Malware Analysis Report

2024-10-19 06:19

Sample ID 240624-wejkeaxhnr
Target fasttracker-6.2-installer_1wy-uW1.exe
SHA256 1a3c8cea2b21f95ce83d6e8bb12e91d92ae1a3b53300c4998ed55905ce5de681
Tags
cobaltstrike backdoor discovery evasion persistence privilege_escalation spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 1a3c8cea2b21f95ce83d6e8bb12e91d92ae1a3b53300c4998ed55905ce5de681

Threat Level: Known bad

The file fasttracker-6.2-installer_1wy-uW1.exe was found to be: Known bad.

Malicious Activity Summary

cobaltstrike backdoor discovery evasion persistence privilege_escalation spyware stealer trojan

Cobaltstrike

Cobalt Strike reflective loader

Drops file in Drivers directory

Downloads MZ/PE file

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Checks BIOS information in registry

Executes dropped EXE

Checks whether UAC is enabled

Checks installed software on the system

Adds Run key to start application

Enumerates connected drives

Modifies powershell logging option

AutoIT Executable

Checks system information in the registry

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Script User-Agent

Suspicious behavior: LoadsDriver

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-24 17:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 17:50

Reported

2024-06-24 17:52

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe"

Signatures

Cobalt Strike reflective loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Cobaltstrike

trojan backdoor cobaltstrike

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\rsCamFilter020502.sys | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Windows\system32\drivers\rsKernelEngine.sys | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Windows\system32\drivers\rsElam.sys | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File opened for modification | C:\Windows\system32\drivers\rsElam.sys | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Program Files\McAfee\WebAdvisor\UIHost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0zvdtaz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe | N/A
N/A | N/A | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\UIHost.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\updater.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EPP\rsWSC.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
N/A | N/A | \??\c:\program files\reasonlabs\epp\rsHelper.exe | N/A
N/A | N/A | \??\c:\program files\reasonlabs\EPP\ui\EPP.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\program files\reasonlabs\epp\rsLitmus.A.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\regsvr32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\UIHost.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\UIHost.exe | N/A
N/A | N/A | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A
N/A | N/A | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\system32\rundll32.exe | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe | N/A
File opened (read-only) | \??\F: | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A

Modifies powershell logging option

evasion

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks system information in the registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_96B11076AA4494A4A6143129F61AEC8B | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A76F24BEACC5A31C76BB70908923C3E0 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_66F532634EB780F86B16CC279B9366A2 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7850C7BAFAC9456B4B92328A61976502_A9EE277304DA2D14A89C02B3BCD726BA | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_96B11076AA4494A4A6143129F61AEC8B | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7850C7BAFAC9456B4B92328A61976502_A9EE277304DA2D14A89C02B3BCD726BA | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\49855FCDFA62840A2838AEF1EFAC3C9B | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_66F532634EB780F86B16CC279B9366A2 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_0B30ED1FB81688B36E482671AA637917 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A76F24BEACC5A31C76BB70908923C3E0 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BD96F9183ADE69B6DF458457F594566C_0B30ED1FB81688B36E482671AA637917 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\49855FCDFA62840A2838AEF1EFAC3C9B | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\McAfee\Temp1556999025\wa_logo.png | C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe | N/A
File created | C:\Program Files\McAfee\Temp1556999025\jslang\wa-res-install-ko-KR.js | C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\EDR\System.Data.SQLite.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\System.Collections.NonGeneric.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\McAfee\Temp1556999025\mfw-nps.cab | C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-da-DK.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\settingmanager.dll | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-tr-TR.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\Webadvisor\Analytics\dataConfig.cab | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\celebration_white_bg_color.gif | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-cs-CZ.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-es-MX.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-it-IT.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\domainnavigatedcounter.luc | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\rsPerformance.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-de-DE.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-sstoast-bing.html | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Algorithms.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\System.Threading.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\sequencenumber.luc | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sv.pak | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\commonlogicloader.luc | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\System.Globalization.Extensions.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\telemetry.luc | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-es-ES.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-it-IT.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-sk-SK.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\dailypingmetriccounter.luc | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.StackTrace.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\mc.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-uninstall-icon.png | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\settings-close.png | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File opened for modification | C:\Program Files\McAfee\Webadvisor\Analytics\transmitter_template.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pt-BR.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-sstoast.css | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ui-sstoast.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\contexthandler.luc | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\Temp1556999025\wa_install_close.png | C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\resource.dll | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-nb-NO.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-pscore-toast-cs-CZ.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fr-FR.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\lastbrowserused.luc | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\browsernavigate.luc | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-pl-PL.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\rsHelper.exe.config | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\System.Security.Cryptography.Encoding.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\McAfee\Temp1556999025\jslang\eula-sv-SE.txt | C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\x64\downloadscan.dll | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-ko-KR.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-nl-NL.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\proxytypehandler.luc | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\csp_client.js | C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe | N/A
File created | C:\Program Files\ReasonLabs\EPP\rsEngine.Updater.dll | C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\blockpage.luc | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-nb-NO.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-overlay-pl-PL.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-pl-PL.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-zh-CN.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\servicehost.exe | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A
File created | C:\Program Files\McAfee\Temp1556999025\jslang\eula-fr-FR.txt | C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe | N/A
File created | C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-el-GR.js | C:\Program Files\McAfee\Temp1556999025\installer.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe | N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A
Key opened \Registry\Machine\Hardware\Description\System\CentralProcessor C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\McAfee\WebAdvisor\updater.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration" C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\DownloadScan.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\DownloadScan.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2} C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable C:\Windows\SYSTEM32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} C:\Windows\SYSTEM32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{117151A5-951B-477E-91A4-699C7D9D66A2} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\ = "ScannerAPI Class" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{117151A5-951B-477E-91A4-699C7D9D66A2}\ = "ScannerAPI Class" C:\Windows\SYSTEM32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{117151a5-951b-477e-91a4-699c7d9d66a2}\Programmable C:\Windows\system32\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 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 C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 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 C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 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 C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = … C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = … C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A
N/A N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\fltmc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SYSTEM32\fltmc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe N/A
Token: SeDebugPrivilege N/A \??\c:\program files\reasonlabs\epp\rsHelper.exe N/A
Token: SeDebugPrivilege N/A \??\c:\program files\reasonlabs\epp\rsHelper.exe N/A
Token: SeDebugPrivilege N/A \??\c:\program files\reasonlabs\epp\rsHelper.exe N/A
Token: SeBackupPrivilege N/A \??\c:\program files\reasonlabs\epp\rsHelper.exe N/A
Token: SeRestorePrivilege N/A \??\c:\program files\reasonlabs\epp\rsHelper.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\program files\reasonlabs\epp\rsHelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4080 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp
PID 4080 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp
PID 4080 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp
PID 1184 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe
PID 1184 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe
PID 1184 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe
PID 1184 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe
PID 1184 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe
PID 1108 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe C:\Users\Admin\AppData\Local\Temp\a0zvdtaz.exe
PID 1108 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe C:\Users\Admin\AppData\Local\Temp\a0zvdtaz.exe
PID 1108 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe C:\Users\Admin\AppData\Local\Temp\a0zvdtaz.exe
PID 3224 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\a0zvdtaz.exe C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe
PID 3224 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\a0zvdtaz.exe C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe
PID 3804 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
PID 3804 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
PID 4848 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe
PID 4848 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe
PID 3756 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe C:\Program Files\McAfee\Temp1556999025\installer.exe
PID 3756 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe C:\Program Files\McAfee\Temp1556999025\installer.exe
PID 4668 wrote to memory of 440 N/A C:\Program Files\McAfee\Temp1556999025\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4668 wrote to memory of 440 N/A C:\Program Files\McAfee\Temp1556999025\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 440 wrote to memory of 3328 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 440 wrote to memory of 3328 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 440 wrote to memory of 3328 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4668 wrote to memory of 7532 N/A C:\Program Files\McAfee\Temp1556999025\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4668 wrote to memory of 7532 N/A C:\Program Files\McAfee\Temp1556999025\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4668 wrote to memory of 5808 N/A C:\Program Files\McAfee\Temp1556999025\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4668 wrote to memory of 5808 N/A C:\Program Files\McAfee\Temp1556999025\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 5808 wrote to memory of 5872 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5808 wrote to memory of 5872 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5808 wrote to memory of 5872 N/A C:\Windows\SYSTEM32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4668 wrote to memory of 3328 N/A C:\Program Files\McAfee\Temp1556999025\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 4668 wrote to memory of 3328 N/A C:\Program Files\McAfee\Temp1556999025\installer.exe C:\Windows\SYSTEM32\regsvr32.exe
PID 5800 wrote to memory of 6572 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Program Files\McAfee\WebAdvisor\UIHost.exe
PID 5800 wrote to memory of 6572 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Program Files\McAfee\WebAdvisor\UIHost.exe
PID 5800 wrote to memory of 6596 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Windows\system32\regsvr32.exe
PID 5800 wrote to memory of 6596 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Windows\system32\regsvr32.exe
PID 3804 wrote to memory of 7236 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Windows\system32\rundll32.exe
PID 3804 wrote to memory of 7236 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Windows\system32\rundll32.exe
PID 5800 wrote to memory of 5568 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Program Files\McAfee\WebAdvisor\updater.exe
PID 5800 wrote to memory of 5568 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Program Files\McAfee\WebAdvisor\updater.exe
PID 7236 wrote to memory of 6100 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\runonce.exe
PID 7236 wrote to memory of 6100 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\runonce.exe
PID 5800 wrote to memory of 5816 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Windows\system32\cmd.exe
PID 5800 wrote to memory of 5816 N/A C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe C:\Windows\system32\cmd.exe
PID 6100 wrote to memory of 6428 N/A C:\Windows\system32\runonce.exe C:\Windows\System32\grpconv.exe
PID 6100 wrote to memory of 6428 N/A C:\Windows\system32\runonce.exe C:\Windows\System32\grpconv.exe
PID 3804 wrote to memory of 6540 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Windows\system32\wevtutil.exe
PID 3804 wrote to memory of 6540 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Windows\system32\wevtutil.exe
PID 3804 wrote to memory of 7056 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Windows\SYSTEM32\fltmc.exe
PID 3804 wrote to memory of 7056 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Windows\SYSTEM32\fltmc.exe
PID 3804 wrote to memory of 7200 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Windows\system32\wevtutil.exe
PID 3804 wrote to memory of 7200 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Windows\system32\wevtutil.exe
PID 3804 wrote to memory of 7360 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\EPP\rsWSC.exe
PID 3804 wrote to memory of 7360 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\EPP\rsWSC.exe
PID 3804 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
PID 3804 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
PID 3804 wrote to memory of 7792 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
PID 3804 wrote to memory of 7792 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
PID 3804 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
PID 3804 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
PID 7376 wrote to memory of 6944 N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe \??\c:\program files\reasonlabs\epp\rsHelper.exe
PID 7376 wrote to memory of 6944 N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe \??\c:\program files\reasonlabs\epp\rsHelper.exe
PID 7376 wrote to memory of 3596 N/A C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe \??\c:\program files\reasonlabs\EPP\ui\EPP.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe

