cobaltstrike | hxxps://dobfilesdownloadpl[.]com/De6wGhP/QrRt/7-zip-6628578519647873-AsystentPobierania[.]exe

Analysis

max time kernel
103s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dobfilesdownloadpl.com/De6wGhP/QrRt/7-zip-6628578519647873-AsystentPobierania.exe

Score

10^/10

cobaltstrike backdoor discovery persistence spyware stealer trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000800000002389c-4690.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x000700000002389d-4691.dat	disable_win_def

Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	UnifiedStub-installer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEDRSvc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	rsStubActivator.exe

Executes dropped EXE 14 IoCs

pid	Process
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
3256	rsStubActivator.exe
1016	iclyt33y.exe
5388	UnifiedStub-installer.exe
5584	rsSyncSvc.exe
5648	rsSyncSvc.exe
8800	rsWSC.exe
9096	rsWSC.exe
6920	rsClientSvc.exe
5724	rsClientSvc.exe
6080	rsEngineSvc.exe
5556	rsEngineSvc.exe
6280	rsEDRSvc.exe
7144	rsEDRSvc.exe

Loads dropped DLL 5 IoCs

pid	Process
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5556	rsEngineSvc.exe
7144	rsEDRSvc.exe
5388	UnifiedStub-installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000800000002389c-4690.dat	autoit_exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	rsEDRSvc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ReasonLabs\EPP\rsJSON.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\x64\lz4_x64.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallState	rsEngineSvc.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\am.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\sk.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\amd64\msdia140.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.Tools.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Text.Encoding.Extensions.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsHelper.exe.config	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.FastSerialization.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.ComponentModel.EventBasedAsync.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsRemediation.exe.config	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Security.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.CompilerServices.VisualC.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsRemediation.exe	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Collections.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\rsTime.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TraceSource.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.IO.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Net.Primitives.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\cs.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\snapshot_blob.bin	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngineSvc.RPC.RPCServer.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\arm64\KernelTraceControl.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\arm64\msdia140.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.IO.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.ReaderWriter.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\hu.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sw.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsLogger.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.Extensions.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\icudtl.dat	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Resources.ResourceManager.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\Newtonsoft.Json.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Scan.Detections.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.RPCClient.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Net.WebHeaderCollection.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\es.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\chrome_200_percent.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\zh-TW.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Primitives.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Xml.XmlSerializer.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\de.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exe	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Process.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Client.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Wsc.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\rsLogger.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Watcher.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.API.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\lt.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\vulkan-1.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Runtime.Serialization.Xml.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.IO.FileSystem.Watcher.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\es-419.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsWSC.InstallState	rsWSC.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\en-US.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\OSExtensions.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XPath.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\Microsoft.Diagnostics.FastSerialization.dll	UnifiedStub-installer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iclyt33y.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rsEDRSvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsEDRSvc.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 040000000100000010000000866912c070f1ecacacc2d5bca55ba1290f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e720b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079002000520053004100000009000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b0601050507030862000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69140000000100000014000000dd040907a2f57a7d5253129295ee3880250da6591d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb190000000100000010000000787d09f953c59978ecd8d6e44b38e24f2000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	UnifiedStub-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 4b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa25c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9040000000100000010000000285ec909c4ab0d2d57f5086b225799aa1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c2000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B7AB3308D1EA4477BA1480125A6FBDA936490CBB\Blob = 5c000000010000000400000000100000190000000100000010000000787d09f953c59978ecd8d6e44b38e24f030000000100000014000000b7ab3308d1ea4477ba1480125a6fbda936490cbb1d00000001000000100000000d48ee33d7f1af8f4b002527f82a344a140000000100000014000000dd040907a2f57a7d5253129295ee3880250da65962000000010000002000000085666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b6909000000010000004c000000304a06082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080b0000000100000052000000530053004c002e0063006f006d00200052006f006f0074002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900200052005300410000000f0000000100000020000000489ff6233f3d3c5da77604be230745657fe488cb05257da551bfd64c1f179e72040000000100000010000000866912c070f1ecacacc2d5bca55ba1292000000001000000e1050000308205dd308203c5a00302010202087b2c9bd316803299300d06092a864886f70d01010b0500307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f7269747920525341301e170d3136303231323137333933395a170d3431303231323137333933395a307c310b3009060355040613025553310e300c06035504080c0554657861733110300e06035504070c07486f7573746f6e31183016060355040a0c0f53534c20436f72706f726174696f6e3131302f06035504030c2853534c2e636f6d20526f6f742043657274696669636174696f6e20417574686f726974792052534130820222300d06092a864886f70d01010105000382020f003082020a0282020100f90fdda32b7dcbd02afeec6785a6e72e1bba77e1e3f5afa4ecfa4a5d91c457476b18776b76f2fd93e43d0fc2169e0b66c356949e178385ce56eff216fd0062f5220954e865174e41b9e04f4697aa1bc8b86e625e69b15fdb2a027efc6ccaf341d8edd0e8fc3f6148edb003141d100e4b19e0bb4eec8665ff36f35e67020b9d865561fd7a38edfee21900b76fa1506275743ca0fac82592b46e7a22c7f81ea1e3b2dd9131ab2b1d04ffa54a0437e985a4332bfde2d655347c19a44a68c7b2a8d3b7caa19388ebc197bc8cf91dd922842474c7043d6aa92993ccebb85be1fe5f25aa3458c8c123549d1b9811c3389c7e3d866ca50f40867c02f45c024f28cbae719f0f3ac833fe112535eafcbac5603dd97c18d5b2a9d37578037222ca3ac31fef2ce52ea9fa9e2cb65146fdaf03d6ea6068ea8516366b85e91ec0b3ddc424dc802a81416d943ec8e0c98141009e5ebf7fc50898a2182c4240b3f96f38274b4e80f43d8147e0887cea1cceb5755c512e1c2b7f1a7228e700b5d174c6d7e49fad0793b6533535fc37e4c3f65d16be2173de920af8a0636abc96926a3ef8bc65559bdef50d892604fc251aa62569cbc26dca7ce2595f97acebef2ec8bcd71b593c2bccf219c8936b276319cffce926f8ca719b7f93fe3467844e99ebfcb378093370ba66a676ed1b73eb1aa50dc422132094560a4e2c6c4eb1fdcf9c09baa233ed870203010001a3633061301d0603551d0e04160414dd040907a2f57a7d5253129295ee3880250da659300f0603551d130101ff040530030101ff301f0603551d23041830168014dd040907a2f57a7d5253129295ee3880250da659300e0603551d0f0101ff040403020186300d06092a864886f70d01010b050003820201002018119429fb269d1c1e1e7061f19572937124ad6893588e32af1bb37003fc252b7485903d786af4b98ba5973bb51891bb1ea7f9405b91f95599af1e11d05c1da766e3b194070c3239a6ea1bb079d81d9c7044e38addc4f9951f8a38433f0185a547a73d46b2bce52268f77b9cd82c3e0a21c82d33acbfc581993174c17571c5beb1f02345f49d6bfc19639da3bc04c6180b25bb53890fb38050de45ee447fab94786498d3f628dd87d8706574fb0eb913eba70f61a93296ccdebbed634c18bba940f7a0546e2088717518ea7ab43472e02327775cb690ea862540abef330fcb9f82bea220fbf6b52d1ae6c285b1740ffbc86502a4520147dd4922c1bfd8eb6bac7edeec633315b723088fc60f8d415add8ec5b98fe5453f78dbbad21b40b1fe714d3fe081a2ba5eb4ec15e093dd081f7ee155990b21de939e0afbe6a349bd3630fee777b2a07597b52d8188176520f7da90009fc952cc32ca357cf53d0fd82bd7f5266cc906349616ea70591a3279790bb6887f0f52483dbf6cd8a2442ed14eb77258d3891395fe44abf8d78b1b6e9cbc2ca05bd56a00af5f37e1d5fa100b989c86e7268fcef0ec6e8a570b80e34eb2c0a0636190ba556837746ab692db9fa18622b665270eecb69f4260e467c2b5da410bc4d38b611bbcfa1f912bd744075eba29acd9c5e9ef53485aeb80f1285821cdb00655fb273f539070a9041e5727b9	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 367541.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	msedge.exe
2612	msedge.exe
932	msedge.exe
932	msedge.exe
5084	identity_helper.exe
5084	identity_helper.exe
3724	msedge.exe
3724	msedge.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5388	UnifiedStub-installer.exe
5724	rsClientSvc.exe
5724	rsClientSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe
5556	rsEngineSvc.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
8672	fltmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
Token: SeShutdownPrivilege	2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
Token: SeCreatePagefilePrivilege	2284	7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
Token: SeDebugPrivilege	3256	rsStubActivator.exe
Token: SeDebugPrivilege	5388	UnifiedStub-installer.exe
Token: SeShutdownPrivilege	5388	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	5388	UnifiedStub-installer.exe
Token: SeDebugPrivilege	5388	UnifiedStub-installer.exe
Token: SeSecurityPrivilege	8584	wevtutil.exe
Token: SeBackupPrivilege	8584	wevtutil.exe
Token: SeLoadDriverPrivilege	8672	fltmc.exe
Token: SeSecurityPrivilege	8760	wevtutil.exe
Token: SeBackupPrivilege	8760	wevtutil.exe
Token: SeDebugPrivilege	8800	rsWSC.exe
Token: SeDebugPrivilege	9096	rsWSC.exe
Token: SeDebugPrivilege	6080	rsEngineSvc.exe
Token: SeDebugPrivilege	6080	rsEngineSvc.exe
Token: SeDebugPrivilege	6080	rsEngineSvc.exe
Token: SeBackupPrivilege	6080	rsEngineSvc.exe
Token: SeRestorePrivilege	6080	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	6080	rsEngineSvc.exe
Token: SeDebugPrivilege	5556	rsEngineSvc.exe
Token: SeDebugPrivilege	5556	rsEngineSvc.exe
Token: SeDebugPrivilege	5556	rsEngineSvc.exe
Token: SeBackupPrivilege	5556	rsEngineSvc.exe
Token: SeRestorePrivilege	5556	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	5556	rsEngineSvc.exe
Token: SeShutdownPrivilege	5388	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	5388	UnifiedStub-installer.exe
Token: SeDebugPrivilege	7144	rsEDRSvc.exe
Token: SeDebugPrivilege	7144	rsEDRSvc.exe
Token: SeDebugPrivilege	7144	rsEDRSvc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 2424	932	msedge.exe	83
PID 932 wrote to memory of 2424	932	msedge.exe	83
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2444	932	msedge.exe	84
PID 932 wrote to memory of 2612	932	msedge.exe	85
PID 932 wrote to memory of 2612	932	msedge.exe	85
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86
PID 932 wrote to memory of 3120	932	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dobfilesdownloadpl.com/De6wGhP/QrRt/7-zip-6628578519647873-AsystentPobierania.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf89b46f8,0x7ffdf89b4708,0x7ffdf89b4718
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6476 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Users\Admin\Downloads\7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe
  "C:\Users\Admin\Downloads\7-zip-6628578519647873-AsystentPobierania_v3.44.733.944.8.exe"
  2⤵
  - Executes dropped EXE
  - Checks for any installed AV software in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14104341610498334042,13495757276707158704,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4684 /prefetch:2
  2⤵
  PID:5216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\_files\rsStubActivator.exe" -ip:"dui=a28c23107e2f99144fd509943de739f9c4286024&dit=20240916144534728&is_silent=true&oc=DOT_RAV_Cross_Tri_NCB&p=e037&a=100&b=em&se=true" -vp:"dui=a28c23107e2f99144fd509943de739f9c4286024&dit=20240916144534728&oc=DOT_RAV_Cross_Tri_NCB&p=e037&a=100&oip=26&ptl=7&dta=true" -dp:"dui=a28c23107e2f99144fd509943de739f9c4286024&dit=20240916144534728&oc=DOT_RAV_Cross_Tri_NCB&p=e037&a=100" -i -v -d
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3256
- C:\Users\Admin\AppData\Local\Temp\iclyt33y.exe
  "C:\Users\Admin\AppData\Local\Temp\iclyt33y.exe" /silent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\UnifiedStub-installer.exe
    .\UnifiedStub-installer.exe /silent
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5388
  - - C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
      "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
      4⤵
      Executes dropped EXE
      PID:5584
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
      4⤵
      Adds Run key to start application
      PID:8496
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        
        PID:8516
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:8552
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8584
  - - C:\Windows\SYSTEM32\fltmc.exe
      "fltmc.exe" load rsKernelEngine
      4⤵
      Suspicious behavior: LoadsDriver
      Suspicious use of AdjustPrivilegeToken
      PID:8672
  - - C:\Windows\system32\wevtutil.exe
      "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8760
  - - C:\Program Files\ReasonLabs\EPP\rsWSC.exe
      "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:8800
  - - C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
      "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
      4⤵
      Executes dropped EXE
      PID:6920
  - - C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
      "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:6080
  - - C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
      "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
      4⤵
      Executes dropped EXE
      PID:6280
  - - C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
      "C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
      4⤵
      PID:7428
  - - C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
      "C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
      4⤵
      PID:8932
  - - \??\c:\windows\system32\rundll32.exe
      "c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf
      4⤵
      PID:9000
    - - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        
        PID:8908
      - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:5800
  - - C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
      "C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i -i
      4⤵
      PID:5884
  - - C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
      "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -i -service install
      4⤵
      PID:8704
  - - C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
      "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
      4⤵
      PID:4856
  - - C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
      "C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i -i
      4⤵
      PID:7864

