cobaltstrike | hxxps://undertale[.]en[.]download[.]it/

Analysis

max time kernel
230s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://undertale.en.download.it/

Score

10^/10

cobaltstrike backdoor discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000023c45-5456.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0008000000023c47-5460.dat	disable_win_def

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsDwf.sys	UnifiedStub-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsDwf.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEngineSvc.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	undertale_Cai-ys1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	prod0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rsVPNSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	rsAppUI.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 53 IoCs

pid	Process
3012	undertale_Cai-ys1.exe
932	undertale_Cai-ys1.exe
2784	undertale_Cai-ys1.tmp
4388	undertale_Cai-ys1.tmp
4580	prod0.exe
2920	saBSI.exe
3956	vblwk4mg.exe
1920	UnifiedStub-installer.exe
540	rsSyncSvc.exe
3236	rsSyncSvc.exe
1084	installer.exe
5288	installer.exe
5948	ServiceHost.exe
6304	UIHost.exe
8368	updater.exe
8184	rsWSC.exe
9040	rsWSC.exe
6776	rsClientSvc.exe
7368	rsClientSvc.exe
6804	rsEngineSvc.exe
6868	rsEngineSvc.exe
8328	rsEDRSvc.exe
7264	rsEDRSvc.exe
8680	rsHelper.exe
8440	rsVPNClientSvc.exe
7156	rsVPNClientSvc.exe
3952	rsVPNSvc.exe
7576	rsVPNSvc.exe
6556	VPN.exe
4908	rsAppUI.exe
8752	rsAppUI.exe
7376	rsAppUI.exe
8676	rsAppUI.exe
8060	rsAppUI.exe
8564	EPP.exe
7296	rsAppUI.exe
7556	rsAppUI.exe
6892	rsAppUI.exe
7768	rsAppUI.exe
7304	rsLitmus.A.exe
9832	rsDNSClientSvc.exe
9888	rsDNSClientSvc.exe
9948	rsDNSResolver.exe
10056	rsDNSResolver.exe
10172	rsDNSResolver.exe
6988	rsDNSSvc.exe
8228	rsDNSSvc.exe
8168	rsAppUI.exe
6076	DNS.exe
7080	rsAppUI.exe
5472	rsAppUI.exe
4764	rsAppUI.exe
2488	rsAppUI.exe

Loads dropped DLL 57 IoCs

pid	Process
4388	undertale_Cai-ys1.tmp
5288	installer.exe
7156	regsvr32.exe
8388	regsvr32.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
6304	UIHost.exe
6304	UIHost.exe
1920	UnifiedStub-installer.exe
1920	UnifiedStub-installer.exe
6868	rsEngineSvc.exe
7264	rsEDRSvc.exe
1920	UnifiedStub-installer.exe
7312	UndertaleDemo.exe
7312	UndertaleDemo.exe
6868	rsEngineSvc.exe
6868	rsEngineSvc.exe
1920	UnifiedStub-installer.exe
7576	rsVPNSvc.exe
4908	rsAppUI.exe
4908	rsAppUI.exe
8752	rsAppUI.exe
7376	rsAppUI.exe
8752	rsAppUI.exe
8752	rsAppUI.exe
8752	rsAppUI.exe
8752	rsAppUI.exe
8676	rsAppUI.exe
8060	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7556	rsAppUI.exe
6892	rsAppUI.exe
7768	rsAppUI.exe
7556	rsAppUI.exe
7556	rsAppUI.exe
7556	rsAppUI.exe
7556	rsAppUI.exe
1920	UnifiedStub-installer.exe
8168	rsAppUI.exe
8228	rsDNSSvc.exe
10172	rsDNSResolver.exe
10172	rsDNSResolver.exe
7080	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe
5472	rsAppUI.exe
4764	rsAppUI.exe
2488	rsAppUI.exe
5472	rsAppUI.exe
5472	rsAppUI.exe
5472	rsAppUI.exe
5472	rsAppUI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	rsEDRSvc.exe
File opened (read-only)	\??\F:	rsEngineSvc.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
9108	GameBarPresenceWriter.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000023c45-5456.dat	autoit_exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	rsEDRSvc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7850C7BAFAC9456B4B92328A61976502_4FB3A105E8F5471D1D5B7210085B4ACD	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07A7CCFBD28A674D95D3BF853C9007C6	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_75DBA25F887BE659C2BA758AC8D5EEC3	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E663C78920A8217B4CBE3D45E3E6236_75C1BD04B8F3DBF3882A89F51074A729	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\rsVPNSvc\WireGuard\log.bin	rsVPNSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_48BDF541C9BF1B2BAD41358CD874DC4B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_96B11076AA4494A4A6143129F61AEC8B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_E50E9DE8FAA0A2CF219011229EAEDF11	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0E663C78920A8217B4CBE3D45E3E6236_75C1BD04B8F3DBF3882A89F51074A729	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7850C7BAFAC9456B4B92328A61976502_E3986D37B77FFFC158DD1695D3C4876D	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_75DBA25F887BE659C2BA758AC8D5EEC3	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07A7CCFBD28A674D95D3BF853C9007C6	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_96B11076AA4494A4A6143129F61AEC8B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7850C7BAFAC9456B4B92328A61976502_4FB3A105E8F5471D1D5B7210085B4ACD	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D97B1EC1F43DD6ED4FE7AB95E144BC_FD1E2F5244EFADF5DAD59F6016976DB1	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\206932163209AD483A44477E28192474	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_72BCADB7EE100ECA692C6EC1A866B75B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\206932163209AD483A44477E28192474	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\439F613B3D55693954E1B080DE3085B4_C4927E03400A4F6EDB9D613E6354F864	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7850C7BAFAC9456B4B92328A61976502_E3986D37B77FFFC158DD1695D3C4876D	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_FD1E2F5244EFADF5DAD59F6016976DB1	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_72BCADB7EE100ECA692C6EC1A866B75B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A76F24BEACC5A31C76BB70908923C3E0	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A76F24BEACC5A31C76BB70908923C3E0	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\49855FCDFA62840A2838AEF1EFAC3C9B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48B35517638A85CA46010B026C2B955A_735A98D70471F3F6240371211712CB5C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEDRSvc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\white_questionmark.png	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\chrome_200_percent.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\lists\trackers.txt	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\settingsdb.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\about-icon-selected.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\lowsearchusertargeting.luc	installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Runtime.CompilerServices.VisualC.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\WireGuard\arm64\wireguard.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp1559897177\logicscripts.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-pt-PT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\browserinformation.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsAssistant.exe	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Threading.ThreadPool.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\progress_1.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fi-FI.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\settingsdblookup.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\browser_host_launchers_handler.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsRemediation.exe	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-ja-JP.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-zh-CN.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Win32.Primitives.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\Microsoft.Win32.Registry.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\updatependingversion.luc	installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Reflection.Primitives.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp1559897177\jslang\wa-res-install-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\edge_onboarding\edge_ob_telemetry.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-sv-SE.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Diagnostics.TraceSource.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\smart_toasting\selectors\smart_toast_search_setting.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\transmitters\transmit_ga.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handleonnavigate.luc	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\v8_context_snapshot.bin	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Data.SQLite.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\WireGuard\x86\tunnel.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-sstoast-toggle-rebranding-step2.png	installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.IO.Compression.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.Serialization.Xml.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\wmi.js	ServiceHost.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ms.pak	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp1559897177\jslang\wa-res-install-hu-HU.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\amd64\KernelTraceControl.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.ZipFile.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-es-MX.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\edgesecuresearchonboarding.luc	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\ca.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\x64\ext_x64.dll	UnifiedStub-installer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6856	4388	WerFault.exe	128
7508	4388	WerFault.exe	128