"C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe"

C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp" /SL5="$C0172,837551,832512,C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe"

C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe

"C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe" -ip:"dui=715f25e7-2a26-430a-b7ed-e78cc8643f38&dit=20240624175010&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=&se=true" -i

C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe

"C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB

C:\Users\Admin\AppData\Local\Temp\a0zvdtaz.exe

"C:\Users\Admin\AppData\Local\Temp\a0zvdtaz.exe" /silent

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe

.\UnifiedStub-installer.exe /silent

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10

C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe

"C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Program Files\McAfee\Temp1556999025\installer.exe

"C:\Program Files\McAfee\Temp1556999025\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1184 -ip 1184

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 924

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1184 -ip 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 924

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe

"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"

C:\Windows\SYSTEM32\regsvr32.exe

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"

C:\Program Files\McAfee\WebAdvisor\UIHost.exe

"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe /S "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

C:\Program Files\McAfee\WebAdvisor\updater.exe

"C:\Program Files\McAfee\WebAdvisor\updater.exe"

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml

C:\Windows\SYSTEM32\fltmc.exe

"fltmc.exe" load rsKernelEngine

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe

"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe

"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i -i

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe

"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"

\??\c:\program files\reasonlabs\epp\rsHelper.exe

"c:\program files\reasonlabs\epp\rsHelper.exe"

\??\c:\program files\reasonlabs\EPP\ui\EPP.exe

"c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2216 --field-trial-handle=2220,i,6876852814135468676,12682958247538623469,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2628 --field-trial-handle=2220,i,6876852814135468676,12682958247538623469,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2792 --field-trial-handle=2220,i,6876852814135468676,12682958247538623469,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3952 --field-trial-handle=2220,i,6876852814135468676,12682958247538623469,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4360 --field-trial-handle=2220,i,6876852814135468676,12682958247538623469,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1

C:\program files\reasonlabs\epp\rsLitmus.A.exe

"C:\program files\reasonlabs\epp\rsLitmus.A.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network


Files

memory/4080-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4080-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SQFQ5.tmp\fasttracker-6.2-installer_1wy-uW1.tmp

MD5 4c1e527a47de5b237d85f519b6748983
SHA1 0a713b5db112cd59d5e63636bbcdf4aeede6d9bb
SHA256 982523e61fa4bfa26ca4fb08e797fbe2b30e5c44edf2c5d9df64bf08ed88a37a
SHA512 161d392221d74331b461e39d981af79ff554733bfee086ae5feef1ecd79633dd25a4b107c16262718b665b225c57316876c7cc77238048544718c9d6f620d51f

memory/1184-6-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\mainlogo.jpg

MD5 95b6b60effa572b1486e71907a11278b
SHA1 25952d54f4b515bfcd981b9d78ce466442345e1d
SHA256 262bd6a50d8d2be0c6412e0dc51620d1e90c72d9ad381d41456e59fbb9001fd8
SHA512 13f663fc4177697b3d74567a4f203fd47bc9d3fed41405e37280670f35bca389cc7864e039ba8a34719909735a088dd8b2a6b114285a224230b65e487cdb509a

memory/1184-19-0x00000000034D0000-0x0000000003610000-memory.dmp

memory/1184-20-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\RAV_Cross.png

MD5 4167c79312b27c8002cbeea023fe8cb5
SHA1 fda8a34c9eba906993a336d01557801a68ac6681
SHA256 c3bf350627b842bed55e6a72ab53da15719b4f33c267a6a132cb99ff6afe3cd8
SHA512 4815746e5e30cbef626228601f957d993752a3d45130feeda335690b7d21ed3d6d6a6dc0ad68a1d5ba584b05791053a4fc7e9ac7b64abd47feaa8d3b919353bb

memory/1184-24-0x00000000034D0000-0x0000000003610000-memory.dmp

memory/1184-25-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\WebAdvisor.png

MD5 5fd73821f3f097d177009d88dfd33605
SHA1 1bacbbfe59727fa26ffa261fb8002f4b70a7e653
SHA256 a6ecce54116936ca27d4be9797e32bf2f3cfc7e41519a23032992970fbd9d3ba
SHA512 1769a6dfaa30aac5997f8d37f1df3ed4aab5bbee2abbcb30bde4230afed02e1ea9e81720b60f093a4c7fb15e22ee15a3a71ff7b84f052f6759640734af976e02

memory/1184-29-0x00000000034D0000-0x0000000003610000-memory.dmp

memory/4080-30-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1184-32-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component0.exe

MD5 639a0e1cd3ca0d6ecad5a318a3f912a6
SHA1 6cfe1634d31f1bf27e10ac4bf51d1c2c72413a14
SHA256 2e56c537b281a2f47b7df465729b47d81e95ee7819145d93ddf89c24df773ff3
SHA512 40ac2b81c28358668b5b5269da949d76cf35d82d0c48d66e2b0e4dc1fe0d958b958a0e48a01e0216a637130c17e081aedbe95ee8f95473102505a9aa8ecff1e7

memory/1108-51-0x000001AD120C0000-0x000001AD120C8000-memory.dmp

memory/1108-52-0x00007FFA4C103000-0x00007FFA4C105000-memory.dmp

memory/1108-53-0x000001AD2C9F0000-0x000001AD2CF18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1.zip

MD5 f68008b70822bd28c82d13a289deb418
SHA1 06abbe109ba6dfd4153d76cd65bfffae129c41d8
SHA256 cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589
SHA512 fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

memory/1108-71-0x00007FFA4C100000-0x00007FFA4CBC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\saBSI.exe

MD5 143255618462a577de27286a272584e1
SHA1 efc032a6822bc57bcd0c9662a6a062be45f11acb
SHA256 f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4
SHA512 c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

C:\Users\Admin\Downloads\fasttracker-6.2-installer.exe

MD5 d630ca803a0c67a86e2e507e039c83c0
SHA1 d09d1413eb10922c78053055c6831c339889f403
SHA256 6e0b53904ddce7f3e73371bbcf014983f9d4d2c688af191fd22d03faba3e1a61
SHA512 8b23e6149e9e069c8c349ec77bba692cd83b37c0066492e04641776f956f32ad6641ed070901e92392ef6831fc7677a814e5de114297049406ddabb546c160fd

memory/1184-97-0x00000000034D0000-0x0000000003610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a0zvdtaz.exe

MD5 32c293b5c2aa08af68145558a38c0ea0
SHA1 638c5c558e7d65b82a857ebb264e3573f12cb6ca
SHA256 09baa819c87170cdcda9f7ea22ff33560b9407510cef3f0ffc3081e0d6879218
SHA512 1e09cef82d7aabe8b9c22821833138175319be91d93cca7e8edbc59c542264e90c435f3e162890633f9ffd2c3c17359b866890860016e993a0be440abe325753

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\UnifiedStub-installer.exe

MD5 c7fe1eb6a82b9ffaaf8dca0d86def7ca
SHA1 3cd3d6592bbe9c06d51589e483cce814bab095ee
SHA256 61d225eefb7d7af3519a7e251217a7f803a07a6ddf42c278417c140b15d04b0b
SHA512 348a48b41c2978e48ddbeb8b46ad63ef7dde805a5998f1730594899792462762a9eee6e4fe474389923d6b995eca6518c58563f9d1765087b7ac05ce2d91c096

memory/3804-222-0x000001B480170000-0x000001B480280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\rsStubLib.dll

MD5 fa4e3d9b299da1abc5f33f1fb00bfa4f
SHA1 9919b46034b9eff849af8b34bc48aa39fb5b6386
SHA256 9631939542e366730a9284a63f1d0d5459c77ec0b3d94de41196f719fc642a96
SHA512 d21cf55d6b537ef9882eacd737e153812c0990e6bdea44f5352dfe0b1320e530f89f150662e88db63bedf7f691a11d89f432a3c32c8a14d1eb5fc99387420680

memory/3804-224-0x000001B49A6A0000-0x000001B49A6E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\rsLogger.dll

MD5 f55948a2538a1ab3f6edfeefba1a68ad
SHA1 a0f4827983f1bf05da9825007b922c9f4d0b2920
SHA256 de487eda80e7f3bce9cd553bc2a766985e169c3a2cae9e31730644b8a2a4ad26
SHA512 e9b52a9f90baecb922c23df9c6925b231827b8a953479e13f098d5e2c0dabd67263eeeced9a304a80b597010b863055f16196e0923922fef2a63eb000cff04c9

memory/3804-226-0x000001B480660000-0x000001B480690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\rsJSON.dll