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:5648

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:9096

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5724

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5556
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  PID:6736
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  PID:7552
- - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    PID:7700
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,12462538160670981529,1120609750177431896,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1744 /prefetch:2
      4⤵
      PID:7484
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --field-trial-handle=2260,i,12462538160670981529,1120609750177431896,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:3
      4⤵
      PID:9120
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2392,i,12462538160670981529,1120609750177431896,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2388 /prefetch:1
      4⤵
      PID:5784
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3324,i,12462538160670981529,1120609750177431896,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      PID:6280

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7144

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
PID:5320

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
PID:4804
- \??\c:\program files\reasonlabs\VPN\ui\VPN.exe
  "c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
  2⤵
  PID:7724
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
    3⤵
    PID:7752
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2556 --field-trial-handle=2560,i,1520755573190131653,14883369856742724722,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:8860
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=3280 --field-trial-handle=2560,i,1520755573190131653,14883369856742724722,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      PID:9016
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2656 --field-trial-handle=2560,i,1520755573190131653,14883369856742724722,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:9052
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3888 --field-trial-handle=2560,i,1520755573190131653,14883369856742724722,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      PID:7304

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:8020

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
1⤵
PID:9124

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe"
1⤵
PID:5404

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe"
1⤵
PID:8944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
388B

MD5
df6dc5c215aee2c259668e6774dff775

SHA1
06c0f3642e8f03454522cbd7cc77d7f9859f58e9

SHA256
77ba975e26d4cd48d5ac697cbb69598e8ae3e073086d9bcb07dbacbd4227d2a7

SHA512
586b24eb0a9c7fc26204f5c03d28dff5ab80a4fb6e87af337d82c1bf88392c1819f2ee485ddd586e64eb17819a060374a16563dca237e5e6f64e11c42e1b4df2

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
633B

MD5
c80d4a697b5eb7632bc25265e35a4807

SHA1
9117401d6830908d82cbf154aa95976de0d31317

SHA256
afe1e50cc967c3bb284847a996181c22963c3c02db9559174e0a1e4ba503cce4

SHA512
8076b64e126d0a15f6cbde31cee3d6ebf570492e36a178fa581aaa50aa0c1e35f294fef135fa3a3462eedd6f1c4eaa49c373b98ee5a833e9f863fbe6495aa036

Download Submit
C:\Program Files\ReasonLabs\EDR\InstallUtil.InstallLog

Filesize
628B

MD5
789f18acca221d7c91dcb6b0fb1f145f

SHA1
204cc55cd64b6b630746f0d71218ecd8d6ff84ce

SHA256
a5ff0b9a9832b3f5957c9290f83552174b201aeb636964e061273f3a2d502b63

SHA512
eae74f326f7d71a228cae02e4455557ad5ca81e1e28a186bbc4797075d5c79bcb91b5e605ad1d82f3d27e16d0cf172835112ffced2dc84d15281c0185fa4fa62

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
388B

MD5
1068bade1997666697dc1bd5b3481755

SHA1
4e530b9b09d01240d6800714640f45f8ec87a343

SHA256
3e9b9f8ed00c5197cb2c251eb0943013f58dca44e6219a1f9767d596b4aa2a51

SHA512
35dfd91771fd7930889ff466b45731404066c280c94494e1d51127cc60b342c638f333caa901429ad812e7ccee7530af15057e871ed5f1d3730454836337b329

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
633B

MD5
6895e7ce1a11e92604b53b2f6503564e

SHA1
6a69c00679d2afdaf56fe50d50d6036ccb1e570f

SHA256
3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177

SHA512
314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallUtil.InstallLog