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	undertale_Cai-ys1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	undertale_Cai-ys1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saBSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vblwk4mg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UndertaleDemo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	undertale_Cai-ys1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	undertale_Cai-ys1.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Control	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rsEDRSvc.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	undertale_Cai-ys1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	undertale_Cai-ys1.tmp
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rsEDRSvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEDRSvc.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	undertale_Cai-ys1.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{2E1BBDA2-5946-4203-A28A-B7A6E018B82F}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 927560.crdownload:SmartScreen	msedge.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	134	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	msedge.exe
1508	msedge.exe
2948	msedge.exe
2948	msedge.exe
2188	identity_helper.exe
2188	identity_helper.exe
1496	msedge.exe
1496	msedge.exe
2920	saBSI.exe
2920	saBSI.exe
2920	saBSI.exe
2920	saBSI.exe
2920	saBSI.exe
2920	saBSI.exe
2920	saBSI.exe
2920	saBSI.exe
2920	saBSI.exe
2920	saBSI.exe
2920	saBSI.exe
2920	saBSI.exe
1920	UnifiedStub-installer.exe
1920	UnifiedStub-installer.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe
6304	UIHost.exe
6304	UIHost.exe
6304	UIHost.exe
6304	UIHost.exe
6304	UIHost.exe
6304	UIHost.exe
6304	UIHost.exe
6304	UIHost.exe
6304	UIHost.exe
6304	UIHost.exe
6304	UIHost.exe
6304	UIHost.exe
5948	ServiceHost.exe
5948	ServiceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
7312	UndertaleDemo.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
6952	fltmc.exe
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	prod0.exe
Token: SeDebugPrivilege	1920	UnifiedStub-installer.exe
Token: SeShutdownPrivilege	1920	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	1920	UnifiedStub-installer.exe
Token: SeDebugPrivilege	1920	UnifiedStub-installer.exe
Token: SeSecurityPrivilege	7424	wevtutil.exe
Token: SeBackupPrivilege	7424	wevtutil.exe
Token: SeLoadDriverPrivilege	6952	fltmc.exe
Token: SeSecurityPrivilege	7780	wevtutil.exe
Token: SeBackupPrivilege	7780	wevtutil.exe
Token: SeDebugPrivilege	8184	rsWSC.exe
Token: SeDebugPrivilege	9040	rsWSC.exe
Token: SeDebugPrivilege	6804	rsEngineSvc.exe
Token: SeDebugPrivilege	6804	rsEngineSvc.exe
Token: SeDebugPrivilege	6804	rsEngineSvc.exe
Token: SeBackupPrivilege	6804	rsEngineSvc.exe
Token: SeRestorePrivilege	6804	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	6804	rsEngineSvc.exe
Token: SeDebugPrivilege	6868	rsEngineSvc.exe
Token: SeDebugPrivilege	6868	rsEngineSvc.exe
Token: SeDebugPrivilege	6868	rsEngineSvc.exe
Token: SeBackupPrivilege	6868	rsEngineSvc.exe
Token: SeRestorePrivilege	6868	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	6868	rsEngineSvc.exe
Token: SeDebugPrivilege	7264	rsEDRSvc.exe
Token: SeShutdownPrivilege	1920	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	1920	UnifiedStub-installer.exe
Token: SeDebugPrivilege	7264	rsEDRSvc.exe
Token: SeDebugPrivilege	7264	rsEDRSvc.exe
Token: SeShutdownPrivilege	6868	rsEngineSvc.exe
Token: SeCreatePagefilePrivilege	6868	rsEngineSvc.exe
Token: 33	1716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1716	AUDIODG.EXE
Token: SeDebugPrivilege	8680	rsHelper.exe
Token: SeDebugPrivilege	8680	rsHelper.exe
Token: SeDebugPrivilege	8680	rsHelper.exe
Token: SeBackupPrivilege	8680	rsHelper.exe
Token: SeRestorePrivilege	8680	rsHelper.exe
Token: SeLoadDriverPrivilege	8680	rsHelper.exe
Token: SeDebugPrivilege	1920	UnifiedStub-installer.exe
Token: SeDebugPrivilege	3952	rsVPNSvc.exe
Token: SeDebugPrivilege	3952	rsVPNSvc.exe
Token: SeDebugPrivilege	3952	rsVPNSvc.exe
Token: SeBackupPrivilege	3952	rsVPNSvc.exe
Token: SeRestorePrivilege	3952	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	3952	rsVPNSvc.exe
Token: SeDebugPrivilege	7576	rsVPNSvc.exe
Token: SeDebugPrivilege	7576	rsVPNSvc.exe
Token: SeDebugPrivilege	7576	rsVPNSvc.exe
Token: SeBackupPrivilege	7576	rsVPNSvc.exe
Token: SeRestorePrivilege	7576	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	7576	rsVPNSvc.exe
Token: SeDebugPrivilege	7576	rsVPNSvc.exe
Token: SeDebugPrivilege	7576	rsVPNSvc.exe
Token: SeBackupPrivilege	7576	rsVPNSvc.exe
Token: SeRestorePrivilege	7576	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	7576	rsVPNSvc.exe
Token: SeShutdownPrivilege	7576	rsVPNSvc.exe
Token: SeCreatePagefilePrivilege	7576	rsVPNSvc.exe
Token: SeShutdownPrivilege	4908	rsAppUI.exe
Token: SeCreatePagefilePrivilege	4908	rsAppUI.exe
Token: SeShutdownPrivilege	4908	rsAppUI.exe
Token: SeCreatePagefilePrivilege	4908	rsAppUI.exe
Token: SeShutdownPrivilege	4908	rsAppUI.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
4388	undertale_Cai-ys1.tmp
4908	rsAppUI.exe
4908	rsAppUI.exe
4908	rsAppUI.exe
4908	rsAppUI.exe
4908	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
4908	rsAppUI.exe
4908	rsAppUI.exe
4908	rsAppUI.exe
4908	rsAppUI.exe
4908	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7296	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe
7080	rsAppUI.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4388	undertale_Cai-ys1.tmp
7312	UndertaleDemo.exe
7312	UndertaleDemo.exe
6436	OpenWith.exe
7312	UndertaleDemo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 1972	2948	msedge.exe	82
PID 2948 wrote to memory of 1972	2948	msedge.exe	82
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 4136	2948	msedge.exe	83
PID 2948 wrote to memory of 1508	2948	msedge.exe	84
PID 2948 wrote to memory of 1508	2948	msedge.exe	84
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85
PID 2948 wrote to memory of 4468	2948	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://undertale.en.download.it/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff379446f8,0x7fff37944708,0x7fff37944718
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2536 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3400 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- C:\Users\Admin\Downloads\undertale_Cai-ys1.exe
  "C:\Users\Admin\Downloads\undertale_Cai-ys1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\is-O7OGU.tmp\undertale_Cai-ys1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-O7OGU.tmp\undertale_Cai-ys1.tmp" /SL5="$B0172,1583588,832512,C:\Users\Admin\Downloads\undertale_Cai-ys1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\prod0.exe
      "C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\prod0.exe" -ip:"dui=32404286-a0b5-4a93-9620-6f13fd83251a&dit=20240919082222&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100&b=em&se=true" -vp:"dui=32404286-a0b5-4a93-9620-6f13fd83251a&dit=20240919082222&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100&oip=26&ptl=7&dta=true" -dp:"dui=32404286-a0b5-4a93-9620-6f13fd83251a&dit=20240919082222&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100" -i -v -d -se=true
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4580
    - - C:\Users\Admin\AppData\Local\Temp\vblwk4mg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vblwk4mg.exe" /silent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3956
      - C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\UnifiedStub-installer.exe
        