MD5 927934736c03a05209cb3dcc575daf6a
SHA1 a95562897311122bb451791d6e4749bf49d8275f
SHA256 589c228e22dab9b848a9bd91292394e3bef327d16b4c8fdd1cc37133eb7d2da7
SHA512 12d4a116aee39eb53a6be1078d4f56f0ebd9d88b8777c7bd5c0a549ab5cff1db7f963914552ef0a68ff1096b1e1dc0f378f2d7e03ff97d2850ca6b766c4d6683

memory/3804-228-0x000001B49A6F0000-0x000001B49A72A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\rsAtom.dll

MD5 f5cf4f3e8deddc2bf3967b6bff3e4499
SHA1 0b236042602a645c5068f44f8fcbcc000c673bfe
SHA256 9d31024a76dcad5e2b39810dff530450ee5a1b3ecbc08c72523e6e7ea7365a0b
SHA512 48905a9ff4a2ec31a605030485925a8048e7b79ad3319391bc248f8f022813801d82eb2ff9900ebcb82812f16d89fdff767efa3d087303df07c6c66d2dcb2473

memory/3804-230-0x000001B49A7A0000-0x000001B49A7CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\Microsoft.Win32.TaskScheduler.dll

MD5 87d7fb0770406bc9b4dc292fa9e1e116
SHA1 6c2d9d5e290df29cf4d95a4564da541489a92511
SHA256 aaeb1eacbdaeb5425fd4b5c28ce2fd3714f065756664fa9f812afdc367fbbb46
SHA512 25f7c875899c1f0b67f1ecee82fe436b54c9a615f3e26a6bec6233eb37f27ca09ae5ce7cf3df9c3902207e1d5ddd394be21a7b20608adb0f730128be978bec9b

memory/3804-235-0x000001B49B1A0000-0x000001B49B1F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\uninstall-epp.exe

MD5 8157d03d4cd74d7df9f49555a04f4272
SHA1 eae3dad1a3794c884fae0d92b101f55393153f4e
SHA256 cdf775b4d83864b071dbcfeed6d5da930a9f065919d195bb801b6ffaf9645b74
SHA512 64a764068810a49a8d3191bc534cd6d7031e636ae306d2204af478b35d102012d8c7e502ed31af88280689012dc8e6afd3f7b2a1fe1e25da6142388713b67fa7

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\rsSyncSvc.exe

MD5 cc7167823d2d6d25e121fc437ae6a596
SHA1 559c334cd3986879947653b7b37e139e0c3c6262
SHA256 6138d9ea038014b293dac1c8fde8c0d051c0435c72cd6e7df08b2f095b27d916
SHA512 d4945c528e4687af03b40c27f29b3cbf1a8d1daf0ee7de10cd0cb19288b7bc47fae979e1462b3fa03692bf67da51ab6fa562eb0e30b73e55828f3735bbfffa48

memory/1184-251-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8NFNN.tmp\component1_extract\installer.exe

MD5 cbdc702ec44e244b2cb764ec3a82efcc
SHA1 3ac7e0652509171d905f06423c979a5c0d16ba1e
SHA256 2f97de96c50d73bcdcbff95fed75b2763207c8fc144d6367d2ec954c1e966b8b
SHA512 8ef13a28201c448215fc241cda74bb032c4a0c29a777de6aed32eeee8a5c428f3899a42ec74a408faee6535d08f7796d216c0bb1454fa2a67480c6a4e6ace9c6

C:\Program Files\McAfee\Temp1556999025\installer.exe

MD5 7cdab43bc1b360d42a143943c700bbae
SHA1 9210afd1e6616bfdd20dd71c7379d1cadfeab966
SHA256 580a2098951e804ad5cb726fbc0e78ed09464910769fa277330a3f78c0703a51
SHA512 ed28a4eec8e35aa0786f960e87079929b9fcb154b3b184f4051178a42d678eac438914f3144b9a1ff4e0c0a7a74171b594eb1ddf5d8180708677cbb7444486cb

C:\Users\Admin\AppData\Local\Temp\mwa9BE2.tmp

MD5 662de59677aecac08c7f75f978c399da
SHA1 1f85d6be1fa846e4bc90f7a29540466cf3422d24
SHA256 1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb
SHA512 e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

C:\Program Files\McAfee\Temp1556999025\analyticsmanager.cab

MD5 c60ce68c2ab0f0a472f4c4d04a8d54ae
SHA1 0e56defd42bf0b3ee29432e3cdc3fbbdb9d27dfe
SHA256 c5941c0d7db0b94fd30034d13ec69e9ece6133b43481d99f8d1c36236f363515
SHA512 733a9b9805e0c255f858d1052af5d75c54a004756e10e351f2ac2983fd1502a71e06daf947e17c49eb3784d01dfabf0d8b6008c56b0ed8ac74c928cd35ab3441

C:\Program Files\McAfee\Temp1556999025\analyticstelemetry.cab

MD5 25ada6efda1551f01db355065e53faae
SHA1 6e822cefc2dc0177ea9ad002958c218b0fae52bc
SHA256 2dfb8800d7d6e2ca15d4b6124e1bc1ffef6d17fd5d355a4fab29c68291645f96
SHA512 38a5fb07f63d49db0afbf67935e0afd5e1fc2097511cc048789a07546980d296a979febce125dee61770ed69ad749fcc814dbd47184655d7e314f4c43d541bd5

C:\Program Files\McAfee\Temp1556999025\browserhost.cab

MD5 f2d4152850d4e2ceb0f318f2f11cf021
SHA1 004dc3db926cff0345d91a3fdd3bd241b9ddd0f6
SHA256 f1933558644045dbc893cef9a23d735b5a45ae7350696c1da9faab616638f56d
SHA512 f7692e406698ab617e859df616621b03f4227b0c43b41ac984e4302021f275fddc650d640d8864fe05b0886b742d4beddbdbfeabe62d4a22de8ef7f2f7264041

memory/4668-429-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-428-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-427-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-426-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

C:\Program Files\McAfee\Temp1556999025\browserplugin.cab

MD5 5b946a56491375ea87a336d07c648ab9
SHA1 f9c5cca74f03936d172ae8d8e7c532c95ee8be10
SHA256 a459c1c14309214cc705871932f6aff9b95df2c95024a8ec6caeae18ced49c29
SHA512 0e3d09a425827d7e1c88b63c9bd7614751e9445daab2118aceedd9ab0dc2493e0167180cb01d295b446954bc77ca926d144f958578fea77aeff4e8d54c1dcf98

memory/4668-431-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

C:\Program Files\McAfee\Temp1556999025\eventmanager.cab

MD5 570b642237d02474854bcf1dcb17b762
SHA1 12a7b4306775a555cb9a6135cbe5a9a3dba9ff4c
SHA256 fa8e179685aeff6cbe9578ae2f3e34a5bcb045b5697d5b7e3416ec2ef8a25881
SHA512 e98cc2b45caae213acd3062f3c8b1b82a71cc124a8910f2ab6a463a2628d832d9dca17e6f2e5f933287c668538d70486635f3d7efec093889ea107c20fd0a919

memory/4668-434-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

C:\Program Files\McAfee\Temp1556999025\downloadscan.cab

MD5 5eaf2b2662a9926d835fcd1e0016facf
SHA1 0d9ca8500393479fa954d0519ac39aedd07fda32
SHA256 70d1d190ddc32a61576bf2454fdf066348d3076c1a83918bc76e90224f68ba02
SHA512 873a5b7c0da923aa79f8733a9e42600a6d794f536edde8c3bfc8da19f853cfcb879d88529a43b96b8ef1d9c94f051564f783c00b4c24ceccd39a6850289ec399

C:\Program Files\McAfee\Temp1556999025\l10n.cab

MD5 9064bf5ea7cb9acd2a4b5efb0dd90a2a
SHA1 a142a9281c3ddac96186b1b7c7a1ff6ba0ef3dda
SHA256 8a2aa601fa77e3587e153840c1896028422335e9b3b2fd00fdc462f677e0c687
SHA512 362bf6865c0586e8001566fc5cfde2decefd24fccbe93339090d9f816ab4203b4476bfb378ebd69b25c2bd8bb5b7c1ca7aa4cbb284888b43e37d4adf86fffbc3

C:\Program Files\McAfee\Temp1556999025\logicmodule.cab

MD5 59f879d459c452486543ff8f84981710
SHA1 4f56f3a41be2a44adb5ad0e4a01fd9b808df49c0
SHA256 73c5bf76c7f680b0f28b969a9748a3cd7923e1f84eb00484ea5929276e839f8c
SHA512 f9b9d614f4f5692a0c024ccf3b79fd21e2f9d7e6dc951da01c6745d57322b0f2f5e33efcad6e222eef2244a5312b8faee300e73d3855bb78e2217fe850341477

C:\Program Files\McAfee\Temp1556999025\lookupmanager.cab

MD5 182315f2c8bbf146aae9706d3720f492
SHA1 cf1c2e2982f97d9e2d8fc1f285d56dd3f485e954
SHA256 173c4f5b70453c0fd1c175841418d4cad4d669f373f99bbdce1fdc1440ba2bdb
SHA512 7f378afe22bb4a2330d6704f253ab4da2d3f571a719e672dea7e0d88b644a895cb883c5154b0bbc40e302b3d8d7307dff0ef9fe2c7dc79c2ba963a2932d37718

C:\Program Files\McAfee\Temp1556999025\mfw.cab

MD5 a47358e143069bf156ff5d0196743453
SHA1 9ee25fdb797e5663e2285a405dea937e6314e20b
SHA256 299e548ac813083d8d0da9d01d93eb15f2c56a378e960b193dd53d05e2dc0357
SHA512 2d7213b6274377a9b73f10ac830381824e9655871b3baef0a053e58d2fd7dc0803861655349f75f76884cb4f457b11ff465bf1ee9edee121ba4e908fbb4a2bea

C:\Program Files\McAfee\Temp1556999025\settingmanager.cab

MD5 f4f68e7c5316e9e9cf76ce7b9b0867cb
SHA1 634e06d92c94dbf65f5f26e06d1545ea4efd3d0a
SHA256 f976526198d9118096957713437b5270659f09a8d287ea083cc507f11ca90481
SHA512 22b48d6e66d6213621abcb0980561905b1a7ce9fd7bcdf1e071a1385a5837614031d6ea7f273ccc30362c6d12877b21a60e6dec51f7325728c2f58729faca1ce