Filesize
897B

MD5
f788aa9e098eac0aeea1aad9decb1ee9

SHA1
7a57b0261e5b72cdccf73e19f04049263cb7eae8

SHA256
0fab8fd064c92b334a434ec7959bcd56bc44cf4155c315611edfe4381e0603ca

SHA512
b051eb938012666ca3a9e00a1b1cefb01dd3d7c459ef12962a0ccec88f707113a5345465beb3c429fe7a162896659b9246267f3057d9f50bb34c7d33601e8aef

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
339KB

MD5
030ec41ba701ad46d99072c77866b287

SHA1
37bc437f07aa507572b738edc1e0c16a51e36747

SHA256
d5a78100ebbcd482b5be987eaa572b448015fb644287d25206a07da28eae58f8

SHA512
075417d0845eb54a559bd2dfd8c454a285f430c78822ebe945b38c8d363bc4ccced2c276c8a5dec47f58bb6065b2eac627131a7c60f5ded6e780a2f53d7d4bde

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
e0f93d92ed9b38cab0e69bdbd067ea08

SHA1
065522092674a8192d33dac78578299e38fce206

SHA256
73ad69efeddd3f1e888102487a4e2dc1696ca222954a760297d45571f8d10d31

SHA512
eb8e3e8069ff847b9e8108ad1e9f7bd50aca541fc135fdd2ad440520439e5c856e8d413ea3ad8ba45dc6497ba20d8f881ed83a6b02d438f5d3940e5f47c4725c

Download Submit
C:\Program Files\ReasonLabs\EPP\rsCamilla.Runtime.dll

Filesize
262KB

MD5
e4b0148edb7f31eefe505abe15d0e0f1

SHA1
e216775c8b1b16191f5598485c3a9d01bd8ff1de

SHA256
8039b78d4d14051782798fbd99e4e5f7b8c106e98538de13a1dc801e9f1c929a

SHA512
14bd55abc32e68b01ec34177e27759c912a533b50d978e10c840092560f243354ffb564a2343bb96bb9705b5f09a533e4f3ffaa096af81556219b1b6dd5e28ad

Download Submit
C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe

Filesize
644KB

MD5
cad5635f77954cf79c53060f68505419

SHA1
da9972e32968d2f4d4f226d5936b9289128f4bab

SHA256
7293acf2c5a5b6295066cad3c47abd96bc852c1a60feda0f29d05b14d49ed981

SHA512
5f6aafb47a91f8f41ba572daaf11453f47e5f1675301f44763adffdfe211b5065e0ccb952fba9ab747a16da3f25ab7d6087e5f977efc763f91c26bf53e032670

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
348KB

MD5
41dd1b11942d8ba506cb0d684eb1c87b

SHA1
4913ed2f899c8c20964fb72d5b5d677e666f6c32

SHA256
bd72594711749a9e4f62baabfadfda5a434f7f38d199da6cc13ba774965f26f1

SHA512
3bb1a1362da1153184c7018cb17a24a58dab62b85a8453371625ce995a44f40b65c82523ef14c2198320220f36aafdade95c70eecf033dd095c3eada9dee5c34

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Loggers.Application.dll

Filesize
147KB

MD5
f3e7625f7a6854ceed2b6ff0d1eadf58

SHA1
e8f826fad817c4ccbd69b5346e60d63ef98b1c20

SHA256
845b6db4d3c934f42b95539177c42089d25214efb73827fba854e107595bc039

SHA512
1c453a1ba7db3c19d2662e823cd6b8a751e9610dae8fcd06b8fefd1c42b50fa5cd2a52239114eca99727609c0e4daed595d7e32027ac344d955e45e5569e1bfa

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Utilities.dll

Filesize
2.3MB

MD5
0c6230c64c5f90f989f146669aa95d8a

SHA1
41065171234e96d9fcbd150b4d6f307fdcfcfa9b

SHA256
f1c41625f39de3d15126b11b3087892e1d856d1389c5048f7537d63d878fabdf

SHA512
896e0b3877c5cabdd945a103974932582437eeeddeb3d0e0aa003d89c8085e8e0310a8f869897ab345741587ca86109f6dfa5faa2fc06bf1686dfa6d710d4ce9

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
6KB

MD5
87ac4effc3172b757daf7d189584e50d

SHA1
9c55dd901e1c35d98f70898640436a246a43c5e4

SHA256
21b6f7f9ebb5fae8c5de6610524c28cbd6583ff973c3ca11a420485359177c86

SHA512
8dc5a43145271d0a196d87680007e9cec73054b0c3b8e92837723ce0b666a20019bf1f2029ed96cd45f3a02c688f88b5f97af3edc25e92174c38040ead59eefe

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
406B

MD5
0dd7ab115062ec8b9181580dbd12ff02

SHA1
28a9115deb8d858c2d1e49bec5207597a547ccf0

SHA256
2fe9b5c64e7ef21c1ea477c15eff169189bac30fd2028f84df602f52c8fc6539

SHA512
2c1a4e5ebf7ab056d4510ea56613fec275ca1da8bb15ed8118e9192fc962833e77974a0363538cebf9ab2a1a1ff9486c3078d14b4820c2a8df803f80f94e19f1

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe

Filesize
289KB

MD5
dd2be3c3fbc45b12f63b62c3f4615a68

SHA1
77cbbcfa791dd3ea06b59963423c4a006b16cc31

SHA256
4688e59cc2dfdc0887892f0c5c8794513f48b65cc4e4aa087cca7596b7c72c2d

SHA512
49eb8dc3c48bb972a054db693bfd043569854b16e0c9a7091f253549b63f746cb54c01dd0e9d2ec6a11e8fd1592c912e0d158497b06a1ed264acacd14b1b5329

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe.config

Filesize
17KB

MD5
5ef4dc031d352d4cdcefaf5b37a4843b

SHA1
128285ec63297232b5109587dc97b7c3ebd500a6

SHA256
4b094b7bd38e5bf01900e468ddd545b42369ae510ec2366427804a57da5013a7

SHA512
38b0444e4f07ad0b50891e2b0da6374b0033cb9656a4918e9eaae34e381d95671978d19abbcf2b8fdb079921b85e20dbe2c4392b15984ce6051b48b4a05a172f

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
370B

MD5
b2ec2559e28da042f6baa8d4c4822ad5

SHA1
3bda8d045c2f8a6daeb7b59bf52295d5107bf819

SHA256
115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3

SHA512
11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.exe

Filesize
203KB

MD5
c8c4f7e0fe6b57b00668f611d136e540

SHA1
b923cf9160486f2b481655b29e8c2ecdf067606b

SHA256
08ac4883e676756187d7f05a8bb0a7163f89bfedc68e4338294a795e820f8a81

SHA512
11f27b45e872969fdf3a4988a3087a96f5754ddc57024ac4e3e778105d341111c0b0b5c240c58aa480f6fa9d50089aff0e67a7f9df48164fbd3b7827d3c6da88

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
508e66e07e31905a64632a79c3cab783

SHA1
ad74dd749a2812b9057285ded1475a75219246fa

SHA256
3b156754e1717c8af7fe4c803bc65611c63e1793e4ca6c2f4092750cc406f8e9

SHA512
2976096580c714fb2eb7d35c9a331d03d86296aa4eb895d83b1d2f812adff28f476a32fca82c429edc8bf4bea9af3f3a305866f5a1ab3bbb4322edb73f9c8888

Download Submit
C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf

Filesize
2KB

MD5
e8ef8570898c8ed883b4f9354d8207ae

SHA1
5cc645ef9926fd6a3e85dbc87d62e7d62ab8246d

SHA256
edc8579dea9faf89275f0a0babea442ed1c6dcc7b4f436424e6e495c6805d988

SHA512
971dd20773288c7d68fb19b39f9f5ed4af15868ba564814199d149c32f6e16f1fd3da05de0f3c2ada02c0f3d1ff665b1b7d13ce91d2164e01b77ce1a125de397

Download Submit
C:\Program Files\ReasonLabs\VPN\InstallerLib.dll

Filesize
300KB

MD5
1a779ab36eb5ff63f6271c6b3b3e6229

SHA1
80165ecabaa47a9ea8ba6f827023780f2e2563f6

SHA256
7d775c3d3eb5acff177da52f02ce19fc274090d8482158fd57293fdce51753fa

SHA512
61d468b5cc3829326348c71f3e9aa1cd8825f02d63c96549e501de73a130f68b2388f675d3758dcc7fcc8c7b0c484d2bdeaaeadf0c02504e827fb12aab9fa261

