
SHA1 c7b8ed65849a024159323d57df00362acd65c350
SHA256 af94607edcd8fa2a4044e3ccdce6d055d182aca7e2ad66a0a907992d8b4b57c0
SHA512 edb9a74b1238104b2b33d95292c5f82c7e8f7c5a32decb71d942c1523223d4072673f38ed5b3025975920052e7e5ba371791ce51109b6217602f679fcbcbbeaf

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll

MD5 1ac62583254fc92a143c4780489c3762
SHA1 7adf68ee68fb33c98ea38ee3ed244fc04264f490
SHA256 8f58a127bda67a27814d23b10b8c8bda362a1026713a2a9fa0667bfbd90b5abe
SHA512 16f8e06527e241d88fc545b2af753749ac00123f78ab102cbe3c36f262b44bb6a26bd205e0379e244bd43c51158aed4ce374b7c916c206788d38539faf8df7ad

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys

MD5 0c1667ffb5d3fc4126ce2ada1cdf400f
SHA1 f6ee331794bab13eec8cc251a7f971ee5d5cfbcb
SHA256 a09d0a2b85cee2565c33f63df6ec13ac66e8c00562d79da94e1a0e46d2da6342
SHA512 1eceb5aeefcad7b43161bd4cee9b9835fcaf6c3e706a69157854e59aa467afbf542147106d6a68f61a20c8474debb867c35f24f508a7e5866690e5784ecdfee9

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys

MD5 e029574dc4096bf8b124ce0e26708e7a
SHA1 04c6f87005c53226564c1af5f1c3cad0034218b3
SHA256 392e619387445dcd8926270c6b5589d488599a2e5d1a6c213f37117f7cd05aae
SHA512 7c3b5bac4d41ab82b81052c04db21b589bc38189817fc490c35b0d84d36f2b7b7132c61bccca9840b916c16378b27feb85a6ddc89c89b11ac5766d8d31dbe8f5

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys

MD5 f3d76d052f6a2d5c15dbf6bba7d72fc0
SHA1 9f6264f758e381499585dfe5891d93ba4d194dfb
SHA256 768161d2240b6535da281706f20dec35511cbc34016ee9e79b8ad1b94d7621a3
SHA512 7cc48fedd085d742851b1a18109f42757a5cce2a05787aabd45109ac03893effa79d0623cc4716f066177ea0bba0608f6f6804d69a85a4f502a458a293a7bbc2

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll

MD5 5a866622a428d8dd979751975ab881f5
SHA1 bf3817573d33f17e8542e91e849c33624a6a0995
SHA256 ddf4ca96a8526964748b2162fe1402d7cfcee9a2c9b8dfd1500fcdc7ee935cdc
SHA512 dfe110470600c8e1f4405999942961d15434121cfbf258e3391091ae27ac2bc5da6bc6b9b5c81a110ceb09f8c8451f1ebfebb86d51e0216eda8b52843419408c

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys

MD5 cb13521249813c485b912bed9df94774
SHA1 5de0be2af2dce35d65e4050dc1b0d601415ecef1
SHA256 95e678a577160c7a2967767d5f6c37cf5ca4bfa2ea01d64fcaa804e790444ade
SHA512 8718e2022ba058c2794efda2786a99430f99fb4bf3b7f73010ba365e32dbd006ef17b411779595255c14290b665ebbd415c886d711cf987761ece86b8ed4e464

C:\Program Files (x86)\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll

MD5 d226c6926ec3aaee6a144466bdf8dc99
SHA1 83529ea6e37fa3623d77057e0aac8d6fb02c622a
SHA256 f0409fab740df7b8331c9c88c558dd7365e4cbf2b0358af9debd5f676be2fbfb
SHA512 65c8f82c32c614614ef970319f4e68b6aa3e2dad0a43372ddc7ef0393ef28c2144c96e1e8488cc4b4bffb0ac7bde4ccec23ca8428f23f0b3f01a6c2488fcc5c8

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\cloudqry\cloudqry.xml

MD5 f5e0173b1288b5e579f23df3219d7223
SHA1 8c043a16cccf0f36f70b4c6d61cdd0865f06b2e4
SHA256 bc0f5f64407fb1f2d4548a96509a85c9556ef15995daea09eb6c6b3903982555
SHA512 48f48a134044c7d437aacd6d810c8e562fa9a831a7b087b75ed651d5a6a6b38c71368762a1138d089cb3e528f3ea35560174791682e2fe640ef602f2ffb9ba61

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat

MD5 9857450cacad67862fbfe4a65352573e
SHA1 fe8e6665c9292f7164040323e98faf863f2800a0
SHA256 b19d3acbcba17c73612ef9926bbebf96e3d43d2d9ac8f9b4c2a55802575b220b
SHA512 4961de97de2bfcd2cdedf9381759489b0f3139879ccd18b87571f49de026ac3c3bd9288701d27351e8810048208d8305dd9e71462ff3821ce7987d4e141df545

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll

MD5 0d5a512acf6fda7d1db742a928a423e4
SHA1 007c67222b554dcd727610a103856c1f3dd13abe
SHA256 526519e489ad33cd8e300848e7e89fc76e1b5c33545066e055a7199652b1d3e2
SHA512 7cdead36c951397c18ccb381ed57173c27054f368facadadd5dc5f6317fef2be28e3922384bf82864f538ebc5e54d417c44eacb8e2f5db6392a070735ea33c66