C:\Program Files\McAfee\Temp1556999025\taskmanager.cab

MD5 cd4b69e388f6b680a0d04a5940eb36cf
SHA1 9c152ce13aed8f9445d5914a073c93acaceb8c80
SHA256 6830cc14efd636047f7a1301c8d6bcab6d9eb683a5d502e5cd191de27e77e8d5
SHA512 e0f76bbf3d4f77a87c6dd736b428c7619eaee0917917df3670ab9d500a0071d3f3619f0c8c28fd8f671bd4cfba4ac8bfcbe387479261ff9d7bc3e044cc4b6220

C:\Program Files\McAfee\Temp1556999025\telemetry.cab

MD5 dcc3f40c89f258943b3f26e425bc63d3
SHA1 ad555e3a3eb1cc793e7433a59f4654f8b59998e4
SHA256 35ee6e6f96ee2cc217cd5f9651b46675b8daffa61611619ba5dcbc8a4b2310d7
SHA512 289326921d13a9d0b541227906cc3398d0ec25d1965d17bea23935d5e7a3e154a461765637d9ebc5d5c243aba76acefc4a578c8cb51597521869394a28e35440

C:\Program Files\McAfee\Temp1556999025\uninstaller.cab

MD5 58e66a3132b71966d526408bf053aea6
SHA1 c8a889894109d4ba27fc9de537a9186d8cb551b1
SHA256 492aa5a00eeead55003a75d941a0d8a692d4492157d118b9d5f278c21346a2ad
SHA512 e75fc150bb8d2c17c781f44333c83dc20b3b128c6e31b4093bca4aa178d3d145fbc734e35b8e5fd384ea5290226e00f53ca3ea32a6aabf95bd32ae6ba7f3d751

C:\Program Files\McAfee\Temp1556999025\wataskmanager.cab

MD5 83fdfd5906b8f776f556a7cd4b0cfc79
SHA1 09696e7177a338c841ef15b3aabd398c37c171c5
SHA256 e0932739847297b5748e85a61e48c0a94467f9f05f4ea77603ade094d188a5fe
SHA512 aec2e035ce9b8208357c921a20f98927733991c26780b53897a17b63fc496f4b5b0b8db7142ea8905c72129f33555697269f46e86b086172ab3854ee3077bc68

memory/4668-483-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-511-0x00007FF747250000-0x00007FF747260000-memory.dmp

memory/4668-691-0x00007FF728F20000-0x00007FF728F30000-memory.dmp

C:\Program Files\McAfee\WebAdvisor\x64\wssdep.dll

MD5 f7b6141a80401b7d4c405f2253ce3aa2
SHA1 b6b61e24cef962569c6c528ec75c11796300345d
SHA256 ffe92952600acb50f4b2bb89b5648ff370078561209536b7e4aa86e93ace8111
SHA512 a69566a1b48daca191e6ee2cc41cd1a5ebcba925ae8139f75f8d9e290a604c17af42c069054b4bb467f1ca802cd93a42fc3d07174bad9745373eb499fa3eedc7

memory/1184-1369-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Program Files\McAfee\WebAdvisor\win32\wssdep.dll

MD5 1808c799122958a5b478e4abdddcb838
SHA1 2ec4421167ae928a7eaf6100395613e1d7563a01
SHA256 eb799222e804a3c43b6ebf8df37e98a21409a9db21f628871a8666271c9f3677
SHA512 bfc21270b2b3dcd12a7dc7a4d004a4b9b35d96d9510b6501db40c316104e62aa04492f4d98a2ce3dd120abacf6b87a61b86e7f1940d69a9f22b09cf999cc4e59

memory/4668-690-0x00007FF747250000-0x00007FF747260000-memory.dmp

memory/4668-688-0x00007FF747250000-0x00007FF747260000-memory.dmp

memory/4668-686-0x00007FF748980000-0x00007FF748990000-memory.dmp

memory/4668-681-0x00007FF748980000-0x00007FF748990000-memory.dmp

memory/4668-673-0x00007FF747250000-0x00007FF747260000-memory.dmp

memory/4668-652-0x00007FF748980000-0x00007FF748990000-memory.dmp

memory/4668-650-0x00007FF748980000-0x00007FF748990000-memory.dmp

memory/4668-636-0x00007FF728F20000-0x00007FF728F30000-memory.dmp

memory/4668-632-0x00007FF728F20000-0x00007FF728F30000-memory.dmp

memory/4668-627-0x00007FF748980000-0x00007FF748990000-memory.dmp

memory/4668-608-0x00007FF728F20000-0x00007FF728F30000-memory.dmp

memory/4668-606-0x00007FF728F20000-0x00007FF728F30000-memory.dmp

memory/4668-604-0x00007FF728F20000-0x00007FF728F30000-memory.dmp

memory/4668-599-0x00007FF728F20000-0x00007FF728F30000-memory.dmp

memory/4668-592-0x00007FF728F20000-0x00007FF728F30000-memory.dmp

memory/4668-562-0x00007FF747250000-0x00007FF747260000-memory.dmp

memory/4668-560-0x00007FF747250000-0x00007FF747260000-memory.dmp

memory/4668-552-0x00007FF747250000-0x00007FF747260000-memory.dmp

memory/4668-550-0x00007FF747250000-0x00007FF747260000-memory.dmp

memory/4668-544-0x00007FF747250000-0x00007FF747260000-memory.dmp

memory/4668-521-0x00007FF73A320000-0x00007FF73A330000-memory.dmp

memory/4668-492-0x00007FF734DC0000-0x00007FF734DD0000-memory.dmp

memory/4668-484-0x00007FF7401A0000-0x00007FF7401B0000-memory.dmp

memory/4668-482-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-481-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-480-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-479-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-478-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-477-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-476-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-475-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-474-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-473-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-472-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-471-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-470-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

C:\Program Files\McAfee\Temp1556999025\wssdep.cab

MD5 2b87c7525f87ea3d4f18b17375bd03fe
SHA1 f1ab1cc42f22053d8851ff1c0a40ac914d38706e
SHA256 103a3ce8057afa38a649df47bb459026da92ea21b39ee31fd14695d25915f184
SHA512 f9394679e6c716bf118b80f82cde4895c52f4b48dca91fa2c7bfe14aab4c9393038925e6f62ffd352c1276d3360e4b8c9fdb928d7854d3178e6bcb1123e34294

C:\Program Files\McAfee\Temp1556999025\webadvisor.cab

MD5 72be294cc14fdd5572b7a6e4b8c96291
SHA1 788f89db5cf5f6d37a3c8c527ceabdea207c51ea
SHA256 d5630c05cb77c9c615e955235806c71ad6656d95b6fb07369fc1e52fd4c755f7
SHA512 30c7d73e744fccbb9bcdcef22dba031546745e12a30b60ccea1bc700edf8893f5404510b80eaacf6d962cb629bea13cdf728ea2c17bf5cbb7823f8ee90e400ee

C:\Program Files\McAfee\Temp1556999025\updater.cab

MD5 270ce6ac663a87823b1c7a1d6a873f39
SHA1 078e465b4ffc3bf6e31783ed0eea0cf3bb7a5903
SHA256 6db54fab1cc49e2fb6a149185e06cf501a65e53383af312af45f03a3fbf70988
SHA512 0a2b0daa7df69abca23de43755355f70772433f77b02a335701c41e0da57c01292ae0004ff438054eb89ff77826cfb375505e07d6ca2495bc922b6876c7c6eeb

C:\Program Files\McAfee\Temp1556999025\uimanager.cab

MD5 359da3a49e3ef9174ed856351359cca1
SHA1 2e9358a989446983d1f9b57916d11ee8215c2117
SHA256 d15efe76438d6baf5adcebda27ec122d84a7140b50b098455441a1cc25c37aff
SHA512 7b0807d6cc145c77f3b9765ab8c6347d0830acfb25ccdca8217f71c0fd5b5f67334b4223e777135c414a710e0be6d76b08e048716633dddc8a285e7ef0ba59f7

C:\Program Files\McAfee\Temp1556999025\uihost.cab

MD5 98a08e9dc50955d9ea25c43703e02c30
SHA1 4753d84de777b7ebeda8496fc4c3e3f464464604
SHA256 a603254dfbd9dff3e08b61dc4656ce44f567468c7f2a12171788db8088e694f9
SHA512 a0038d1d6029c996ec60d4ceacd290b040d36659c670fa622fbc3d92650b66e3caeea9aa335ebb9cfc8daa927a0d21be4bb8ba49c6ddb94d784c377bdc98874d

memory/4668-457-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-455-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-453-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

C:\Program Files\McAfee\Temp1556999025\servicehost.cab

MD5 33ee0d702b93bb125fc9b0ac7338dd65
SHA1 d9933eef5c69162c39eee600d907bc5fb5b9c243
SHA256 39ff5b0efef548d16ca7f8e5bc64a10c9fe0b2687042acb8a81063fa4114f24a
SHA512 494abfee3e92a1934fbf87de9c38a474bc80ab5374094cb616699a3c9fde0a54556952a56062c12fad3a592e718e53d454b7da04e466f2a1de6ebf5fd28074fb

C:\Program Files\McAfee\Temp1556999025\resourcedll.cab

MD5 701d3416051f03ece40b51d97482642d
SHA1 9e484b8dd494dec3ea07ec5e210d5a22ac8d50c6
SHA256 0822181f90d70c0172d715e45c3fc277604d0035947b72be10fefdd33d5b2eb3
SHA512 65d5e901c3fd0abcf1ba4919e7d7cf95dad98920789284278ae48cac23bb6776552b625ff5da448d6c024db80b11437bc61385ebbc618a9eb765b5ea36dd737e

memory/4668-448-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

C:\Program Files\McAfee\Temp1556999025\mfw-webadvisor.cab

MD5 2dd394a5a4385ebb09c3cd47be84c0a4
SHA1 d9ca7feb947776ca5fb6f2260fe29de763c2216b
SHA256 3c09814cf00e096773875e1d2d402bb35412ab0e62a3a24006b1757552fbddf0
SHA512 9dc5f1a3436aa58558ae031e5bd5fd0f443f416923425a9e4bcbb22a509ef81da603310c9f962f6a3e8465feb95797a3c3df81086f617d7e8e4f1d8bc7ba2e43

memory/4668-446-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-445-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