Download Submit
C:\Program Files\ReasonLabs\VPN\Uninstall.exe

Filesize
192KB

MD5
3296a55f409ca8d305c541be731ff335

SHA1
caaf2a1fc7467fc854b39aa494be9e4610c0f336

SHA256
5cc0302ac3ebf1b90a9fe00a592e536f37a62c79765e332ca6c0cfe9a37077c2

SHA512
956395060b193a7c9de4162d4ec3d861c87348afd02f52430973c4e32dfa0546bf1f70fca5b37db4ddd747580b1fac9a02bef38236384ce177b37b9ea70da2f1

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.Core.dll

Filesize
340KB

MD5
76172cb5190205caadb1327127161dc4

SHA1
98a26438cd7f2fb228d62d4b49c2cb1d2a17aed4

SHA256
3ff53609cbe791629fda1d1164be447816cd8f480492fce1b0357a2463497204

SHA512
c083f34cf6e4ea951ac1cefd6136b650befe3be621b9bc6fcc5810e845ec228cc9380d3c6675f9f2fba19574a26036db88163784e8083222ad88ce8e17282657

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.config

Filesize
4KB

MD5
7e38ffc504f5e3e7e407f990ec38d3aa

SHA1
d5b119da4f5994450a36f7a2b0d58c6fa38e872d

SHA256
acd5e8087d9362ece96bae231b0afe38c23c48c817bb036a8da84dbea630e021

SHA512
827db079ae70d139f1bb187fb75f296eaff42aa3830d9dd81b4ed3a3e2cb1a357f282415a4a5961c4759e6173d4264d7068ee05262cd6ecf229f94bd8bf75b0d

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
248B

MD5
5f2d345efb0c3d39c0fde00cf8c78b55

SHA1
12acf8cc19178ce63ac8628d07c4ff4046b2264c

SHA256
bf5f767443e238cf7c314eae04b4466fb7e19601780791dd649b960765432e97

SHA512
d44b5f9859f4f34123f376254c7ad3ba8e0716973d340d0826520b6f5d391e0b4d2773cc165ef82c385c3922d8e56d2599a75e5dc2b92c10dad9d970dce2a18b

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
633B

MD5
db3e60d6fe6416cd77607c8b156de86d

SHA1
47a2051fda09c6df7c393d1a13ee4804c7cf2477

SHA256
d6cafeaaf75a3d2742cd28f8fc7045f2a703823cdc7acb116fa6df68361efccd

SHA512
aec90d563d8f54ac1dbb9e629a63d65f9df91eadc741e78ba22591ca3f47b7a5ff5a105af584d3a644280ff95074a066781e6a86e3eb7b7507a5532801eb52ee

Download Submit
C:\Program Files\ReasonLabs\VPN\ui\VPN.exe

Filesize
431KB

MD5
a923e47f36d933fc49127ce2246a5288

SHA1
f02c5701d88378246380a3e60528b6535fdeb12f

SHA256
148e8a54220850a0589538500cbec6944ff8a9dede1ac78c0228a71577b2e721

SHA512
5a5f9c7e1e9d02853f153fe4d2d175ffefd58ead68635d915865dd497a6e8ad89d877b99d0792007301aaa979408a9d52475821227f83abb31e869e2faa36492

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

Filesize
5.4MB

MD5
f04f4966c7e48c9b31abe276cf69fb0b

SHA1
fa49ba218dd2e3c1b7f2e82996895d968ee5e7ae

SHA256
53996b97e78c61db51ce4cfd7e07e6a2a618c1418c3c0d58fa5e7a0d441b9aaa

SHA512
7c8bb803cc4d71e659e7e142221be2aea421a6ef6907ff6df75ec18a6e086325478f79e67f1adcc9ce9fd96e913e2a306f5285bc8a7b47f24fb324fe07457547

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

Filesize
2.9MB

MD5
2a69f1e892a6be0114dfdc18aaae4462

SHA1
498899ee7240b21da358d9543f5c4df4c58a2c0d

SHA256
b667f411a38e36cebd06d7ef71fdc5a343c181d310e3af26a039f2106d134464

SHA512
021cc359ba4c59ec6b0ca1ea9394cfe4ce5e5ec0ba963171d07cdc281923fb5b026704eeab8453824854d11b758ac635826eccfa5bb1b4c7b079ad88ab38b346

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

Filesize
592KB

MD5
8b314905a6a3aa1927f801fd41622e23

SHA1
0e8f9580d916540bda59e0dceb719b26a8055ab8

SHA256
88dfaf386514c73356a2b92c35e41261cd7fe9aa37f0257bb39701c11ae64c99

SHA512
45450ae3f4a906c509998839704efdec8557933a24e4acaddef5a1e593eaf6f99cbfc2f85fb58ff2669d0c20362bb8345f091a43953e9a8a65ddcf1b5d4a7b8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\009879608CAFAEA3D83BD836A5260DFF_494C964ABB8DFAE54253C96871A2D7F3

Filesize
727B

MD5
b76f19306e007a1b4aa749e057c58adf

SHA1
696815496ed103ef8f78a664bc95cb99d6944c5f

SHA256
be5fea1b083f42f42b7addecec0f1a72fe8c7a8a064c2d9a6a78a2647d2b894f

SHA512
88b647701dce5625624e9e32da9bc81fa913ac30f62e99ff52c2cb5298294d75780043ceb8d84272a6dd37a50337ee63468c851b4334a76bea8e1b66701f39eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\49855FCDFA62840A2838AEF1EFAC3C9B

Filesize
1KB

MD5
e06ec908103507bbd8cceb1410a7d56e

SHA1
18f91868ab04966f84797bfd637d9929e11a10f4

SHA256
de876d7ca8146d6f5d92ad24e4212de42232cbfa4e4cb628255dc60d7154fed3

SHA512
80340332b406e8380ea4dc00f3a773b174cedc44bf153f5b2d29621cbb1473e7394939392202136d3b74b4fff46088ce91ca737c82b355912d617901cb4675ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54C62B182F5BF07FA8427C07B0A3AAF8_C0FCA017E5E8DC85A76F14D75ABCD153

Filesize
727B

MD5
d8280fc05473069335c24f052ce82cb3

SHA1
169bbf69f6c40df9c526c66a31d74573b4431671

SHA256
d3410ef21da3e58115991546619accff3bfc814b5e950129f9831e6f47bb1e1c

SHA512
c2f76733d98defba1fc6fe77480b64bf9b365a645848a5b9fa9112b33d11c2675e12d0f45bb002b33e2a34a18445b8accc46b9f95f7a10d381586d8c4dbbffa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

Filesize
2KB

MD5
a781a72630e070d03f7e0ba9ec0c1e19

SHA1
4d17fc8d007ed5e8babb01ae4a48f449eff75944

SHA256
7d27d97ae81c440e264af05090e488ed8adeb487ddcb68f46e1bd7eea1ff518d

SHA512
01024d292a4b3bc4b030d9ba62b1caa77f0f453f568ef7cc37050477e6fff22912f29df1026fcff7d3134251f25cd67f997b0a4df970b797f4a92972967d5518

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77CF52543AB0ECD9BF6546AAF6AC33DB

Filesize
2KB

MD5
30b422749de52f643d0b82f4fa0eec08

SHA1
53ff45d98808aae7c2edaf7847fa8ae2bb2780a8

SHA256
78e1550525bd380b406698087a3d001970fc6e962f9c355bd999663903162de9

SHA512
6b321219bc2c89ad69c38995ea0514d695da93092dbe6966fbeef27088af5107f056a3e976d2735e49341e49ed2ce913d6ae3c5c0a3ff920a95cdafb4cc63248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7850C7BAFAC9456B4B92328A61976502_E3986D37B77FFFC158DD1695D3C4876D

Filesize
2KB

MD5
8fe099dce699ec98df742fabbf4fbfba

SHA1
0a81034a89e443270c74c961b71c34b64bb9086f

SHA256
84675306c58e0dfefb0eb64cf826ad532af0596599c2b691477dadbc0e147306

SHA512
f967075dcb3e7c14148c3041ad1118652fde479b8f84353395ef91362353554dfe023b642a5c1bc52bbd42ad3c17fbed7e70d0aa0894357468f0f09536b49745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139

Filesize
2KB

MD5
c6e190fba987a7dcec07a6246b872ecb

SHA1
7596a3220f42a3b1e59fd941eb0df4237e23e8f4

SHA256
0ac040c9d9c4f3f218715768b4c06ed8a6584d5313de627d13a14cd37e4a6b4b

SHA512
00e28af79a32b3c9921e88724581f0bb54084c9c2bcc52e2d619aa56b37586228b1b6f95775d95473c00e5d8f707a1b4ce7ed9b87764677385729af73ee487d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\009879608CAFAEA3D83BD836A5260DFF_494C964ABB8DFAE54253C96871A2D7F3