        .\UnifiedStub-installer.exe /silent
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        7⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        7⤵
        Adds Run key to start application
        
        PID:6816
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        
        PID:6836
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:5408
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7424
        
        C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        7⤵
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:6952
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7780
        
        C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:8184
        
        C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
        7⤵
        Executes dropped EXE
        
        PID:6776
        
        C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6804
        
        C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
        
        "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
        7⤵
        Executes dropped EXE
        
        PID:8328
        
        C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:8440
        
        C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        \??\c:\windows\system32\rundll32.exe
        
        "c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf
        7⤵
        Adds Run key to start application
        
        PID:9596
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        
        PID:9616
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:9668
        
        C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:9832
        
        C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -i -service install
        7⤵
        Executes dropped EXE
        
        PID:9948
        
        C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
        7⤵
        Executes dropped EXE
        
        PID:10056
        
        C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:6988
  - - C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\prod1_extract\saBSI.exe
      "C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2920
    - - C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\prod1_extract\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\prod1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1084
      - C:\Program Files\McAfee\Temp1559897177\installer.exe
        
        "C:\Program Files\McAfee\Temp1559897177\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:5288
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        7⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        7⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:8388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://en.download.it/?typ=1
      4⤵
      PID:4080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff379446f8,0x7fff37944708,0x7fff37944718
        5⤵
        
        PID:3884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 996
      4⤵
      Program crash
      PID:6856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 996
      4⤵
      Program crash
      PID:7508
- C:\Users\Admin\Downloads\undertale_Cai-ys1.exe
  "C:\Users\Admin\Downloads\undertale_Cai-ys1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\is-5JB3U.tmp\undertale_Cai-ys1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-5JB3U.tmp\undertale_Cai-ys1.tmp" /SL5="$1001BE,1583588,832512,C:\Users\Admin\Downloads\undertale_Cai-ys1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13219031000141096529,5751636109455014019,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5384 /prefetch:2
  2⤵
  PID:7236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1300

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
1⤵
PID:5420

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5948
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:6304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:7072
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:8368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
    3⤵
    PID:8996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
    3⤵
    PID:5792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:8484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:8704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4388 -ip 4388
1⤵
PID:7488

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:9040

C:\Users\Admin\Downloads\undertale\UndertaleDemo.exe
"C:\Users\Admin\Downloads\undertale\UndertaleDemo.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7312

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
PID:7368

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:6868
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:8680
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  - Executes dropped EXE
  PID:8564
- - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:7296
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1760,i,17238652717371464589,6573296171079358463,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1752 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7556
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --field-trial-handle=2200,i,17238652717371464589,6573296171079358463,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6892
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2396,i,17238652717371464589,6573296171079358463,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2388 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:7768
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3584,i,17238652717371464589,6573296171079358463,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:8168
- C:\program files\reasonlabs\epp\rsLitmus.A.exe
  "C:\program files\reasonlabs\epp\rsLitmus.A.exe"
  2⤵
  - Executes dropped EXE
  PID:7304

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks system information in the registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:7264

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:9108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:1356

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
- Executes dropped EXE
PID:7156

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:7576
- \??\c:\program files\reasonlabs\VPN\ui\VPN.exe
  "c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
  2⤵
  - Executes dropped EXE
  PID:6556
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4908
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2260 --field-trial-handle=2264,i,11751566461210713054,11747997866052080571,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:8752
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=2744 --field-trial-handle=2264,i,11751566461210713054,11747997866052080571,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7376
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2752 --field-trial-handle=2264,i,11751566461210713054,11747997866052080571,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:8676
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3836 --field-trial-handle=2264,i,11751566461210713054,11747997866052080571,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:8060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1256

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
1⤵
- Executes dropped EXE
PID:9888

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:10172

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:8228
- \??\c:\program files\reasonlabs\DNS\ui\DNS.exe
  "c:\program files\reasonlabs\DNS\ui\DNS.exe" --minimized --focused --first-run
  2⤵
  - Executes dropped EXE
  PID:6076
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\DNS\ui\app.asar" --engine-path="c:\program files\reasonlabs\DNS" --minimized --focused --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:7080
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2196 --field-trial-handle=2200,i,12886562946391711978,3564251849795940717,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5472
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --mojo-platform-channel-handle=2700 --field-trial-handle=2200,i,12886562946391711978,3564251849795940717,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4764
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --app-user-model-id=com.reasonlabs.dns --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2748 --field-trial-handle=2200,i,12886562946391711978,3564251849795940717,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:2488

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:8876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\McAfee\Temp1559897177\analyticsmanager.cab

Filesize
1.8MB

MD5
97ed5ed031d2032e564ade812cf1a544

SHA1
cce815ae908c8bea62bce28353abc719fe5dc84e

SHA256
8c9ac5ebbf2bf6ef3f9de07276761bb77ecd5a122d92a6d6e82d110557bffbc9

SHA512
e407772ff7ff9d87332b51c622883ca483285df9ae888da323e2f7aee6c2a24b699e5c8350b0a80e5a5e9d643db140eb1ddd75355e0af0611c02e6b5b537db12

Download Submit
C:\Program Files\McAfee\Temp1559897177\analyticstelemetry.cab

Filesize
48KB

MD5
ef6a25aa170818e96580be4114d669e9

SHA1
d3d0f5c1689bd5a77edc8cbd1a9b5dc6b317c2c9

SHA256
2bb88fafa2cf6d1d98519128b7a3e449110ef1584cbbcfafefb170ba83fbe67e

SHA512
42a810570051fb4065b043cffd5990533bc5e1dbeee7091d670a194caab2b72c10b06d1c1f7678d211e0a48fae8b61abdd3afde63392fd47e9a5f28b76cb1f89

Download Submit
C:\Program Files\McAfee\Temp1559897177\browserhost.cab

Filesize
1.2MB

MD5
b94c9f0a975476dba3dcf710bb1bb7b9

SHA1
efa5029cca331cbd83d0fb4c234d937693872feb

SHA256
8101b720507bf30c6ff828cafd1c1babb4fc85261d76edf5f3c34b0a92a9ee35

SHA512
ec2fc2c84fc9ace25d7da2c869b1b61009df65fbf1aa503fc2feaa0db5dce094d9c8d4dcca5ce92c7ddf9960bcf19b235e0a7c5555977bcbe3e72c850dfc29b0

Download Submit
C:\Program Files\McAfee\Temp1559897177\browserplugin.cab

Filesize
4.8MB

MD5
832afd444a290e49ad5d5fa751976d8f

SHA1
01ce1adc9028335126fc01c1a98a7ea396e9f3ee

SHA256
ae40f7e07be60148aee4223fe8356782db4e6b67b0b463b89405519dd8ef1d85

SHA512
8c0625f122955e90c51f27cd35866ef901fa8e90ab048c3cc909f3e467225ddf64fdb3f67f56bd08a84bc48094ea27c09bef0fc7802e9e50e1da49ff35be3cb7