C:\Program Files\McAfee\Temp1556999025\mfw-nps.cab

MD5 f8b177c8ca906c97c8ac9999ad9366ab
SHA1 ac1227646dc1df0bfedc430abb8bcdb6d5cfb066
SHA256 427a030c28264bcf224703b7ae439a405be762c797aaf988342b2409a5c3bf40
SHA512 af105f43d497f63b28792a0fa23f630267bb671dbc814f6b82815c58458a281251a7948b871d4ad3b8cc5b2501cd28653427b6e954d3a1d0d2138f98d57e59fa

C:\Program Files\McAfee\Temp1556999025\mfw-mwb.cab

MD5 4574be184f0eb83b10106c7cb4789bab
SHA1 ef7eccd4a3c89a598b0ca421a255f25b74c1c909
SHA256 a2de49125043942f1e7611b670a5316bfa4cc6e29cd84de0371f822fb88b976f
SHA512 995c6dabd71cbb928a29733cdc367fcfc5aaa6b613b9e6fc2269a8e46bfdca70418e8d3f41987bedfee1f002cffb3833dc726beafa995f809aa4764a80d53e1c

memory/4668-441-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

C:\Program Files\McAfee\Temp1556999025\logicscripts.cab

MD5 f3d9744bc01d08dc8981b0d2bc054fff
SHA1 e3bcbd89982144ececf7ec07f41551f982da5966
SHA256 f23c6a8782ea8da307ca628dc9f8c4551808d0c59317ee966b190b7462719ad1
SHA512 22e5d3b28ee18965b0eab4c2474e33caab52311dc53639b528b2ac7b7ffcfa259222615471fc3e5c432f9f00fb1c899ec96dcbc9127dfa20b4a95bb9e9e71d82

memory/4668-438-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

memory/4668-437-0x00007FF773CC0000-0x00007FF773CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\ArchiveUtilityx64.dll

MD5 c70238bd9fb1a0b38f50a30be7623eb7
SHA1 17b1452d783ed9fae8ff00f1290498c397810d45
SHA256 88fb2446d4eac42a41036354006afadfca5acd38a0811110f7337dc5ec434884
SHA512 dd77e5c5cf0bf76ba480eb4682c965d0030171a7b7a165a6d1c3ba49895bc13388d17ddbb0fe3ac5d47b3d7d8110942c0d5b40e2fe3df0a022e051696ec4feb6

C:\Program Files\McAfee\WebAdvisor\servicehost.exe

MD5 76027a5320029c3c9142b2a161d15db6
SHA1 28fd700106515c05dd201c92d2adcd4197552369
SHA256 1e884f809c1694dda2b8f72821150551d081df986390407ad3e5dfee0aeb9bc2
SHA512 9843daa1c4803a04c10d95464cecfab12247117ef320596df356395ab7002f9a3b7dbffd5c312d737fdb816a65c95ffbff854c6c71eb878d91c85515315c2003

C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll

MD5 b0ae5ded4622cdbbe31ca82523ba7485
SHA1 926200c448534756f8f23fb76f92a2f8d3bbbb72
SHA256 bfc67e45e5649303a955aa52cf7cd77a858664331522d8985c9bf29a7b87c2cf
SHA512 53b91159bd53705ff1745b76242d0f675e89119954ee32886b60ce9759d6b335823c916d321aea49f62591e975a1770862d2c0fdfbaa467c723af3b69da14ec9

C:\Program Files\McAfee\WebAdvisor\SettingManager.dll

MD5 02c54ec347d843f0a1955f2e6f357ed6
SHA1 db990e68fce21c96f08c963c471dbd5caabafd26
SHA256 e2bcdb6f727696b41a61caf8ab57c70f768ffacb1916fc74dd4f3909e5547d29
SHA512 4e044ed0a61f13e02fdfaa33579e1ad9ccbd06154d3bbf50bf14201ca7b8e7c993ab08dadabdc41aec18b643a063f18d29ca64c23242b5ee2de66ec0d636df9b

C:\Program Files\McAfee\WebAdvisor\AnalyticsManager.dll

MD5 a99aa46a8a120002421eed9e5e516adc
SHA1 62a6e2bac4242103b928a862a77b38cf3f13244b
SHA256 e2c2838adc5164d641d2c9a503c53e285b92837f34649d32a5b86e2f6a231ef5
SHA512 0cb3b809c294cc367bf3584921009d75392a4d0dfa6cb6f95446ff108a716b72e4e22072bb600a3b26e38a25e9bc161efd139f18044a8486257f5d21c798a21c

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 3301e3ff7c2912f6c16caacec0be7e4d
SHA1 74add4e040942b54654eb84ef116b1dfce78ef26
SHA256 565e32999690f70c63729d84990b2bc7d5bd479225780bc1dd4b6cc59143fa4b
SHA512 5ad424e5862915cdc1afa53721a79ce6f068bb725ead303fb33e4a4435cd3404e8f21ecb9efd5f88c029e7c104f5e3e90de076d95093d6c63c6761981359f9fc

C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

MD5 2382bad9d260c17c233bb4b07c154b8e
SHA1 1da4b93570163f8cbb46944f380a39737fb8e39c
SHA256 87ac93611689cda98c54991e03c8b6a0bb7a28dc6a8e32c190f7a145f1cc8dbc
SHA512 f1bac0b23e010612d2c5e4b489bfca19e710f4ced9eba79a3de249f6d314a48bf807bd7fe4b7688850fae05ddb2c3b197d9f565f1de74fc480dcc8193b069859

C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

MD5 d62c864d08f2aa6c26563c212d21bb50
SHA1 ac6b4d69c2a054574a0e0bade498e200ed8cd663
SHA256 9cc5886f54da4671cd296089764f4665566d28668fa7eaba9c7ca78875d34372
SHA512 4044fb52099de83fde9338f73c17aeeba75ba4a403c12a53c47d8fefb303a3a203df928e91a66f2407b05a30979dbd5a3dbf0b5c995bc56754d171fdd87e11f0

C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

MD5 c7ca71a7f472503fd07dd8674e70907a
SHA1 c30ba3338ccc2c5b0eec860f64064dbcb6cf698c
SHA256 70bf1ff3b3d6c8f2b0fd141253569f606aca663a21e80cd479049a7346ec600b
SHA512 11943457887df84fa6dd33e1e90ea5f88c3b938eed668bb70e7502d8017a560cdda79e9602135a3e76d276567808192c34093d07de1dc80e8262a7c931ea5a7a

C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

MD5 747e9fea893d38221e003fff69ca1581
SHA1 071a0dbf2fca5a685aaa459c364ed1db2113b16d
SHA256 28957f90652e842e5705125b10b56be5b53f818be212e5c2c764fb4491c3227a
SHA512 eda637a69b128c3f46e190945abee5fb632d5460ca482273266138088b2e66ed42c76bade8724eda37389129555c07740c5e58548cb55400218d157e34042d5f

C:\Program Files\ReasonLabs\EPP\mc.dll

MD5 eaeca6b0b5d667fb2eb511bc10efd72c
SHA1 65656fb5325d9142e6405bb9cc3bfc0b91fece99
SHA256 f62dfbfd9c53204a6217407279f22bfc55b46258a27cf5198357e5e1cba72a43
SHA512 0e06e8ccfa3e765d8b6f4d1c521b0ae06ff174f3a885e440f99787d5760f8646b130bdb9e9f2f5db5f7281873862e0a874b4b7232095637326b3079a531920e2

C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

MD5 1c54a439d22e2dd58798712bdd1f2997
SHA1 33e4ab63aafa949c9bd9f1c4cd8c9381b4a97c64
SHA256 c0ce2aafdbf664383f6b6403e0c73a6a311733a1d3180baa4314c31bc2a62980
SHA512 89857fac027a2ad88499fbc8db9e491719814afc1bfdc8fa593a4516573212f86d598878b2757c541a3fe8d469c7c255b7c14bf25069035d269cc93b2bbfa128

C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

MD5 09cb0f4f077adc38f8af8550eed69319
SHA1 c97cb066a313df0c9384782924c15eb50ad5e1a7
SHA256 af4cc3bfebb4f886c77ae9140c3c47d7274fb720db31f16240f42d79050101dc
SHA512 bca50e8b975789a17faa2114ce2c66955cf7bd0d6cbbefe14e8416031e2f352fce542521bf545d64b270034980fd58a99c5ba690a9cccc018f44c8785b2fd69c

memory/3804-2399-0x000001B49B410000-0x000001B49B466000-memory.dmp

memory/3804-4025-0x000001B49B470000-0x000001B49B4AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\ff13b2fd-567f-4ccd-9a7d-2574f0f8616d\UnifiedStub-installer.exe\assembly\tmp\JVJBOLTX\rsJSON.DLL

MD5 2ec13fba08ff20ac219f762509a766ff
SHA1 7a62fda6e3ca22d1edd181eca1c1a090accd1b28
SHA256 a66998441cf5a6be98d78abe2d2f3121012b7b30a45ffc9111dbd812c9a6d795
SHA512 86f2e480ef397ac48e376115f65c06d9b41e5daae2d98e27480cadb13474d86fa3acea20f9ced640344b3c6d3a5f4bc3072b8b529e55c52ac793da9d2c09dbff

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\ff13b2fd-567f-4ccd-9a7d-2574f0f8616d\UnifiedStub-installer.exe\assembly\dl3\3c3bc133\4fec910b_5fc6da01\rsLogger.DLL