Filesize
482B

MD5
c548d535c92dafb4c0ffa75e4340bd2e

SHA1
ab5e3174d58966acd9eace1bedaf9180d612962e

SHA256
a157cd4a1d98e6d559760b6c22ffe9259b66b6d2d4e957c11b0d22994b87c0f8

SHA512
9072804e89bfa761689f164e7dcb6090fe57cfc1bbae1354d47a3d5351f1f28bcd210512efcb1fdf97e0829f45ea818a9619593c7905daa8782a81f8b07565f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\49855FCDFA62840A2838AEF1EFAC3C9B

Filesize
290B

MD5
1d111f75d73b1298f001898a7fd9b3fc

SHA1
072eb4a78a86dc41e6b3c0820e5923694cdbda21

SHA256
e1a70cce44d8badbef3ce55e2f5bcde6d1f48b014ae6211d4d807cab8db02f61

SHA512
573fc3a2bd83b47d2ffdd42749658cb520a6034d5b43836ab1ec4a11716adfcd01b16ad6828e65cb7bb0e5771add72725cade114c9b1b94fe6d48cb9c685f43b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54C62B182F5BF07FA8427C07B0A3AAF8_C0FCA017E5E8DC85A76F14D75ABCD153

Filesize
478B

MD5
419b66b3b051512587e9ee06dacd0bbd

SHA1
d57030693d2072e4aac95d6a6b05971ee10386e4

SHA256
ff15c7c9ea9486ef6b864d9824cd3ace0a9de2c4ab42c00b1f5bd21e586e3115

SHA512
b275a0abdebdc8722493942f255569e9f29e0643829289b785a741e3644067ddbcbd77bfa2babc3b41f492b31f53824e296d8f7dea4f340d7caad005b67c2945

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50

Filesize
556B

MD5
18bf09b441abbbdd1f6a794dd8b6e982

SHA1
bcfbad5bd49d86a9660c1b6d80cd33bcc7367d42

SHA256
2ee77aff2f24122b1d6f2fbe19a684af8a4a67d20795eda92e4f2720b812c5c0

SHA512
45c62c36d15195cd81bb0368d79c32c38a8b659f070123568506ffd026d7bed6ea307d12096a10d75065a9877c86764121a0bf297029f6af784ca3436d90b977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77CF52543AB0ECD9BF6546AAF6AC33DB

Filesize
318B

MD5
fd996ffd0a226cb271e8a856171acc03

SHA1
5fc7b5e0843ec8168814d92cafdc2af90659b248

SHA256
7728ce5711630c9f0525da65f9a469a879fe814a26f09a52f0acee6966588fb0

SHA512
b611d364313f87e08804472abae3033b82d85b60532c644d742b55ff829c68456cf7a05de5c87231d79964fb5638c0d1e1b2fe57331312d31ae527cfe85d84d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7850C7BAFAC9456B4B92328A61976502_E3986D37B77FFFC158DD1695D3C4876D

Filesize
556B

MD5
697d5480ae5d625c025cd1287b8ca7bf

SHA1
e7111e0d94d24f024e98a5409ea95c1690b30f04

SHA256
e7e0c72ffdf709d994cceb718a4c45657e3ad5ebfb10f2f5c0f1f47c40878850

SHA512
20def8a9e02dbdb1d47f5fe156b67e22ae4fc9551c5120df58da57eb21f9e8cc85cc032157cf24c8a8a6c3bb4e27d60f9a6d9e19dad678554211f9847b50caf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139

Filesize
560B

MD5
447b1ecb24debafd1ed6951aa1f43ef2

SHA1
9c4334b18071c4a2b3192432d1663eb894836122

SHA256
d552d4503e3a31714dfcb8d86f19393b7a7d0a4b8b4da8720a72d3181c0b1c28

SHA512
e2a70478f23d2a888239ed6d4d5080aa07a033faf701d77d7a72c824c32457d7e891ce231c199026c9a6eb6647b0be9e67b17271fa76bb857609379ec2476fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
190B

MD5
7269b7dafd5b758611910362e0cb539c

SHA1
407a144f5c4fed0b134ab7c797832923fd2ccf54

SHA256
c5eb5c69965e17173123378368ce686c1249665c3b7f91bc3d7bf6a9af9e75b0

SHA512
35709f3e19580d9b39aaefccc58f947d7d5332b39b84ecbd11c262cc8ac66295e99f81d5f48345b8da7f297f6d3a6335715c5738992f041a3fb066c41de8d365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eab97cbf2895bc0db942cb9182aafe73

SHA1
2475ddeed301f3bab45a01f2b15bd01f0761e4cc

SHA256
2f20888e8fb5519545fe0653516b0fa584f49683fd3653ce0b4ccbba8504348e

SHA512
ad5c844890fa0147d3dd7fff98a35dbe7e856a118e6c5c8d289ce08380579f43d552d808c4868dc497c721c18dec5f73e52eba61395211cde5c4e267faf1a891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a0ee4492b4b2081ee02a2076cff33bd4

SHA1
d398399074c1984ecd8f990997e3798466a1748e

SHA256
8df375baebd8a240fc26665022338f6106783c6564cf430447c1f9aeaf864184

SHA512
311f2a9d1fbe01226a78d6ca5e0f79a9fa8a40427e62b1d77e348990d3069c0e28f293d844290b0719096cf8cb986a2bc719128a5a717713e029f0d90e971483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b4133b927f114460b36444aea8f1229e

SHA1
49a90c9f3213aec6c6ae7a57752b5a87b02a6cf8

SHA256
52e1934c51d72d84ff987ee18b331f078086cfa00ce3cd579f4b92dd8b04938c

SHA512
92603200c3083f43d89788154b25e0985204e5a90289ed4cb016a8eba840bc796efd11eab500450de140f4913560bdec5b2e40e437f02fbde615d7f294cb7bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
265fad6c70759a373044d7835a913ee3

SHA1
edf49c4d88848ec2e1088b6f7f7a8f30a90d9426

SHA256
e20a10febc0c33d4c26e79ec0ef60c875d39774137bb6b0e00672bac2bed40d1

SHA512
3be2df272b91757808e6a133a9bafa7fc98582c3a0255cb818faf6b11dde378d041a8327dfb8f4b53689f82d8b29f9a6ee4d0d20ba826484269126f959b05b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\1c8fffe5-c942-4351-9a11-f670effec49e\UnifiedStub-installer.exe\assembly\dl3\1d8fa3a9\f7f7a445_4708db01\rsServiceController.DLL

Filesize
182KB

MD5
667297116624d94676fe158b16408c1b

SHA1
b2a1d637a4c3ca3f558a350b36cd8bd704832abf

SHA256
7920b193b4d8f1b51b134293bbb8c1d9ab557a0debe7352bcd7aadbd6a467e8f

SHA512
17ecfac84801f4843ae24912876a601248d151860268aa460faf41ff74c60951d4968dc924f78e58a94e636431a373355b3be731e8edd341aa1f19e84962e0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\1c8fffe5-c942-4351-9a11-f670effec49e\UnifiedStub-installer.exe\assembly\dl3\35e1bc75\c96d9b45_4708db01\rsAtom.DLL

Filesize
172KB

MD5
ed35fb01fc569b2fa29dc923da7f12bc

SHA1
a4317b7dd5a11287c3e904ab09cb89032fd43cc5

SHA256
dee0ee9a1e57374200ef88f47160c8d71a3932714e83c3248c1527fac3f1d02f

SHA512
e52d61a69c21654f6a8ff76442f572e362369216f72aca7b561a1ec29b62e24c80ca2b7e6e6473f9961b628e09ce624a4542ebb5019bfa157826538185412eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\1c8fffe5-c942-4351-9a11-f670effec49e\UnifiedStub-installer.exe\assembly\dl3\9a64caba\f7f7a445_4708db01\rsLogger.DLL

Filesize
184KB

MD5
0f66bd5e2162762e3c423ca81588aa50

SHA1
faf487abb39a90cf3558d34d84999b8788a4ad5b

SHA256
f5b89ddc4d6cc848a63b61e136085386aee0bbfa8ae5183cc7fbd6a23e2ce9d2

SHA512
e45766ac106b741917ab0ed9a1a5873c1114d69b7978bc0b9d82d87c2448a39d3a3e989f874460a888f39c10a69e6c155b1187e52ef81324f59dde3992667b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\1c8fffe5-c942-4351-9a11-f670effec49e\UnifiedStub-installer.exe\assembly\tmp\5LCYGWGW\Newtonsoft.Json.DLL