Download Submit
C:\Program Files\McAfee\Temp1559897177\eventmanager.cab

Filesize
1.5MB

MD5
a2311baf2020a4b4616c1c4084047dce

SHA1
3799c778f4f59b423274f0a21c1f37f45d6a3058

SHA256
80ef158b822de25a7fe4e72a404abeb0dabdad208972080681c0cd7f13fd882b

SHA512
28dddb497174f884061c68dfd8033b2eb7c32b3bdd46ee2e8fa9238a5036d71e71f37c9e8da0cec400be872ad8f5d91f88a68108614591b29c5f15212c2045c3

Download Submit
C:\Program Files\McAfee\Temp1559897177\installer.exe

Filesize
2.9MB

MD5
6908407fb5ea50408e55db7877f41f30

SHA1
1e46a4801ec4345e168d9902a0f85c56685e5e45

SHA256
c716dcd46f88edbf6d217f4740b79fe0a60530d68495959c41a3be82dcf8de4f

SHA512
c9528e0308847a6fd9f3fd29c7cdcca42189264b4a5233b4cca24cfeefa4f3b1ece1d1da62c7e158005195a158ecf83968b433a9129e534bcd55e8304103a8c4

Download Submit
C:\Program Files\McAfee\Temp1559897177\l10n.cab

Filesize
263KB

MD5
8f64d3b5cf2d9ca534d15869831b03c2

SHA1
dc2dbf02917f6caf5647c6518b46d6a9a3ab3848

SHA256
419c412f0675ca9c33dd4893ca8c6fc716da26fe2951c4de5586783ebdca7a39

SHA512
7ab79b6be288f312c00b5421a918059e48e16ecbd2956e80ed4246e273640533bf058ac19927ea85d76dd03b8fc25461d4f77453d871729ffc47b3c6317aa957

Download Submit
C:\Program Files\McAfee\Temp1559897177\logicmodule.cab

Filesize
1.5MB

MD5
5a20121cafcd42a5b9121c781109af48

SHA1
5dd56ee30b9d856cd3e362fa4047ee983d18ac48

SHA256
12a876cd938e3cc9d23bf35df7c1d3b9724a92a152f1fbe102dfe16de0f7b670

SHA512
96b5e4fe6ad9a9bd7cadfb1105f54357f916d0ff394d82a0d4b2faae9771f154ed5f6a52b632ab4d83dfedcfec9ddb26fc2299124b5edfa4165218cdbc2bac84

Download Submit
C:\Program Files\McAfee\Temp1559897177\logicscripts.cab

Filesize
50KB

MD5
22bbe35450299d96df0fd8162b2111b7

SHA1
7da76911803b392652f72f08a314b46e0aa062f6

SHA256
85baf880052a9e42c1b509f60be049bd3164a450a82fdd668d20e7210e1e9945

SHA512
673c4ce4405290746d9505115830783004b6d20b537693b45e30a243405bbc6c852587e2a78497846548dac85f6b58a1b68a0dcf93aeb3719407be135dbbd185

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
73KB

MD5
bd4e67c9b81a9b805890c6e8537b9118

SHA1
f471d69f9f5fbfb23ff7d3c38b5c5d5e5c5acf27

SHA256
916f5e284237a9604115709a6274d54cb924b912b365c84322171872502d4bf8

SHA512
92e1d4a8a93f0bf68fc17288cd1547b2bb9131b8378fbd1ed67a54963a8974717f772e722477417f4eb6c6bb0b3dfba4e7847b20655c3d451cba04f6134c3ab5

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
388B

MD5
df6dc5c215aee2c259668e6774dff775

SHA1
06c0f3642e8f03454522cbd7cc77d7f9859f58e9

SHA256
77ba975e26d4cd48d5ac697cbb69598e8ae3e073086d9bcb07dbacbd4227d2a7

SHA512
586b24eb0a9c7fc26204f5c03d28dff5ab80a4fb6e87af337d82c1bf88392c1819f2ee485ddd586e64eb17819a060374a16563dca237e5e6f64e11c42e1b4df2

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
633B

MD5
c80d4a697b5eb7632bc25265e35a4807

SHA1
9117401d6830908d82cbf154aa95976de0d31317

SHA256
afe1e50cc967c3bb284847a996181c22963c3c02db9559174e0a1e4ba503cce4

SHA512
8076b64e126d0a15f6cbde31cee3d6ebf570492e36a178fa581aaa50aa0c1e35f294fef135fa3a3462eedd6f1c4eaa49c373b98ee5a833e9f863fbe6495aa036

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
388B

MD5
1068bade1997666697dc1bd5b3481755

SHA1
4e530b9b09d01240d6800714640f45f8ec87a343

SHA256
3e9b9f8ed00c5197cb2c251eb0943013f58dca44e6219a1f9767d596b4aa2a51

SHA512
35dfd91771fd7930889ff466b45731404066c280c94494e1d51127cc60b342c638f333caa901429ad812e7ccee7530af15057e871ed5f1d3730454836337b329

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
633B

MD5
6895e7ce1a11e92604b53b2f6503564e

SHA1
6a69c00679d2afdaf56fe50d50d6036ccb1e570f

SHA256
3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177

SHA512
314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
339KB

MD5
030ec41ba701ad46d99072c77866b287

SHA1
37bc437f07aa507572b738edc1e0c16a51e36747

SHA256
d5a78100ebbcd482b5be987eaa572b448015fb644287d25206a07da28eae58f8

SHA512
075417d0845eb54a559bd2dfd8c454a285f430c78822ebe945b38c8d363bc4ccced2c276c8a5dec47f58bb6065b2eac627131a7c60f5ded6e780a2f53d7d4bde

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
e0f93d92ed9b38cab0e69bdbd067ea08

SHA1
065522092674a8192d33dac78578299e38fce206

SHA256
73ad69efeddd3f1e888102487a4e2dc1696ca222954a760297d45571f8d10d31

SHA512
eb8e3e8069ff847b9e8108ad1e9f7bd50aca541fc135fdd2ad440520439e5c856e8d413ea3ad8ba45dc6497ba20d8f881ed83a6b02d438f5d3940e5f47c4725c

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
348KB

MD5
41dd1b11942d8ba506cb0d684eb1c87b

SHA1
4913ed2f899c8c20964fb72d5b5d677e666f6c32

SHA256
bd72594711749a9e4f62baabfadfda5a434f7f38d199da6cc13ba774965f26f1

SHA512
3bb1a1362da1153184c7018cb17a24a58dab62b85a8453371625ce995a44f40b65c82523ef14c2198320220f36aafdade95c70eecf033dd095c3eada9dee5c34

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
6KB

MD5
87ac4effc3172b757daf7d189584e50d

SHA1
9c55dd901e1c35d98f70898640436a246a43c5e4

SHA256
21b6f7f9ebb5fae8c5de6610524c28cbd6583ff973c3ca11a420485359177c86

SHA512
8dc5a43145271d0a196d87680007e9cec73054b0c3b8e92837723ce0b666a20019bf1f2029ed96cd45f3a02c688f88b5f97af3edc25e92174c38040ead59eefe