MD5 bdf6337eef10d89ead58c97c4cc86eac
SHA1 d7ec026d4587bce1efd0fbd9d1d0099f6410b8e4
SHA256 247f904657ae110f6158598725de7de006318822e2f4739c6dc3407347a839cf
SHA512 185da0bb41b85192c7e79537d8796a8a56b0314a2f90a6a9f1fb9146bd673050e30315b4a7f1f50d090962fed334a76a49932e392ac44d3857d6997998f9b0cf

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\ff13b2fd-567f-4ccd-9a7d-2574f0f8616d\UnifiedStub-installer.exe\assembly\dl3\b8d26b4a\06288d0b_5fc6da01\rsAtom.DLL

MD5 ff00eb531015f056aa090d84c51cbeb5
SHA1 3eefa935448df905cdb9bbc8caf64e681185d638
SHA256 3ad34654b29f9b72c110a1e02f8b49546603a16175bb78e3635ab767dcc4c81c
SHA512 1e2c0bd5650717d3318b06ab22c2371ebbe734fef90b220ecdc14b79caa64022c166c799c7e5657ac0523ec9706424a67237942897feee775df2bdc98640afdb

C:\Users\Admin\AppData\Local\Temp\7zS89CCC147\ff13b2fd-567f-4ccd-9a7d-2574f0f8616d\UnifiedStub-installer.exe\assembly\dl3\fea8153b\4fec910b_5fc6da01\rsServiceController.DLL

MD5 9da18dc90cdc783e4d0c503949f25375
SHA1 ed0be1a19eb6391abe073901d6b54ef8292418a4
SHA256 4e7c131ee4c738212d3a6944543ae9a12c4edbbc5a892b39dc070292ad9fac47
SHA512 9f151d9d36f88aa01c9161874957ebd0a26735c8cd2eb5e7bd96930aecc6e556af56c644e84910a3e6b8aa644d4d63871f23ffe7fb48e7fd7c23e5bb3d1c0f5f

C:\Program Files\ReasonLabs\EPP\rsEngine.config

MD5 7d5bfa735b37c024084376ffc80265ab
SHA1 bc174aed63f19aee2eaa7356e2a87faf7d00834e
SHA256 6bf70561c66fe78df0d7453ce789b0f176a9bc229b2997821a24904c733d1a74
SHA512 5441f765d32da2ba20e9440177619abb91cf7c75d004616cf3103b5b864ab7f012140d7a0d48ffef7998af5b813b15eb6f56778a5c77a7adc5e16a4dbadf9571

C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys

MD5 8129c96d6ebdaebbe771ee034555bf8f
SHA1 9b41fb541a273086d3eef0ba4149f88022efbaff
SHA256 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51
SHA512 ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 43fbbd79c6a85b1dfb782c199ff1f0e7
SHA1 cad46a3de56cd064e32b79c07ced5abec6bc1543
SHA256 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0
SHA512 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

MD5 2afb72ff4eb694325bc55e2b0b2d5592
SHA1 ba1d4f70eaa44ce0e1856b9b43487279286f76c9
SHA256 41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e
SHA512 5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

MD5 1068bade1997666697dc1bd5b3481755
SHA1 4e530b9b09d01240d6800714640f45f8ec87a343
SHA256 3e9b9f8ed00c5197cb2c251eb0943013f58dca44e6219a1f9767d596b4aa2a51
SHA512 35dfd91771fd7930889ff466b45731404066c280c94494e1d51127cc60b342c638f333caa901429ad812e7ccee7530af15057e871ed5f1d3730454836337b329

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState

MD5 362ce475f5d1e84641bad999c16727a0
SHA1 6b613c73acb58d259c6379bd820cca6f785cc812
SHA256 1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA512 7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

MD5 6895e7ce1a11e92604b53b2f6503564e
SHA1 6a69c00679d2afdaf56fe50d50d6036ccb1e570f
SHA256 3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177
SHA512 314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt

MD5 11fa8018ede46aae6bc6be4b9063f37b
SHA1 a36cd81e4df15eaa9ee65f9d2e003af2539f6ffc
SHA256 acd9dfc29f180f0b37a3b3b32b469b6c1a8e08b85c302938064616ffb5168f9e
SHA512 2ca83642a693e738ad9995a80b5779fc33e44538e16054c72561c6473e97fad0c4c41c40ab3250d47dbc0729aab7a38af817717234dc25fd26993143b12d492f

C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

MD5 10a8f2f82452e5aaf2484d7230ec5758
SHA1 1bf814ddace7c3915547c2085f14e361bbd91959
SHA256 97bffb5fc024494f5b4ad1e50fdb8fad37559c05e5d177107895de0a1741b50b
SHA512 6df8953699e8f5ccff900074fd302d5eb7cad9a55d257ac1ef2cb3b60ba1c54afe74aee62dc4b06b3f6edf14617c2d236749357c5e80c5a13d4f9afcb4efa097

C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

MD5 d13bddae18c3ee69e044ccf845e92116
SHA1 31129f1e8074a4259f38641d4f74f02ca980ec60
SHA256 1fac07374505f68520aa60852e3a3a656449fceacb7476df7414c73f394ad9e0
SHA512 70b2b752c2a61dcf52f0aadcd0ab0fdf4d06dc140aee6520a8c9d428379deb9fdcc101140c37029d2bac65a6cfcf5ed4216db45e4a162acbc7c8c8b666cd15dd

C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

MD5 afb68bc4ae0b7040878a0b0c2a5177de
SHA1 ed4cac2f19b504a8fe27ad05805dd03aa552654e
SHA256 76e6f11076cc48eb453abbdbd616c1c46f280d2b4c521c906adf12bb3129067b
SHA512 ebc4c1f2da977d359791859495f9e37b05491e47d39e88a001cb6f2b7b1836b1470b6904c026142c2b1b4fe835560017641d6810a7e8a5c89766e55dd26e8c43

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.31.5\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\mc\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\mc\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\mc\GPUCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\mc\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\mc\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\mc\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt

MD5 a926e4102cd31193b6e772791ac90a2e
SHA1 9a7f4a2ba87aeaa68f0f6deab21188c70179048c
SHA256 53ef647a6ab08f36740435a146fb9ea0e70ffc3293a61e85d62b02f6ffd391a6
SHA512 ea4b59d967c860fe85da89f146cbe45a9acca6737b9ea6756fa51c9d2270e30d1f0cf9d248baf5cb6499a96dcb20b6011697444ba0edd9d5ef7d6544fb79ebd5

C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\b75c9a4e-4b12-428d-ab87-89c70f40a8af.tmp

MD5 ab6e2081ead37c6d56982b8ee852b0de
SHA1 5b5752c31b781008eaa67866dcabb6998d9dbfd7
SHA256 7792ce529797b645f6724606c10ef6453c92846b3d9677e69e4b4c5639516143
SHA512 81032f002a9c986d07b48fac22afedd71be6d76bfb93e7384b7910840661bb0f5e91dd58b774d2f2f6f8c0d8a8c758b24ec5b253cf400ae259d27bd54168e970

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 17:50

Reported

2024-06-24 17:51

Platform

win11-20240508-en

Max time kernel

62s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe"

Signatures

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\rsElam.sys C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Windows\system32\drivers\rsCamFilter020502.sys C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Windows\system32\drivers\rsKernelEngine.sys C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Windows\system32\drivers\rsElam.sys C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\rundll32.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rsWSC.exe.log C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll.config C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\OSExtensions.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.Extensions.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.sys C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ru.pak C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\rsAssistant.exe C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Xml.XPath.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Primitives.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\rsWSCClient.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Resources.Writer.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.InteropServices.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\rsLogger.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Ransomware.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron-core\node_modules\@reasonsoftware\rsbridgenapi\prebuilds\win32-x64\rsBridgeNapi.node C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Security.SecureString.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Overlapped.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.XDocument.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\rsBridge.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sv.pak C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\tr.pak C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.TypeConverter.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Encoding.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Numerics.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Runtime.Numerics.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fr.pak C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Console.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Data.Common.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Contracts.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Registry.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\af.pak C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Microphone.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File opened for modification C:\Program Files\ReasonLabs\EPP\InstallUtil.InstallLog C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\x64\SQLite.Interop.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\bn.pak C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\amd64\msdia140.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140_1.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Primitives.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XmlDocument.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\ui\app.asar C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\Microsoft.Win32.Primitives.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\rsWSC.InstallState C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.NonGeneric.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Collections.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.ComponentModel.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es.pak C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libGLESv2.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.Reader.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Thread.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Timer.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\ui\manifest.json C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Debug.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vulkan-1.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\rsLitmus.S.exe C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\System.Net.NetworkInformation.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.StackTrace.dll C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\EPP\rsHelper.exe C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
File created C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\da.pak C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = [certificate blob omitted] C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = [certificate blob omitted] C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\fltmc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SYSTEM32\fltmc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ReasonLabs\EPP\rsWSC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp
PID 4500 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp
PID 4500 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp
PID 4104 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe
PID 4104 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe
PID 3608 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe
PID 3608 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe
PID 3608 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe
PID 5052 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe
PID 5052 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe
PID 4372 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
PID 4372 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
PID 4372 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Windows\system32\rundll32.exe
PID 4372 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Windows\system32\rundll32.exe
PID 3732 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\runonce.exe
PID 3732 wrote to memory of 2120 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\runonce.exe
PID 2120 wrote to memory of 756 N/A C:\Windows\system32\runonce.exe C:\Windows\System32\grpconv.exe
PID 2120 wrote to memory of 756 N/A C:\Windows\system32\runonce.exe C:\Windows\System32\grpconv.exe
PID 4372 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Windows\system32\wevtutil.exe
PID 4372 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Windows\system32\wevtutil.exe
PID 4372 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Windows\SYSTEM32\fltmc.exe
PID 4372 wrote to memory of 5204 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Windows\SYSTEM32\fltmc.exe
PID 4372 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Windows\system32\wevtutil.exe
PID 4372 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Windows\system32\wevtutil.exe
PID 4372 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\EPP\rsWSC.exe
PID 4372 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe C:\Program Files\ReasonLabs\EPP\rsWSC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe

"C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe"

C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp" /SL5="$80236,837551,832512,C:\Users\Admin\AppData\Local\Temp\fasttracker-6.2-installer_1wy-uW1.exe"

C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe

"C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe" -ip:"dui=15439030-dbba-449d-b460-326ebc585651&dit=20240624175017&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=&se=true" -i

C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe

"C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe" /silent

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe

.\UnifiedStub-installer.exe /silent

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml

C:\Windows\SYSTEM32\fltmc.exe

"fltmc.exe" load rsKernelEngine

C:\Windows\system32\wevtutil.exe

"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1468

Network

Country Destination Domain Proto
US 8.8.8.8:53 d2dbdb0phbn9qb.cloudfront.net udp
DE 18.66.121.153:443 d2dbdb0phbn9qb.cloudfront.net tcp
DE 18.66.121.153:443 d2dbdb0phbn9qb.cloudfront.net tcp
US 23.219.230.135:443 images.sftcdn.net tcp
US 8.8.8.8:53 135.230.219.23.in-addr.arpa udp
US 199.232.194.133:443 gsf-fl.softonic.com tcp
US 18.172.112.38:443 shield.reasonsecurity.com tcp
US 18.172.112.38:443 shield.reasonsecurity.com tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 13.224.189.78:443 update.reasonsecurity.com tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 3.214.152.143:443 track.analytics-data.io tcp
DE 18.66.102.10:443 electron-shell.reasonsecurity.com tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 8.8.8.8:53 cdn.reasonsecurity.com udp
DE 52.222.214.28:443 cdn.reasonsecurity.com tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 3.214.152.143:443 track.analytics-data.io tcp
US 3.214.152.143:443 track.analytics-data.io tcp

Files

memory/4500-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4500-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LA4QR.tmp\fasttracker-6.2-installer_1wy-uW1.tmp

MD5 4c1e527a47de5b237d85f519b6748983
SHA1 0a713b5db112cd59d5e63636bbcdf4aeede6d9bb
SHA256 982523e61fa4bfa26ca4fb08e797fbe2b30e5c44edf2c5d9df64bf08ed88a37a
SHA512 161d392221d74331b461e39d981af79ff554733bfee086ae5feef1ecd79633dd25a4b107c16262718b665b225c57316876c7cc77238048544718c9d6f620d51f

memory/4104-6-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\mainlogo.jpg

MD5 95b6b60effa572b1486e71907a11278b
SHA1 25952d54f4b515bfcd981b9d78ce466442345e1d
SHA256 262bd6a50d8d2be0c6412e0dc51620d1e90c72d9ad381d41456e59fbb9001fd8
SHA512 13f663fc4177697b3d74567a4f203fd47bc9d3fed41405e37280670f35bca389cc7864e039ba8a34719909735a088dd8b2a6b114285a224230b65e487cdb509a

memory/4104-19-0x0000000004330000-0x0000000004470000-memory.dmp

memory/4104-20-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4500-21-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\RAV_Cross.png

MD5 4167c79312b27c8002cbeea023fe8cb5
SHA1 fda8a34c9eba906993a336d01557801a68ac6681
SHA256 c3bf350627b842bed55e6a72ab53da15719b4f33c267a6a132cb99ff6afe3cd8
SHA512 4815746e5e30cbef626228601f957d993752a3d45130feeda335690b7d21ed3d6d6a6dc0ad68a1d5ba584b05791053a4fc7e9ac7b64abd47feaa8d3b919353bb

memory/4104-26-0x0000000004330000-0x0000000004470000-memory.dmp

memory/4104-27-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\WebAdvisor.png

MD5 5fd73821f3f097d177009d88dfd33605
SHA1 1bacbbfe59727fa26ffa261fb8002f4b70a7e653
SHA256 a6ecce54116936ca27d4be9797e32bf2f3cfc7e41519a23032992970fbd9d3ba
SHA512 1769a6dfaa30aac5997f8d37f1df3ed4aab5bbee2abbcb30bde4230afed02e1ea9e81720b60f093a4c7fb15e22ee15a3a71ff7b84f052f6759640734af976e02

memory/4104-31-0x0000000004330000-0x0000000004470000-memory.dmp

memory/4104-32-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HOT12.tmp\component0.exe

MD5 8e3d737cde4844f38b5e736941d2eaf4
SHA1 dccb1cbebaffc5c13e78c2d89d1c8b43a514a740
SHA256 0f531e875adea8a245a17c0dbcad17e7b713034bac9a82d0f30a581935593746
SHA512 6b386ee9949783ad6b2fbe79e8f7baac62fd67cda9bff15093d88843ab7216cf091831051531ee7dd0c98ea5f76708c514e1fb7a268b5132b973b58c14fdb937

memory/3608-49-0x000001C39DCB0000-0x000001C39DCB8000-memory.dmp

memory/3608-50-0x00007FF864593000-0x00007FF864595000-memory.dmp

memory/3608-51-0x000001C3B86A0000-0x000001C3B8BC8000-memory.dmp

C:\Users\Admin\Downloads\fasttracker-6.2-installer.exe

MD5 d630ca803a0c67a86e2e507e039c83c0
SHA1 d09d1413eb10922c78053055c6831c339889f403
SHA256 6e0b53904ddce7f3e73371bbcf014983f9d4d2c688af191fd22d03faba3e1a61
SHA512 8b23e6149e9e069c8c349ec77bba692cd83b37c0066492e04641776f956f32ad6641ed070901e92392ef6831fc7677a814e5de114297049406ddabb546c160fd

memory/4104-63-0x0000000004330000-0x0000000004470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tn5imf1o.exe

MD5 bc5548e67a82cdb750999c3d063d4447
SHA1 2c75e8df3e99271cc72bbd604fdcf5093e6a4094
SHA256 39e812b4d3b37f017228a9347aba4b13592267f521751d7ac4f6c692f1e9804e
SHA512 930d26dd6caa502b7310accb17fdc16ffcb36b1d49ee624a1802fde50b6e8ef13f3e86ff02af014c2962a4a2e58b74cbb9b8f2471493c45bbc0655d56ba88922

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\UnifiedStub-installer.exe

MD5 c7fe1eb6a82b9ffaaf8dca0d86def7ca
SHA1 3cd3d6592bbe9c06d51589e483cce814bab095ee
SHA256 61d225eefb7d7af3519a7e251217a7f803a07a6ddf42c278417c140b15d04b0b
SHA512 348a48b41c2978e48ddbeb8b46ad63ef7dde805a5998f1730594899792462762a9eee6e4fe474389923d6b995eca6518c58563f9d1765087b7ac05ce2d91c096

memory/4372-188-0x000002319EF90000-0x000002319F0A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\rsStubLib.dll

MD5 fa4e3d9b299da1abc5f33f1fb00bfa4f
SHA1 9919b46034b9eff849af8b34bc48aa39fb5b6386
SHA256 9631939542e366730a9284a63f1d0d5459c77ec0b3d94de41196f719fc642a96
SHA512 d21cf55d6b537ef9882eacd737e153812c0990e6bdea44f5352dfe0b1320e530f89f150662e88db63bedf7f691a11d89f432a3c32c8a14d1eb5fc99387420680

memory/4372-190-0x00000231A0E20000-0x00000231A0E62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\rsLogger.dll

MD5 f55948a2538a1ab3f6edfeefba1a68ad
SHA1 a0f4827983f1bf05da9825007b922c9f4d0b2920
SHA256 de487eda80e7f3bce9cd553bc2a766985e169c3a2cae9e31730644b8a2a4ad26
SHA512 e9b52a9f90baecb922c23df9c6925b231827b8a953479e13f098d5e2c0dabd67263eeeced9a304a80b597010b863055f16196e0923922fef2a63eb000cff04c9

memory/4372-192-0x000002319F4F0000-0x000002319F520000-memory.dmp

memory/4372-194-0x00000231BA180000-0x00000231BA1BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\rsJSON.dll

MD5 927934736c03a05209cb3dcc575daf6a
SHA1 a95562897311122bb451791d6e4749bf49d8275f
SHA256 589c228e22dab9b848a9bd91292394e3bef327d16b4c8fdd1cc37133eb7d2da7
SHA512 12d4a116aee39eb53a6be1078d4f56f0ebd9d88b8777c7bd5c0a549ab5cff1db7f963914552ef0a68ff1096b1e1dc0f378f2d7e03ff97d2850ca6b766c4d6683

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\rsAtom.dll

MD5 f5cf4f3e8deddc2bf3967b6bff3e4499
SHA1 0b236042602a645c5068f44f8fcbcc000c673bfe
SHA256 9d31024a76dcad5e2b39810dff530450ee5a1b3ecbc08c72523e6e7ea7365a0b
SHA512 48905a9ff4a2ec31a605030485925a8048e7b79ad3319391bc248f8f022813801d82eb2ff9900ebcb82812f16d89fdff767efa3d087303df07c6c66d2dcb2473

memory/4372-196-0x00000231BA140000-0x00000231BA16A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\uninstall-epp.exe

MD5 8157d03d4cd74d7df9f49555a04f4272
SHA1 eae3dad1a3794c884fae0d92b101f55393153f4e
SHA256 cdf775b4d83864b071dbcfeed6d5da930a9f065919d195bb801b6ffaf9645b74
SHA512 64a764068810a49a8d3191bc534cd6d7031e636ae306d2204af478b35d102012d8c7e502ed31af88280689012dc8e6afd3f7b2a1fe1e25da6142388713b67fa7

memory/4372-201-0x00000231BA8E0000-0x00000231BA938000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\Microsoft.Win32.TaskScheduler.dll