Filesize
699KB

MD5
ae12c68d79e1217d02d77eb90076a5d9

SHA1
dac620858e20a9c42c63ec9a407734f0af402055

SHA256
8d04dba084aa5964cd85ea5d301fce01b9843e833189f9ff5827f11f60b8bbbf

SHA512
9720c13c6b2b69905b4e0104459bac3f9776831fbc2cfffcf152bc04348e38cf52b8ea24e048abb1971d7d8143f99d07ebba3737ee106f536ac42f795e063213

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\8b694583-1a83-440c-ae34-fc40ffc32b02\UnifiedStub-installer.exe\assembly\dl3\1a986ce1\9d0afe34_4708db01\rsLogger.DLL

Filesize
183KB

MD5
54ff6dfafb1ee7d42f013834312eae41

SHA1
7f30c2ffb6c84725d90ce49ca07eb4e246f2b27b

SHA256
ef5ce90acf6eb5196b6ba4a24db00d17c83b4fbd4adfa1498b4df8ed3bf0bd0c

SHA512
271f1203ee1bacac805ab1ffa837cad3582c120cc2a1538610364d14ffb4704c7653f88a9f1cccf8d89a981caa90a866f9b95fb12ed9984a56310894e7aae2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\8b694583-1a83-440c-ae34-fc40ffc32b02\UnifiedStub-installer.exe\assembly\dl3\22c3c055\2de4f634_4708db01\rsAtom.DLL

Filesize
171KB

MD5
de22fe744074c51cf3cf1128fcd349cb

SHA1
f74ecb333920e8f2785e9686e1a7cce0110ab206

SHA256
469f983f68db369448aa6f81fd998e3bf19af8bec023564c2012b1fcc5c40e4b

SHA512
5d3671dab9d6d1f40a9f8d27aeea0a45563898055532f6e1b558100bed182c69e09f1dfd76574cb4ed36d7d3bb6786eff891d54245d3fab4f2ade3fe8f540e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\8b694583-1a83-440c-ae34-fc40ffc32b02\UnifiedStub-installer.exe\assembly\dl3\65215a07\24a8fb34_4708db01\rsJSON.DLL

Filesize
221KB

MD5
e3a81be145cb1dc99bb1c1d6231359e8

SHA1
e58f83a32fe4b524694d54c5e9ace358da9c0301

SHA256
ee938d09bf75fc3c77529ccd73f750f513a75431f5c764eca39fdbbc52312437

SHA512
349802735355aac566a1b0c6c779d6e29dfd1dc0123c375a87e44153ff353c3bfc272e37277c990d0b7e24502d999804e5929ddc596b86e209e6965ffb52f33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\8b694583-1a83-440c-ae34-fc40ffc32b02\UnifiedStub-installer.exe\assembly\dl3\903d8448\9d0afe34_4708db01\rsServiceController.DLL

Filesize
183KB

MD5
4f7ae47df297d7516157cb5ad40db383

SHA1
c95ad80d0ee6d162b6ab8926e3ac73ac5bd859a3

SHA256
e916df4415ae33f57455e3ea4166fbb8fbe99eeb93a3b9dcab9fe1def45e56ed

SHA512
4398652b53b8d8c8bac584f83d5869985d32fa123f0e976ef92f789b1f7116572a15d0bb02be3fbc80ed326cfb18eea80fec03ee20ed261e95daa4e91e61c65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\Microsoft.Win32.TaskScheduler.dll

Filesize
339KB

MD5
07d2c6c45e3b9513062f73c6b4ef13e8

SHA1
4ec2ffa55a31e44234e868a94066dab280370a3b

SHA256
dcadc14a5a4a0886cf8506aef9ca312f304ad77af37e9c3bebadb90fecef90fe

SHA512
64386d0269ec05f1e854f321421d907b23fae4ef6687f143b0638afe9b983bea360bba0ba25169151e1e1fda7caec6b60abe48216009668063f79dba8b6a42d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\Newtonsoft.Json.dll

Filesize
701KB

MD5
394a6e7da2972f0307604f1cf027a955

SHA1
fba0319c7a82c183ffa96e01a6d427e2c0911f2d

SHA256
981fac0f3323033c87c5a236a7cc80ea4a633cbf7c7b926b28ddbe720d4b8fdf

SHA512
24763b6887c222c4a609e1db621279cb5441211902d3a57789e93f6e5bcd61081dc985f5382676b39207f85d5e8a24f0d610f66bedec0af9b6d294816d68785d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\Reason.PAC.dll

Filesize
171KB

MD5
6852acb92faf84c7ba2dbcf8f251ca21

SHA1
80e06a69b0e89eda01dc9058f6867cd163d7de44

SHA256
9de687df8721e57bec834a1ed971edc6abd277e81ec6d5fee0de7f9f08eebd11

SHA512
cb9bb5b04e1dfea25c8178cbcc2277d2df40a65afb5203b7edc996c5039b7f609671d5780fea519f673685ee92080b8dd0ac054627e1e9148e2c7599e1c66e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\UnifiedStub-installer.exe

Filesize
1.0MB

MD5
eb01e3263ed81d47c948763397e200f7

SHA1
6e15d83055beee39dfd255221e9784ba919eeb94

SHA256
8e9c6533623fb610c20b91362bd74645eb767e5b0f47a62644e8ad6eefe17d91

SHA512
56df74f5cb578b658ee518fb7f1dd6400df4188a188acda4fe83bba0af557e239e5a82699613f3b2bbcdbc2da0265f0248a82f773c65e59ab644c723ef2e18e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\e458736a-56bf-4301-9727-c71fec62675a\UnifiedStub-installer.exe\assembly\dl3\419341ca\e5d58454_4708db01\rsJSON.DLL

Filesize
216KB

MD5
fc1389953c0615649a6dbd09ebfb5f4f

SHA1
dee3fd5cb018b18b5bdc58c4963d636cfde9b5cc

SHA256
cb817aa3c98f725c01ec58621415df56bb8c699aaed8665929800efb9593fcc0

SHA512
7f5a61dd1f621a539ed99b68da00552e0cda5ad24b61e7dbf223a3697e73e18970e263fda889c08c3c61252c844a49c54c4705e1f3232274cbe787a3dbd34542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\e458736a-56bf-4301-9727-c71fec62675a\UnifiedStub-installer.exe\assembly\dl3\9a90f103\ecfc8454_4708db01\rsServiceController.DLL

Filesize
173KB

MD5
860ced15986dbdc0a45faf99543b32f8

SHA1
060f41386085062592aed9c856278096180208de

SHA256
6113bd5364af85fd4251e6fa416a190a7636ac300618af74876200f21249e58a

SHA512
d84a94673a8aa84f35efb1242e20775f6e099f860a8f1fe53ba8d3aebffd842499c7ac4d0088a4cded14bd45dad8534d824c5282668ca4a151ac28617334a823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\e458736a-56bf-4301-9727-c71fec62675a\UnifiedStub-installer.exe\assembly\dl3\a1ff3123\b6eb8054_4708db01\rsAtom.DLL

Filesize
157KB

MD5
1b29492a6f717d23faaaa049a74e3d6e

SHA1
7d918a8379444f99092fe407d4ddf53f4e58feb5

SHA256
01c8197b9ca584e01e2532fad161c98b5bde7e90c33003c8d8a95128b68929c0

SHA512
25c07f3d66287ff0dfb9a358abb790cadbabe583d591c0976ea7f6d44e135be72605fa911cc4871b1bd26f17e13d366d2b78ce01e004263cbe0e6717f822c4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\e458736a-56bf-4301-9727-c71fec62675a\UnifiedStub-installer.exe\assembly\dl3\a8c17fff\e5d58454_4708db01\rsLogger.DLL

Filesize
178KB

MD5
dbdd8bcc83aa68150bf39107907349ad

SHA1
6029e3c9964de440555c33776e211508d9138646

SHA256
c43fea57ecd078518639dc2446a857d0c2594e526b5e14ee111a9c95beddf61e

SHA512
508cb9b3834f7da9aa18b4eb48dd931b3526f7419463c1f0c5283b155efbe9c255213ae1074d0dbe2de5b2f89d0dba77f59b729490d47d940b5967969aaf1f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\e458736a-56bf-4301-9727-c71fec62675a\UnifiedStub-installer.exe\assembly\tmp\KHMI6N5N\__AssemblyInfo__.ini

Filesize
176B

MD5
c8df78b66a4dd1aa51de0ec68972e503

SHA1
65e648eda03c718bfc59615e485880169cd65eec

SHA256
c38542ec46aa9a36b249007fde611d1655c742f132023b7a76e3d666d6ff9823

SHA512
407ee509ccf9e11a358e2fa53fde7a712ad4bd43f2afa6e3d2242fb851baaf1986453fadcad7158105a0fa59013a1ef14c1778d8e64c9f3004a2cffb56db2593