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
257B

MD5
2afb72ff4eb694325bc55e2b0b2d5592

SHA1
ba1d4f70eaa44ce0e1856b9b43487279286f76c9

SHA256
41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

SHA512
5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
370B

MD5
b2ec2559e28da042f6baa8d4c4822ad5

SHA1
3bda8d045c2f8a6daeb7b59bf52295d5107bf819

SHA256
115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3

SHA512
11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
508e66e07e31905a64632a79c3cab783

SHA1
ad74dd749a2812b9057285ded1475a75219246fa

SHA256
3b156754e1717c8af7fe4c803bc65611c63e1793e4ca6c2f4092750cc406f8e9

SHA512
2976096580c714fb2eb7d35c9a331d03d86296aa4eb895d83b1d2f812adff28f476a32fca82c429edc8bf4bea9af3f3a305866f5a1ab3bbb4322edb73f9c8888

Download Submit
C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\VPN\Uninstall.exe

Filesize
192KB

MD5
dfbdb770e1978ed8be16217b71d088cd

SHA1
5bfdae715d9c66c4616a6b3d1e45e9661a36f2c0

SHA256
04d18ccd404a7b20e5ae3a17ca9a01be54f82b511e349379677e7e62aa6a68b9

SHA512
7d4801250d8449d3fcbf714351fe86d64201ad22ecbfaa91588046bb1ef88f22912a58689876ac7b1f94e83047920893b488589d14accf4570e5c116c667ef12

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
248B

MD5
5f2d345efb0c3d39c0fde00cf8c78b55

SHA1
12acf8cc19178ce63ac8628d07c4ff4046b2264c

SHA256
bf5f767443e238cf7c314eae04b4466fb7e19601780791dd649b960765432e97

SHA512
d44b5f9859f4f34123f376254c7ad3ba8e0716973d340d0826520b6f5d391e0b4d2773cc165ef82c385c3922d8e56d2599a75e5dc2b92c10dad9d970dce2a18b

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
633B

MD5
db3e60d6fe6416cd77607c8b156de86d

SHA1
47a2051fda09c6df7c393d1a13ee4804c7cf2477

SHA256
d6cafeaaf75a3d2742cd28f8fc7045f2a703823cdc7acb116fa6df68361efccd

SHA512
aec90d563d8f54ac1dbb9e629a63d65f9df91eadc741e78ba22591ca3f47b7a5ff5a105af584d3a644280ff95074a066781e6a86e3eb7b7507a5532801eb52ee

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
98f80f3c8f85301f6f94fabd56f0b7ce

SHA1
175ba85e0a607c2f64d2a3a91e3b7c64cdc6df95

SHA256
46027ce3edd5cbe71265e1db4be6a3389fdf1a4cfa727aa2cedeebd1a964c9a6

SHA512
ed529e86cbc27f328dbbe63144678c317ce44a02c664396d0bb142d519c7729e5ff89f2e1494bcbd4af4dcba3be5918dec5f8b2805befd49654c6476466b2df0

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
c5e3c4ecdbd7ddd0c06d8c8ae7761d34

SHA1
6983cd963b04c1ba561e4f147ab3a70c1396a228

SHA256
48e25215d0210814dfd8db19dcd00c5fc73e3848ddb9c08c7166625654b7c985

SHA512
abf9c5fcc5d200ac9e1e926796e995570e672ff01ce526143f9dd4a1ad9d4939c642bcc5810ca41146ba37c49690c193de821358123f021348e5a7f4cdaddfbb

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
6KB

MD5
584395b71d0779c8cff963ba1cc6452b

SHA1
7656a8559fe0d813f6f12c66d59f6b95f462e679

SHA256
220c06cc1e4c05cffaabe8d1a70e081de692d2c52303eb9fc64d4629058176e6

SHA512
74fc0e5c0b1b9fa6d4427410662c0475550fe3a2080a46d91a3875c2acc5d0802ec025307b8b42e0b8a37636a7d140bbfeea8350cb53dbe29ab7a60b429c2cb4

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
e672f63d1fc753e28f6e924cf6555c4a

SHA1
31de134ded5ef8807829ccd9e93c570c70746885

SHA256
c721d24d5ff4f92bea217dedc9ef3869e788eabd45563071fde99a6860e26e39

SHA512
0cd90a7e87c531d197812d63aae630db5b6e140984c4ce01e54e4953c6faf423839ea5d0e2df5b2b909d475e8cb2bfc37706cdf7960fac7ffeda61d5e4a43543

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

Filesize
5.4MB

MD5
f04f4966c7e48c9b31abe276cf69fb0b

SHA1
fa49ba218dd2e3c1b7f2e82996895d968ee5e7ae

SHA256
53996b97e78c61db51ce4cfd7e07e6a2a618c1418c3c0d58fa5e7a0d441b9aaa

SHA512
7c8bb803cc4d71e659e7e142221be2aea421a6ef6907ff6df75ec18a6e086325478f79e67f1adcc9ce9fd96e913e2a306f5285bc8a7b47f24fb324fe07457547

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

Filesize
2.9MB

MD5
2a69f1e892a6be0114dfdc18aaae4462

SHA1
498899ee7240b21da358d9543f5c4df4c58a2c0d

SHA256
b667f411a38e36cebd06d7ef71fdc5a343c181d310e3af26a039f2106d134464

SHA512
021cc359ba4c59ec6b0ca1ea9394cfe4ce5e5ec0ba963171d07cdc281923fb5b026704eeab8453824854d11b758ac635826eccfa5bb1b4c7b079ad88ab38b346

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

Filesize
592KB

MD5
8b314905a6a3aa1927f801fd41622e23

SHA1
0e8f9580d916540bda59e0dceb719b26a8055ab8

SHA256
88dfaf386514c73356a2b92c35e41261cd7fe9aa37f0257bb39701c11ae64c99

SHA512
45450ae3f4a906c509998839704efdec8557933a24e4acaddef5a1e593eaf6f99cbfc2f85fb58ff2669d0c20362bb8345f091a43953e9a8a65ddcf1b5d4a7b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0687ee92-32ef-4c6c-8b10-21e77312fffb.tmp

Filesize
5KB

MD5
d10e6a04e974f5f17b53551776c5576b

SHA1
02c3edb5553a31d86b6db8e3d2381d711ba4db87

SHA256
c0f0353eee47f3a284e4b498daca54498ff1b55f032ca4f346ebe2e7829c84c5

SHA512
aaec80aa16e740988962b73e71fc3428cafb4e29cb5bbbea620a820beaf30906273a8652b45ea6cb90e095f468c13df2a9046d1bd767bd24e5457acccc9db575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\743a07be-508c-4d20-bbff-1fb67718dec0.tmp

Filesize
8KB

MD5
7f805911cd758624660def17f04ebbda

SHA1
c104de1250e04fc017a3fc664071a75b273aeb3c

SHA256
ab23fa8a7859463f8695c3dbb25714c472db94583b1ed59797dbcd33bb8bda48

SHA512
07a54e52dc00a2fca874ce2db6bd96354606913888fc7f1b0288d9dae7a366dd76b96886dd8af20f2660d31cca8916264f5d4a1a62dc05c08c8903010b3a19e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
16KB

MD5
f1f639347fc75f95882f350c19421e4e

SHA1
c5d3006d91dcfae8050d24626e53dfa0f1b79cb2

SHA256
e9cf22173be6f8dda7373869d82f6ddee30c7466f116c70208f958bbd92b39b5

SHA512
dd181d92510b56f467ec8997ab99d5ce1e30e9154ea8d40446daa38de21ef488c8fb66e7ea63860a5dffb424ad6e2e6ddf51209e729083f028c04e8c47134362