MD5 87d7fb0770406bc9b4dc292fa9e1e116
SHA1 6c2d9d5e290df29cf4d95a4564da541489a92511
SHA256 aaeb1eacbdaeb5425fd4b5c28ce2fd3714f065756664fa9f812afdc367fbbb46
SHA512 25f7c875899c1f0b67f1ecee82fe436b54c9a615f3e26a6bec6233eb37f27ca09ae5ce7cf3df9c3902207e1d5ddd394be21a7b20608adb0f730128be978bec9b

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\rsSyncSvc.exe

MD5 cc7167823d2d6d25e121fc437ae6a596
SHA1 559c334cd3986879947653b7b37e139e0c3c6262
SHA256 6138d9ea038014b293dac1c8fde8c0d051c0435c72cd6e7df08b2f095b27d916
SHA512 d4945c528e4687af03b40c27f29b3cbf1a8d1daf0ee7de10cd0cb19288b7bc47fae979e1462b3fa03692bf67da51ab6fa562eb0e30b73e55828f3735bbfffa48

memory/4104-217-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4104-218-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\ArchiveUtilityx64.dll

MD5 c70238bd9fb1a0b38f50a30be7623eb7
SHA1 17b1452d783ed9fae8ff00f1290498c397810d45
SHA256 88fb2446d4eac42a41036354006afadfca5acd38a0811110f7337dc5ec434884
SHA512 dd77e5c5cf0bf76ba480eb4682c965d0030171a7b7a165a6d1c3ba49895bc13388d17ddbb0fe3ac5d47b3d7d8110942c0d5b40e2fe3df0a022e051696ec4feb6

C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

MD5 1c54a439d22e2dd58798712bdd1f2997
SHA1 33e4ab63aafa949c9bd9f1c4cd8c9381b4a97c64
SHA256 c0ce2aafdbf664383f6b6403e0c73a6a311733a1d3180baa4314c31bc2a62980
SHA512 89857fac027a2ad88499fbc8db9e491719814afc1bfdc8fa593a4516573212f86d598878b2757c541a3fe8d469c7c255b7c14bf25069035d269cc93b2bbfa128

C:\Program Files\ReasonLabs\EPP\mc.dll

MD5 eaeca6b0b5d667fb2eb511bc10efd72c
SHA1 65656fb5325d9142e6405bb9cc3bfc0b91fece99
SHA256 f62dfbfd9c53204a6217407279f22bfc55b46258a27cf5198357e5e1cba72a43
SHA512 0e06e8ccfa3e765d8b6f4d1c521b0ae06ff174f3a885e440f99787d5760f8646b130bdb9e9f2f5db5f7281873862e0a874b4b7232095637326b3079a531920e2

C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

MD5 747e9fea893d38221e003fff69ca1581
SHA1 071a0dbf2fca5a685aaa459c364ed1db2113b16d
SHA256 28957f90652e842e5705125b10b56be5b53f818be212e5c2c764fb4491c3227a
SHA512 eda637a69b128c3f46e190945abee5fb632d5460ca482273266138088b2e66ed42c76bade8724eda37389129555c07740c5e58548cb55400218d157e34042d5f

C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

MD5 09cb0f4f077adc38f8af8550eed69319
SHA1 c97cb066a313df0c9384782924c15eb50ad5e1a7
SHA256 af4cc3bfebb4f886c77ae9140c3c47d7274fb720db31f16240f42d79050101dc
SHA512 bca50e8b975789a17faa2114ce2c66955cf7bd0d6cbbefe14e8416031e2f352fce542521bf545d64b270034980fd58a99c5ba690a9cccc018f44c8785b2fd69c

memory/4372-665-0x00000231BA6C0000-0x00000231BA716000-memory.dmp

memory/4372-671-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-683-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-717-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-715-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-713-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-711-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-707-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-705-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-703-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-702-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-699-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-697-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-695-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-693-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-689-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-687-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-685-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-681-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-679-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-677-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-675-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-673-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-669-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-667-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-709-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-691-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

memory/4372-666-0x00000231BA6C0000-0x00000231BA715000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\e5c2f4f8-8380-4e31-b5ca-8142f77b2d1d\UnifiedStub-installer.exe\assembly\dl3\ac29aa62\b1ab020d_5fc6da01\rsJSON.DLL

MD5 2ec13fba08ff20ac219f762509a766ff
SHA1 7a62fda6e3ca22d1edd181eca1c1a090accd1b28
SHA256 a66998441cf5a6be98d78abe2d2f3121012b7b30a45ffc9111dbd812c9a6d795
SHA512 86f2e480ef397ac48e376115f65c06d9b41e5daae2d98e27480cadb13474d86fa3acea20f9ced640344b3c6d3a5f4bc3072b8b529e55c52ac793da9d2c09dbff

memory/4372-2291-0x00000231BA720000-0x00000231BA75A000-memory.dmp

memory/4372-2302-0x00000231BA7A0000-0x00000231BA7D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\e5c2f4f8-8380-4e31-b5ca-8142f77b2d1d\UnifiedStub-installer.exe\assembly\dl3\1f71dab3\b1ab020d_5fc6da01\rsLogger.DLL

MD5 bdf6337eef10d89ead58c97c4cc86eac
SHA1 d7ec026d4587bce1efd0fbd9d1d0099f6410b8e4
SHA256 247f904657ae110f6158598725de7de006318822e2f4739c6dc3407347a839cf
SHA512 185da0bb41b85192c7e79537d8796a8a56b0314a2f90a6a9f1fb9146bd673050e30315b4a7f1f50d090962fed334a76a49932e392ac44d3857d6997998f9b0cf

memory/4372-2314-0x00000231BA7A0000-0x00000231BA7CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\e5c2f4f8-8380-4e31-b5ca-8142f77b2d1d\UnifiedStub-installer.exe\assembly\dl3\1442ae55\79e7fd0c_5fc6da01\rsAtom.DLL

MD5 ff00eb531015f056aa090d84c51cbeb5
SHA1 3eefa935448df905cdb9bbc8caf64e681185d638
SHA256 3ad34654b29f9b72c110a1e02f8b49546603a16175bb78e3635ab767dcc4c81c
SHA512 1e2c0bd5650717d3318b06ab22c2371ebbe734fef90b220ecdc14b79caa64022c166c799c7e5657ac0523ec9706424a67237942897feee775df2bdc98640afdb

C:\Program Files\ReasonLabs\EPP\rsEngine.config

MD5 7d5bfa735b37c024084376ffc80265ab
SHA1 bc174aed63f19aee2eaa7356e2a87faf7d00834e
SHA256 6bf70561c66fe78df0d7453ce789b0f176a9bc229b2997821a24904c733d1a74
SHA512 5441f765d32da2ba20e9440177619abb91cf7c75d004616cf3103b5b864ab7f012140d7a0d48ffef7998af5b813b15eb6f56778a5c77a7adc5e16a4dbadf9571

memory/4372-2327-0x00000231BA940000-0x00000231BA96E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCB3938B7\e5c2f4f8-8380-4e31-b5ca-8142f77b2d1d\UnifiedStub-installer.exe\assembly\dl3\e1e52707\b1ab020d_5fc6da01\rsServiceController.DLL

MD5 9da18dc90cdc783e4d0c503949f25375
SHA1 ed0be1a19eb6391abe073901d6b54ef8292418a4
SHA256 4e7c131ee4c738212d3a6944543ae9a12c4edbbc5a892b39dc070292ad9fac47
SHA512 9f151d9d36f88aa01c9161874957ebd0a26735c8cd2eb5e7bd96930aecc6e556af56c644e84910a3e6b8aa644d4d63871f23ffe7fb48e7fd7c23e5bb3d1c0f5f

C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

MD5 e8ef8570898c8ed883b4f9354d8207ae
SHA1 5cc645ef9926fd6a3e85dbc87d62e7d62ab8246d
SHA256 edc8579dea9faf89275f0a0babea442ed1c6dcc7b4f436424e6e495c6805d988
SHA512 971dd20773288c7d68fb19b39f9f5ed4af15868ba564814199d149c32f6e16f1fd3da05de0f3c2ada02c0f3d1ff665b1b7d13ce91d2164e01b77ce1a125de397

C:\Windows\System32\drivers\rsElam.sys

MD5 8129c96d6ebdaebbe771ee034555bf8f
SHA1 9b41fb541a273086d3eef0ba4149f88022efbaff
SHA256 8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51
SHA512 ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

C:\Program Files\ReasonLabs\EPP\rsWSC.exe

MD5 d439318e84314e7106b12f7fbf319926
SHA1 cb75082c5f9c370dd37c5740c54356b779ecf6f6
SHA256 982447e4c68bfef3183968a0e3f46d69821183834354da837cdf75659680919f
SHA512 d24fa01cbfe028e9d71e209ee3340ea33322fd8130bd95b37459851a0aea8e03768f999b44bf1f1344fd52ea0c0fb805ab4ad309f09b02d49daa0e302566f0b4

memory/1228-2358-0x000002672AB80000-0x000002672ABAE000-memory.dmp

memory/1228-2359-0x000002672AB80000-0x000002672ABAE000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 b2ec2559e28da042f6baa8d4c4822ad5
SHA1 3bda8d045c2f8a6daeb7b59bf52295d5107bf819
SHA256 115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3
SHA512 11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

memory/1228-2372-0x000002672C7D0000-0x000002672C7E2000-memory.dmp

memory/1228-2373-0x000002672C830000-0x000002672C86C000-memory.dmp

C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

MD5 43fbbd79c6a85b1dfb782c199ff1f0e7
SHA1 cad46a3de56cd064e32b79c07ced5abec6bc1543
SHA256 19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0
SHA512 79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

memory/6464-2394-0x00000240FB870000-0x00000240FBBD6000-memory.dmp

memory/6464-2395-0x00000240FB500000-0x00000240FB67C000-memory.dmp

memory/6464-2396-0x00000240E2C00000-0x00000240E2C1A000-memory.dmp

memory/6464-2397-0x00000240E2C50000-0x00000240E2C72000-memory.dmp

memory/4104-2419-0x0000000000400000-0x000000000071C000-memory.dmp