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\rsLogger.dll

Filesize
182KB

MD5
8d7c6d91acc80161238fb1b57f290580

SHA1
94653d2574ce4b23711030d8a4855735691c248d

SHA256
15f727b784dad456177df9328d1760693ae4648b37bd395dfb43bf3ceba760fe

SHA512
89366a2d2e3ce5eaeb81a7728aa720a86d59521a612a64e26cc988ea4353b9ec95e94ccd74a4582a3f87fcc8c881fd03fcdace85aa566a1b4ae92409a98b839e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\rsStubLib.dll

Filesize
270KB

MD5
26ffa645c99b87925ef785e67cfefc4c

SHA1
665f81ad2d77f3047df56b5d4d724b7eaf86945b

SHA256
c56d0502297fa69575fcc1521a6190c1c281243770270b2e1732f5494fb8f05e

SHA512
d49034d2cc7ab47b2c701aa1acbca5cf4890338b9f64c62978a6d09049ed1928f23ca41f03035b1f655ce1e7d2ff220e8098db4b38c9812921b5481ce2932823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\rsSyncSvc.exe

Filesize
798KB

MD5
f2738d0a3df39a5590c243025d9ecbda

SHA1
2c466f5307909fcb3e62106d99824898c33c7089

SHA256
6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21

SHA512
4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\uninstall-epp.exe

Filesize
319KB

MD5
882fee1ea7c9969476942c0134e5051d

SHA1
f42c13c7e4777bc1fcdf1719c99f156627345a76

SHA256
9716fd65434ef067f707ffd0a81762c32d2b2fbdb61ae5a03fb44a6ed9213bfa

SHA512
ded432c4038d0b021f3f1afc1cd0acd522da3a33244ef7618fda0cfe8acb3cf3ab624edc0b2b1498bfe48b9ccb81d4c06037460c2246cd6773b0cd3e947b0571

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F3F9078\x64\Reason.ArchiveUtility-x64.dll

Filesize
154KB

MD5
366231ab413d0ce3ad65b38b4ab3e4a6

SHA1
f52e1886563137a4124d3096d7ede5ce1cd1e578

SHA256
ed349b2e11a4c6ada76a72f2462e84551d5451088212a6e0d6fbf4904c8cc19d

SHA512
55b7e9ecab6893331f9cc045a4d60b971fb208ca6f2c12592de98f91389413f9bd5f50460f06507a9cff650b4cec73c61a633f30d1ba869b2ecc93c5a3aaaca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_files\rsStubActivator.exe

Filesize
32KB

MD5
98b427a4f1258009ae0fd014fd90e091

SHA1
a663fa0863dd9593b17ddedf3d0af10de1853784

SHA256
532cc61d32dffcd6caf16996c439e75aba10422525a8db274c9490dac93c78e4

SHA512
ca2f2ba9bc8afbcb3a0b9c547dc7a92a13aeecde203c7cafe2b81267204771adb7c9b72f008d6826051da4ea6834264736673fba664079683bce3ca1b56ddcf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iclyt33y.exe

Filesize
2.4MB

MD5
11b19795dec85eafc4d3dfc0ad332502

SHA1
17b527d2f14617813f708b2546c832d628ee0622

SHA256
f4f08837bfac298b05f56953a5c14e2bbf8d82a25c220d32480bd0a7b66571a3

SHA512
a45ebd85a4c7f631b16cdb990aaa12dc923a2afb9c2b28f9a06a5242479ac8c2c01a58d62fe890b3851ad10e1547055189419b4d305b53efdfe6f7bf6980ee33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.19.0\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.19.0\DawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.19.0\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.19.0\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.19.0\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 367541.crdownload

Filesize
1.3MB

MD5
390c6c6b3f54a28218dedec3e9770b49

SHA1
132778a8aa06087a19fbb9d4ffe376910b91f6ef

SHA256
4f4be04142c835f2cf90888cf8f782b60fef6e60177f75919adee695caf7f1df

SHA512
5545ff149e1a3de1877e3fedc092c344fe704fb80b8075bcb71049e6cbb0637782123bd2de55f8e80e284e6c43448448f22e835d72bdfd33e13c42602bf76d82

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_8DFC7CAC6EB6F44AC3DB96EB0A5FAEE5

Filesize
2KB

MD5
67fcae373901ca6bf94cfe914df4e536

SHA1
5e2b36a30d1af45c37c2839fb8900fc085adcb97

SHA256
440c8c16ee4b6f37de4d1ee539de12d1aedb634351c1a5638bec096658580544

SHA512
9623b11264919b91f165a1282f2307ceade09aece1f2b6eb720643706d9e565a923295ba6688454e3340b0e7f9997c93f07a1d5d917e7cba8f6f51f5b980eb49

Download Submit
memory/2284-123-0x000000001B500000-0x000000001B51E000-memory.dmp

Filesize
120KB

Download
memory/2284-122-0x000000001B540000-0x000000001B572000-memory.dmp

Filesize
200KB

Download
memory/2284-120-0x000000001B0D0000-0x000000001B0E2000-memory.dmp

Filesize
72KB

Download
memory/2284-119-0x000000001B5C0000-0x000000001B672000-memory.dmp

Filesize
712KB

Download
memory/2284-121-0x000000001B0F0000-0x000000001B110000-memory.dmp

Filesize
128KB

Download
memory/2284-118-0x000000001B4B0000-0x000000001B500000-memory.dmp

Filesize
320KB

Download
memory/2284-117-0x000000001B8E0000-0x000000001BE08000-memory.dmp

Filesize
5.2MB

Download
memory/2284-116-0x0000000000180000-0x00000000002C4000-memory.dmp

Filesize
1.3MB

Download
memory/2284-124-0x000000001B520000-0x000000001B53A000-memory.dmp

Filesize
104KB

Download
memory/3256-159-0x000002B8794F0000-0x000002B8794F8000-memory.dmp

Filesize
32KB

Download
memory/5388-837-0x000002C134860000-0x000002C1348B8000-memory.dmp

Filesize
352KB

Download
memory/5388-871-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-2538-0x000002C1348C0000-0x000002C1348EE000-memory.dmp

Filesize
184KB

Download
memory/5388-2526-0x000002C1348C0000-0x000002C1348F0000-memory.dmp

Filesize
192KB

Download
memory/5388-2515-0x000002C1348C0000-0x000002C1348FA000-memory.dmp

Filesize
232KB

Download
memory/5388-855-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-865-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-869-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-881-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-883-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-885-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-838-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-839-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-841-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-843-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-845-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-847-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-849-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-851-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-853-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-857-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-859-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-861-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-863-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-867-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-893-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-874-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-875-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-877-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-879-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-292-0x000002C1199D0000-0x000002C119ADA000-memory.dmp

Filesize
1.0MB

Download
memory/5388-294-0x000002C119EE0000-0x000002C119F26000-memory.dmp

Filesize
280KB

Download
memory/5388-4628-0x000002C133AC0000-0x000002C133B72000-memory.dmp

Filesize
712KB

Download
memory/5388-3302-0x000002C133960000-0x000002C1339AE000-memory.dmp

Filesize
312KB

Download
memory/5388-296-0x000002C119F30000-0x000002C119F60000-memory.dmp

Filesize
192KB

Download
memory/5388-298-0x000002C134120000-0x000002C1341D2000-memory.dmp

Filesize
712KB

Download
memory/5388-299-0x000002C11B870000-0x000002C11B892000-memory.dmp

Filesize
136KB

Download
memory/5388-301-0x000002C11B910000-0x000002C11B93E000-memory.dmp

Filesize
184KB

Download
memory/5388-306-0x000002C134260000-0x000002C1342B8000-memory.dmp

Filesize
352KB

Download
memory/5388-889-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-4644-0x000002C133A30000-0x000002C133A60000-memory.dmp

Filesize
192KB

Download
memory/5388-887-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-891-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-4707-0x000002C133A30000-0x000002C133A5E000-memory.dmp

Filesize
184KB

Download
memory/5388-901-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-899-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-897-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5388-2551-0x000002C1349A0000-0x000002C1349D0000-memory.dmp