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
86eb5c044f0c9608b575420f3fd5c753

SHA1
d894ca4b72300f2c931dfba047878b111904cd1a

SHA256
7989b278a61f8aa15dbde7cf4cc11a0991302f9eb8e457c3b9232bffd8b4de75

SHA512
55b8f8084b9c45e964ef69ac12bd5f2fd4e548bfded68ca9cfe37b60281ac7199081f34646df2e1ecec63e8b8d836e533486c78ff10b4f2c55e7809a5e3ed122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
30KB

MD5
93babd0d47aa9ec1732ced250bfec0d6

SHA1
6f23859b152582d53a9d18ffe455992a311b8318

SHA256
d0a24e45e9147d4c8a3bf19be35dcc8ef912e3b0957143088a02ebf0577dfaae

SHA512
6fa41aa72dbdc07d895f7f17ca71cf91af4cf9affc643b8790adcdee32d11539c46a64c9f82fabd5ba2454c8397fc0efde09e162b5de98ce526e27e860d4edb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
7091e5fa567092375d2811bf88e6b833

SHA1
16c7f9a75d1c0624b5d23561abf08fbb250c7947

SHA256
7209537a2271d1f76360d7764e72602137c21b0d0cdd49440985c33dd690e451

SHA512
6d7ec66fd0aa2cd9e42aff4f2f64458bcc93e1b40c7b139a53da733bbe38a6032a1ad738a3920c6d5a9caa7b520b9c0498d1c608d3bb4bf74e7900d15a3f1b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
75KB

MD5
1dd147244c3f794ed0faa8fa0132fc58

SHA1
e98159c3a7a3e7456c8ed23695429b5b480fbb6a

SHA256
0b961b4ac872dfec2ac219da32dade4d4034775a9f319288ad68da003bc6eb42

SHA512
f92f425069de981ece8d563666751440969e270fa960c29b9c1c81a54e2cb8f6df42876475704c54c7c04004d2942d6b0452e4e86fd90f17514e241c8fb5c7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
51KB

MD5
e06c1dbbe0acac772dccd0cc7b9ac0aa

SHA1
e36fbf6d5fe5dc72001328a5fe39a021372c8fcd

SHA256
f964e27e6536807e9eed71247c6d73f14e5cf947345907b37e1642f364be3806

SHA512
f9dd5531bc418add18ace4241095bb7341c1192c22f377046ac91fd3e9088a260d2ec8d1495f7472c560072bda275f9c7e6467c1b0e8e527553cdc8d34bd33a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
96KB

MD5
510bc83442745f129fbae896108e3b2d

SHA1
bd6df64000b014288ac4abd8a04603e731b871a3

SHA256
f24ff36a5bd0be6d16b4f941c34cafad411dcc970e5830a09b7688e76757cb62

SHA512
ad9e06ef9232cec4112e0207fb6059ff06d81d0b67d5a2fb2e5885c9851d016eaa9964585c8c1d3004c2ee204647be020eacba17a29e893734f29ceaf4613106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
139KB

MD5
aa6f0c33ebde59b6e1062943e5b8680e

SHA1
7294bc12f84e37d6722aaa9470cf086c285667a1

SHA256
e24bdd8cfb8c96a9ce4ec7cf99394e0e69c6c57966d46e71f631a6fe1403dde0

SHA512
900a522e3e92b9c635f51a60614e0fa34a1c0ed248f9866b0be1f8ff16b1733f6deb16d5095e4eb2f8473352c632a7b06ab7a01e16cb2738a0f37a86469036a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
43KB

MD5
dc4c949fa28c5a7cbdbd711139ebfc32

SHA1
2722ee26ab881606d6ba791c9f543c584e4a1de2

SHA256
ded803f78589bbc7239921922f4383666606e966c033ee28a486af59f82914a8

SHA512
f81a4108f7742d032b39e0d5ea09be4f09f1c856e510efb3feb4dc988c3ee0867a2fd9c0a802bb15e4336bef1caae46cdf1011697ccfd3d47ad79ea9dc16c5d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
20KB

MD5
bbd52204d8f4e333b83bbcfbd3d4fc6d

SHA1
1b9888fcdcaa8f260457d33f9e461206de92d345

SHA256
67c86cd1e2be5be9db47f2b5f47b222be113fb13fda160f61740847fc9cd4e9e

SHA512
10d22dfc49f5cddb320012d49d793c9f3e149f746078ed632d9570dd417173fcbf15c9425c4d6232d2d25a6ee9e353f41c32671d3b22ac26aecd8279eacd9d27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
64KB

MD5
add9dce7c4828801f845ec416c87e8fc

SHA1
8104424a0917352036ef9b6fe8dc103b72222147

SHA256
db35d419b0e9445f031d0fc0532a5d177f3031d969cb6dec1b1ebbcd3b418f23

SHA512
df2cb96c1b1277ec9ee1a56e3e378183659193e9c33923d5fecea04acf2d3c74f95ab3bdbdcd310a87493d92c049826cec65842daa07c9c8a80d2aee35e5bc1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
20KB

MD5
aac67bece45ce8383387b4729b62147e

SHA1
2b8c2f23699460ed5d190e4b6896ef12d58ab0cb

SHA256
6012590eb665eacde75a99d23d7751de686c65e15275c4b30b7209e92a09481d

SHA512
38364475d8808cf807e75ebde81ab383d30b137cf4a92f6fcebf8cdecc780c1508dcbe299f970a80bca245c333e341718b773218cfb86fa3241d53158bb892bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
20KB

MD5
9536f065bf9951671dea1d65c41e4aab

SHA1
8d230e549b93c80b1851aacf7f1b8e2b92e0ed60

SHA256
bde1ef608bbb566c4dc8b0adb4a1832c6e3ddfdbf105bb10aa70a726fda7ac0f

SHA512
9fc20373f6e1bdf53a29627fc5b50fed3ca078152cba7fa7b1169f7bbe7106dd554bacd7f3488dca58e26cd9baa6af60d72963ff4195d3f46bfc290786bfc19d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
82022fbbbd896ebca80aa07e8e367bd3

SHA1
8995737f1a8a0629a49036405fe8cb830ec30ae6

SHA256
70d856fcd41355eedfab64ca70537265d12910af17a02a3bb1e82b7805d59296

SHA512
35043088665fda972f062265bf12bfc5a9621f5ae1ac9d774e52cfea0e8c1f0f03c55f0c7ae798a412dd277880367578300c13a5f29ca7b4722851811228304d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9f33fddfef39fc7597603ff3dfdf5cab

SHA1
6bda2bb45062227a9a1e081689c40c42d8873a7f

SHA256
7bd437bb1b921c25928e193aa0bd24a4894ff438f68ee9c30d15a5bef6366d1a

SHA512
84c5834ed50d31431fc9978a0386b020bbb3f7858638d0ba781209e04084ded4319dc30cc9ed468e5d8e54ef511c7193fea08b9b9083fd7407e30ab652c3d502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a5cf58c232bc19649381eb7b94160492

SHA1
e8b941c55e3c84da8b2a0bd4c8bb83ef009276c4

SHA256
f5317b3c270032407b68ab51774ac9186f5dca06b9453bcf75cf0eb3b1a3885f

SHA512
561372d014778944fb0bfcf04bd078e099ffab467af68062939c9ac41e19e691e66dd589b3759ebff6acb5a9d45b7fdde85f0fab3e11444631f088a5e71eabc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4ba85ed297c4f79a3ee764bf62270519