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll

MD5 0f0aa3f8b1ceab59168724a6037c8a8b
SHA1 7d348f10f2c68eb1c030802f589d18c574ae2c2c
SHA256 2156f089dc651792fcea339f07eecc99abf71db3fac0322e033d6ccd2d104eb6
SHA512 9211e2ad148010bdc1eb315f4245019b2c06396bde8a2f6350f7bc5dc2f837269eb20579db6d2715c2da001e7b4f3aedb9734e951c736c3d746362e6e822da79

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll

MD5 9941a9a12196696c1fa9bb6d6442d359
SHA1 c07ea10ac14b062a050c1aea351880bf5b1b0bc1
SHA256 d9fea6444d2dd5384b3a91143856b3fdcea71146a3891f2f58aa2238332ed6ae
SHA512 7e533dd4c52272d7cf8fcff1f9b20c2a68432a3864d08a2d814079ba957ab644ddeff01b889225aa2e802897605933f80817aa5b6a9efa7db16b151f17274670

C:\Program Files (x86)\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll

MD5 82252df0fc1baafd24964731f156112b
SHA1 536e4509882c3caed8c071ee6b5b961e96c44b91
SHA256 6a43007dd32f50b8353bf52238b970d2b645f51d578ac1fdd39b8c58ea0f012c
SHA512 20942a0e098f80cd6bfb8eed6e7b8b77ebdd718e7a940d935d3fb3755335fab9e8bfaae4c6ebe445e43c5575573857c03c8c801318f8022a5a346699d38d60cc

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\rscfg\rscfg.xml

MD5 cb1cfae833ab526d8b7a3fbfb0512c0b
SHA1 9cc8363a0828af1212d38c91f74baa714559b946
SHA256 50a5aeeb5da3eb81db80f197e633312e08dc9118ad3237e887803281bfe5d3e6
SHA512 83ee9904df7c4862409dd00c2a393272ee5db8edbb1d16ca488fa2805563e49d9d79432d04be844dc45f3ac048b7acf841bbe06de356038a2eb69f6f5877886f

C:\Program Files (x86)\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll

MD5 e8c78de68ec8e77e27af803074b08ce5
SHA1 405abc26a53582b6ae05d61d2518ddd735c85c15
SHA256 b69432de32ca98a7919b6e57c8fe963d3ecf3d86fe4d3873cd98b9e398f5352f
SHA512 1c19279a902180fe1687261bd5b275a22383e36c3609c383aa84dbd5aecfadaff4576b23a42d3646657d3cf8faaa5699bd2d5209f742e60369f1d03118249e56

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\_rav\_rav.xml

MD5 b77d92dd92b9da87177c63cfe1be69a7
SHA1 2eeb99eab6e60185a2af9a86cd7aaef866f370d9
SHA256 901da08215137b8e3c38bf6bb6d9adfc127a92395c9560803774b37046ad7de9
SHA512 1dff93139d3a4d903d2cb5c83307ac252c1b8367658282b044c60369ae9172e7aa73c95744c93a606d51414f6bdfbad8636e5d7fb3bd3d77b08adb23aa39956a

C:\Users\Admin\AppData\Local\Temp\RsdSfxTmp\_rav\setup.xml

MD5 98c242a2d7f5c0e35f6d76c971dd274f
SHA1 adb024db0f7bef93f8e3c70da394c6cebbf55458
SHA256 065321833b123e6323ee5d9fc1d0109f68c6d3ae6954eea75d58d9f831fea785
SHA512 8c88621134cdf048f4c9e637fdb8d2a69c6167dfd1ef3288564205fc61e647957ceed6d262565eba0b1ef129160c02812e4630fec03c846630c36508755d2c23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/3220-1382-0x0000000000400000-0x00000000004C3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5fa91847535c5956d08cdc6665bc8207
SHA1 ceb7c9db6e4801049c5436ab025e2fff9277091b
SHA256 befb7ff44040bb3f04ea4b0cf6b3d9910dea78be49475f62d614abea06792939
SHA512 d13b34366a235ad514c43ceebc43ff0f3bb31cde62684585382f4c67e2481cd4b995274c1791e50d7ebcba5e0fb04c42cdfb10f123a27fabfadc5331bed4edb2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b2792220e7d7f8d207f66767f748c571
SHA1 723e2992dc30104bbf48954f36b41df9c4c2dce5
SHA256 e16ee63098f745c3edf31eefbae7299e7b9d966caaaccbc1ffece89916931d44
SHA512 db7f2fa4648cff448b2b6eefbc2935fecea86acb6f6120481b925101a71844004d155ccfb298544d87902d894a85f0af7e2fe8d0ea8bebfcb41e422f0f50a104

memory/1904-1397-0x0000000000400000-0x00000000005EC000-memory.dmp

C:\ProgramData\Rising\RAV\RAV.ini

MD5 9b2c3fff2ac5897377b0c7bf1a5e2157
SHA1 3abd5bb403d9bc32ce461e0706cfdb5960e44974
SHA256 e740b098b9ee06a803fb7811d2e2df0b259d75451e1c7f207dd55ab4ef3ea87d
SHA512 b4beb4c5f4b708cd9d2b32c5516a13d0388e39292102c6140ab6ea730f50f45bfb38a689499f419012135acebf0fe65056f25e3fc1e02cfe94140d065adc824d

memory/1904-1415-0x0000000000400000-0x00000000005EC000-memory.dmp

memory/1904-1427-0x0000000000400000-0x00000000005EC000-memory.dmp

memory/1904-1441-0x0000000000400000-0x00000000005EC000-memory.dmp

memory/1904-1490-0x0000000000400000-0x00000000005EC000-memory.dmp

memory/3220-1507-0x0000000000400000-0x00000000004C3000-memory.dmp

memory/1904-1508-0x0000000000400000-0x00000000005EC000-memory.dmp