Filesize
192KB

Download
memory/5388-895-0x000002C134860000-0x000002C1348B5000-memory.dmp

Filesize
340KB

Download
memory/5556-2837-0x0000022FF0750000-0x0000022FF09D6000-memory.dmp

Filesize
2.5MB

Download
memory/5556-2842-0x0000022FEFE40000-0x0000022FEFE7A000-memory.dmp

Filesize
232KB

Download
memory/5556-2879-0x0000022FF05C0000-0x0000022FF0672000-memory.dmp

Filesize
712KB

Download
memory/5556-2843-0x0000022FD6B90000-0x0000022FD6BB6000-memory.dmp

Filesize
152KB

Download
memory/5556-2880-0x0000022FF0500000-0x0000022FF0534000-memory.dmp

Filesize
208KB

Download
memory/5556-2838-0x0000022FEFD90000-0x0000022FEFDF6000-memory.dmp

Filesize
408KB

Download
memory/5556-2884-0x0000022FEFE00000-0x0000022FEFE2A000-memory.dmp

Filesize
168KB

Download
memory/5556-2887-0x0000022FF0680000-0x0000022FF06E6000-memory.dmp

Filesize
408KB

Download
memory/5556-2888-0x0000022FF2150000-0x0000022FF26F4000-memory.dmp

Filesize
5.6MB

Download
memory/5556-2836-0x0000022FEFC60000-0x0000022FEFCAF000-memory.dmp

Filesize
316KB

Download
memory/5556-2835-0x0000022FF0150000-0x0000022FF04B9000-memory.dmp

Filesize
3.4MB

Download
memory/5556-2834-0x0000022FEFCC0000-0x0000022FEFD1E000-memory.dmp

Filesize
376KB

Download
memory/5556-2832-0x0000022FEFC30000-0x0000022FEFC60000-memory.dmp

Filesize
192KB

Download
memory/5556-2819-0x0000022FEFEA0000-0x0000022FF0148000-memory.dmp

Filesize
2.7MB

Download
memory/5556-2805-0x0000022FEFB90000-0x0000022FEFBB6000-memory.dmp

Filesize
152KB

Download
memory/5556-2987-0x0000022FF06F0000-0x0000022FF0732000-memory.dmp

Filesize
264KB

Download
memory/5556-2804-0x0000022FEFA30000-0x0000022FEFA54000-memory.dmp

Filesize
144KB

Download
memory/5556-2990-0x0000022FF1E20000-0x0000022FF20A0000-memory.dmp

Filesize
2.5MB

Download
memory/5556-3020-0x0000022FF0580000-0x0000022FF05B2000-memory.dmp

Filesize
200KB

Download
memory/5556-3037-0x0000022FF1CA0000-0x0000022FF1CC6000-memory.dmp

Filesize
152KB

Download
memory/5556-3036-0x0000022FEFD70000-0x0000022FEFD78000-memory.dmp

Filesize
32KB

Download
memory/5556-3045-0x0000022FF1CD0000-0x0000022FF1CF8000-memory.dmp

Filesize
160KB

Download
memory/5556-3046-0x0000022FF1D30000-0x0000022FF1D62000-memory.dmp

Filesize
200KB

Download
memory/5556-3090-0x0000022FF1DA0000-0x0000022FF1DCC000-memory.dmp

Filesize
176KB

Download
memory/5556-3239-0x0000022FF2700000-0x0000022FF2768000-memory.dmp

Filesize
416KB

Download
memory/5556-3252-0x0000022FF2770000-0x0000022FF27F0000-memory.dmp

Filesize
512KB

Download
memory/5556-2802-0x0000022FEF640000-0x0000022FEF668000-memory.dmp

Filesize
160KB

Download
memory/5556-2800-0x0000022FEF610000-0x0000022FEF63E000-memory.dmp

Filesize
184KB

Download
memory/5556-2711-0x0000022FEF9F0000-0x0000022FEFA22000-memory.dmp

Filesize
200KB

Download
memory/5556-3266-0x0000022FF27F0000-0x0000022FF2866000-memory.dmp

Filesize
472KB

Download
memory/5556-3271-0x0000022FF2870000-0x0000022FF28C4000-memory.dmp

Filesize
336KB

Download
memory/5556-3274-0x0000022FF1DD0000-0x0000022FF1DFA000-memory.dmp

Filesize
168KB

Download
memory/5556-3275-0x0000022FF20F0000-0x0000022FF2124000-memory.dmp

Filesize
208KB

Download
memory/5556-3276-0x0000022FF28D0000-0x0000022FF28FC000-memory.dmp

Filesize
176KB

Download
memory/5556-3279-0x0000022FF2A80000-0x0000022FF2BF6000-memory.dmp

Filesize
1.5MB

Download
memory/5556-3283-0x0000022FF2900000-0x0000022FF292A000-memory.dmp

Filesize
168KB

Download
memory/5556-3287-0x0000022FF2C00000-0x0000022FF2D00000-memory.dmp

Filesize
1024KB

Download
memory/5556-2679-0x0000022FEFB10000-0x0000022FEFB88000-memory.dmp

Filesize
480KB

Download
memory/5556-3304-0x0000022FF2990000-0x0000022FF29E4000-memory.dmp

Filesize
336KB

Download
memory/5556-4407-0x0000022FF2930000-0x0000022FF2958000-memory.dmp

Filesize
160KB

Download
memory/5556-2678-0x0000022FEF410000-0x0000022FEF43A000-memory.dmp

Filesize
168KB

Download
memory/5556-4635-0x0000022FF2960000-0x0000022FF2988000-memory.dmp

Filesize
160KB

Download
memory/5556-2677-0x0000022FEFA80000-0x0000022FEFB08000-memory.dmp

Filesize
544KB

Download
memory/5556-2676-0x0000022FEF450000-0x0000022FEF488000-memory.dmp

Filesize
224KB

Download
memory/6080-2636-0x000001A5437F0000-0x000001A543818000-memory.dmp

Filesize
160KB

Download
memory/6080-2632-0x000001A543360000-0x000001A5433AA000-memory.dmp

Filesize
296KB

Download
memory/6080-2634-0x000001A55D7E0000-0x000001A55D83A000-memory.dmp

Filesize
360KB

Download
memory/6080-2637-0x000001A543360000-0x000001A5433AA000-memory.dmp

Filesize
296KB

Download
memory/6080-2649-0x000001A55D890000-0x000001A55D8D4000-memory.dmp

Filesize
272KB

Download
memory/6080-2672-0x000001A55DD70000-0x000001A55DFC8000-memory.dmp

Filesize
2.3MB

Download
memory/6280-2806-0x000001C75A430000-0x000001C75A45A000-memory.dmp

Filesize
168KB

Download
memory/6280-2801-0x000001C75A430000-0x000001C75A45A000-memory.dmp

Filesize
168KB

Download
memory/6280-2803-0x000001C774BF0000-0x000001C774DB0000-memory.dmp

Filesize
1.8MB

Download
memory/7144-2891-0x0000026439350000-0x0000026439640000-memory.dmp

Filesize
2.9MB

Download
memory/7144-2839-0x0000026420200000-0x000002642022E000-memory.dmp

Filesize
184KB

Download
memory/7144-2883-0x0000026438C60000-0x0000026438D12000-memory.dmp

Filesize
712KB

Download
memory/7144-2989-0x000002643B620000-0x000002643B628000-memory.dmp

Filesize
32KB

Download
memory/7144-2892-0x0000026439260000-0x00000264392BE000-memory.dmp

Filesize
376KB

Download
memory/7144-2894-0x0000026438D50000-0x0000026438D5A000-memory.dmp

Filesize
40KB

Download
memory/7144-2893-0x0000026439640000-0x0000026439656000-memory.dmp

Filesize
88KB

Download
memory/7144-2896-0x000002643A480000-0x000002643A48A000-memory.dmp

Filesize
40KB

Download
memory/7144-2895-0x000002643A460000-0x000002643A468000-memory.dmp

Filesize
32KB

Download
memory/8800-2594-0x000001D2C0220000-0x000001D2C0232000-memory.dmp

Filesize
72KB

Download
memory/8800-2595-0x000001D2C1A90000-0x000001D2C1ACC000-memory.dmp

Filesize
240KB

Download
memory/8800-2581-0x000001D2BFE00000-0x000001D2BFE2E000-memory.dmp

Filesize
184KB

Download
memory/8800-2580-0x000001D2BFE00000-0x000001D2BFE2E000-memory.dmp

Filesize
184KB

Download
memory/9096-2621-0x000001C9F5C70000-0x000001C9F5C8A000-memory.dmp

Filesize
104KB

Download
memory/9096-2620-0x000001C9F6600000-0x000001C9F677C000-memory.dmp

Filesize
1.5MB

Download
memory/9096-2619-0x000001C9F67F0000-0x000001C9F6B56000-memory.dmp

Filesize
3.4MB

Download
memory/9096-2622-0x000001C9F5CF0000-0x000001C9F5D12000-memory.dmp

Filesize
136KB

Download