SHA1
899315269d4f6934016883434a257d949c75e116

SHA256
6174124b0f4dc222b65a95ba20b6c976ae0d42971e5392f966981888374e40c8

SHA512
5b608d95ebba9ac195c80c6176221935e44fa1b25a3079114eada5441018fc8e3ee40128c52365c6f03a59ef64f6fbb4401d1f8cfb7fd6033406a5f82cafc334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
90c36558076c81f2978e8bf88458afaf

SHA1
86fab6828635517d637cda87425e701c19180b99

SHA256
fabf7f9a9c8052efaccbe1d385cb24ebfcb452083c136699fcbc1563ec662fce

SHA512
6f48317d86dbf41a62a5c1a88d0a754a7f80913bcc581ff08aaa47a31ba27333bb2c4db50bcd848a71e2b104beae03ef6de0d23d3fdbf110ac48ac97d5726b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9f869b90aee025cf878bac3469a2d70a

SHA1
aab97d1df6b4f98ea338fb7713cea194180c2c2e

SHA256
5c8ce9cad96a55406aa9a7f6a4d82c1c489f70c87e84223d0215626691352a00

SHA512
adedbcab7e0d0a4e04b3a99cf5a9b2134549ae2295e94b9147faee3650e9d40aae852135812cffe11763cb39594cc80ae9ec99caa78081e2ae6775004d8ba98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
67b095b2dbf551e6856f70f048b4484d

SHA1
dcdfb5ec62877ba11072eadf4c4507882692b40c

SHA256
8dd568664fb1712305dca66f18a68da8bde82e5d365a7057a8ee7ed34450afb8

SHA512
fc6de376ea8f1a0085dafdf50347b1ac6e083df32a2e9841e5be004454f34af1869bc4700596583fb22f41d84ac5ffd69f8bb7a46aca32fcbc88690282d60d07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1f6a27e76c747ac8f6d63613bedebbfb

SHA1
0621cdf6c354d3e204e6e0801785da0830d28e87

SHA256
c033086f185c2b961110c16f20766d607aa776e70b8bcfeb887856a50686046a

SHA512
1df8f6cda3a27a87c1cb9a2426aeafa920c7ea00db06bbe53f7ce9e17c12b494649e998525ea27a30d3bc5c5c075642a673697c2c6c08b56b660ede83161f0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
1cb239e3a1f05adc360d73db581cf9ed

SHA1
d0ebc2c6b68b9669aecf1b659195d022ce822e48

SHA256
7b0e146e390f69395d1faed1779738045764c528cecb72a6a9950e338fc35fee

SHA512
3e7d4e84220aca806fdd4886188d55f666b3a736c7b2e101568a61c5133ba1b5d6daf41772de6768c7c477a2f585d2d852fb01e14b8747b79c27ec701ee11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57beeb.TMP

Filesize
538B

MD5
40ddae84f23d6a45b6cbd3ffa82fd299

SHA1
53b415094193b54a6a363abc0564e51df612572f

SHA256
7e215e811fce79cd9ac47d62db54a76de19e2afc445f74b33ffb9adb11ae481e

SHA512
378e4be20c665f6945c0f14d397b570bebb17e82216f4188c9e5ef05a727aee9978b23b77a0325c48a59361b0c0b60f07be27ad2fdc3b6bde3f617387d5acf19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e4b656548380f657b77a16ccb1b772c5

SHA1
8d54bcba45c8b4b6f8385b36116b65b791aa655a

SHA256
0aa5d7f926584f3153f354e9b220231e2148084026dda5d58d8199cfa17592db

SHA512
cb2c576fc32e0fb14015a21ebfc073b6d281562574dd416a866be4edf9e572f6a47672bc0002bc6fd6dcc6cdd0390e92fc56d9a55224d57b75fefc81e23aec73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8904dae5b83492d320e111e965278037

SHA1
1c80608088b033f096e584a92b9e37a44e3ce814

SHA256
e68f34d7b1e74422d878c752950ce2d7d6b35034bf258d409abae8be66831a62

SHA512
1947f5cef3beb604e567d043fc36ce4a0ceafbbfb9475435bed3bbea05d3f0ec12a2ac57664f1145e99df89a92f65b184c8349e9e9962e412478810667951524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
15246bc84538858ed6686eb19c41134a

SHA1
1ea847d608cec7d0a161a4927509c54259aa537a

SHA256
aa129658db90d790850f0535285e6627c406b32b35bca500918dfadf2769f30d

SHA512
8fcf7eb0d6ce92acd5d437161d4da40dbb8f70662ba452886c7cfb1d0f01c52561236dbdd5817f5999200e5bbc3230ee7ac923062aa3930ae035ea4a330b5890

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\23d7e808-9995-44db-a4f3-0c315de94ad8\UnifiedStub-installer.exe\assembly\dl3\4be189dd\59959f37_6d0adb01\rsJSON.DLL

Filesize
216KB

MD5
7dd406fa2b496d691f866eddc790d6cc

SHA1
692422b46102af2ab31f7902a970c912a2ba000d

SHA256
bd7b33b101f222846b09f057bc54bc586ed5da63fe189e9ab19bcc43ecf85956

SHA512
c8ac9e9491f6695de1d9c3fee1ddbdd0261b8e32928bc228858021851fed501cb6b12adc5dc282e703a1e8efdf372073c1794f202943149e7320831846708979

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\23d7e808-9995-44db-a4f3-0c315de94ad8\UnifiedStub-installer.exe\assembly\dl3\57fcb725\0bbd9f37_6d0adb01\rsLogger.DLL

Filesize
178KB

MD5
2f2164b351afc5d08420257cd32b9c4e

SHA1
1ea3c935c7c72a94f863e7dbe7dacccd39980970

SHA256
ec54e4f32f3ea10486839080cffb4c13aecf12b278622bf048f5b5fa64c98437

SHA512
949179ceef6995b3c9692110b22cf07fb7f187adbb22a78b15d239b93fc12c461ca1008c3cbc87c62fd68e1482a10710fea40679b3e82a11ca5fdec6df6174fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\23d7e808-9995-44db-a4f3-0c315de94ad8\UnifiedStub-installer.exe\assembly\dl3\58044087\00419637_6d0adb01\rsAtom.DLL

Filesize
157KB

MD5
4bc064996097db51318511ed2566851d

SHA1
413e6d0217172bc1a86d1c916dc575d080d7ff3f

SHA256
1caf633d64246a4a0597232c7fb87f2b8a3e35648f3d30f575cbc69249959203

SHA512
332dfe6c28d932d8d4868432edded14fe816f17d80d9c543da0ce3cf87f796e70acb1a0c8a3e1653c5f9994834c17b972047cc8679508634217362e7205f281e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\23d7e808-9995-44db-a4f3-0c315de94ad8\UnifiedStub-installer.exe\assembly\dl3\9e9b6654\0bbd9f37_6d0adb01\rsServiceController.DLL

Filesize
173KB

MD5
068958f78fab4b76e5196051df3af162

SHA1
6f7489e40d3c48b922511622238fdb8383560ac3

SHA256
c3009c36e9353ee749a69b1569efc81b91dc1e7af403c8742787a412a7429aa8

SHA512
8a7daf88049912f00434b0cc239bad4b07682532d96a9f3e30e2f1cdb33e0441e2e7742ab727854f7b9372d4168ebd24af5350b0ee36247719c026e018975e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\5622a387-e8bd-43ed-86c7-ca3f3ff887ca\UnifiedStub-installer.exe\assembly\dl3\18a0799f\6fa7a744_6d0adb01\rsJSON.DLL

Filesize
216KB

MD5
fc1389953c0615649a6dbd09ebfb5f4f

SHA1
dee3fd5cb018b18b5bdc58c4963d636cfde9b5cc

SHA256
cb817aa3c98f725c01ec58621415df56bb8c699aaed8665929800efb9593fcc0

SHA512
7f5a61dd1f621a539ed99b68da00552e0cda5ad24b61e7dbf223a3697e73e18970e263fda889c08c3c61252c844a49c54c4705e1f3232274cbe787a3dbd34542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\5622a387-e8bd-43ed-86c7-ca3f3ff887ca\UnifiedStub-installer.exe\assembly\dl3\1e361415\f22e8fd7_7ce2da01\__AssemblyInfo__.ini

Filesize
176B

MD5
2ae4652bdb871fd27b223ba2d511207e

SHA1
60dde0ca365ea122bd51cbd0f6eec89de091a2a6

SHA256
1395dad604a26f24ea79a65752a1d8e5902cc6e8930a15e749bfb62f22564dbf

SHA512
a650a3c8114552a73aee3ee2b270ed513ea0f1508cfae4f3cd932d8808e41d0b2ade09c7f2823a7b6366345c94101539fe42ada3c468ef84d7dc267cd93d13c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\5622a387-e8bd-43ed-86c7-ca3f3ff887ca\UnifiedStub-installer.exe\assembly\dl3\8bea7639\31fda344_6d0adb01\rsAtom.DLL

Filesize
157KB

MD5
1b29492a6f717d23faaaa049a74e3d6e

SHA1
7d918a8379444f99092fe407d4ddf53f4e58feb5

SHA256
01c8197b9ca584e01e2532fad161c98b5bde7e90c33003c8d8a95128b68929c0

SHA512
25c07f3d66287ff0dfb9a358abb790cadbabe583d591c0976ea7f6d44e135be72605fa911cc4871b1bd26f17e13d366d2b78ce01e004263cbe0e6717f822c4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\5622a387-e8bd-43ed-86c7-ca3f3ff887ca\UnifiedStub-installer.exe\assembly\dl3\e35e88fb\3ad0a744_6d0adb01\rsServiceController.DLL

Filesize
173KB

MD5
860ced15986dbdc0a45faf99543b32f8

SHA1
060f41386085062592aed9c856278096180208de

SHA256
6113bd5364af85fd4251e6fa416a190a7636ac300618af74876200f21249e58a

SHA512
d84a94673a8aa84f35efb1242e20775f6e099f860a8f1fe53ba8d3aebffd842499c7ac4d0088a4cded14bd45dad8534d824c5282668ca4a151ac28617334a823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\5ae8aece-71ef-4d37-9c6a-6794ce842394\UnifiedStub-installer.exe\assembly\dl3\39aeb771\1330512b_6d0adb01\rsServiceController.DLL

Filesize
183KB

MD5
4f7ae47df297d7516157cb5ad40db383

SHA1
c95ad80d0ee6d162b6ab8926e3ac73ac5bd859a3

SHA256
e916df4415ae33f57455e3ea4166fbb8fbe99eeb93a3b9dcab9fe1def45e56ed

SHA512
4398652b53b8d8c8bac584f83d5869985d32fa123f0e976ef92f789b1f7116572a15d0bb02be3fbc80ed326cfb18eea80fec03ee20ed261e95daa4e91e61c65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\5ae8aece-71ef-4d37-9c6a-6794ce842394\UnifiedStub-installer.exe\assembly\dl3\8c5c01c8\1330512b_6d0adb01\rsJSON.DLL

Filesize
221KB

MD5
e3a81be145cb1dc99bb1c1d6231359e8

SHA1
e58f83a32fe4b524694d54c5e9ace358da9c0301

SHA256
ee938d09bf75fc3c77529ccd73f750f513a75431f5c764eca39fdbbc52312437

SHA512
349802735355aac566a1b0c6c779d6e29dfd1dc0123c375a87e44153ff353c3bfc272e37277c990d0b7e24502d999804e5929ddc596b86e209e6965ffb52f33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\5ae8aece-71ef-4d37-9c6a-6794ce842394\UnifiedStub-installer.exe\assembly\dl3\94238c50\1330512b_6d0adb01\rsLogger.DLL

Filesize
183KB

MD5
54ff6dfafb1ee7d42f013834312eae41

SHA1
7f30c2ffb6c84725d90ce49ca07eb4e246f2b27b

SHA256
ef5ce90acf6eb5196b6ba4a24db00d17c83b4fbd4adfa1498b4df8ed3bf0bd0c

SHA512
271f1203ee1bacac805ab1ffa837cad3582c120cc2a1538610364d14ffb4704c7653f88a9f1cccf8d89a981caa90a866f9b95fb12ed9984a56310894e7aae2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\5ae8aece-71ef-4d37-9c6a-6794ce842394\UnifiedStub-installer.exe\assembly\dl3\babe88cd\b26a4c2b_6d0adb01\rsAtom.DLL

Filesize
171KB

MD5
de22fe744074c51cf3cf1128fcd349cb

SHA1
f74ecb333920e8f2785e9686e1a7cce0110ab206

SHA256
469f983f68db369448aa6f81fd998e3bf19af8bec023564c2012b1fcc5c40e4b

SHA512
5d3671dab9d6d1f40a9f8d27aeea0a45563898055532f6e1b558100bed182c69e09f1dfd76574cb4ed36d7d3bb6786eff891d54245d3fab4f2ade3fe8f540e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\Microsoft.Win32.TaskScheduler.dll

Filesize
340KB

MD5
e6a31390a180646d510dbba52c5023e6

SHA1
2ac7bac9afda5de2194ca71ee4850c81d1dabeca

SHA256
cccc64ba9bbe3897c32f586b898f60ad0495b03a16ee3246478ee35e7f1063ec

SHA512
9fd39169769b70a6befc6056d34740629fcf680c9ba2b7d52090735703d9599455c033394f233178ba352199015a384989acf1a48e6a5b765b4b33c5f2971d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\Newtonsoft.Json.dll

Filesize
701KB

MD5
4f0f111120d0d8d4431974f70a1fdfe1

SHA1
b81833ac06afc6b76fb73c0857882f5f6d2a4326

SHA256
d043e6cde1f4d8396978cee2d41658b307be0ca4698c92333814505aa0ccab9a

SHA512
e123d2f9f707eb31741ef8615235e714a20c6d754a13a97d0414c46961c3676025633eb1f65881b2d6d808ec06a70459c860411d6dd300231847b01ed0ce9750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\UnifiedStub-installer.exe

Filesize
1.0MB

MD5
493d5868e37861c6492f3ac509bed205

SHA1
1050a57cf1d2a375e78cc8da517439b57a408f09

SHA256
dc5bc92e51f06e9c66e3933d98dc8f8d217bc74b71f93d900e4d42b1fb5cc64f

SHA512
e7e37075a1c389e0cad24ce2c899e89c4970e52b3f465d372a7bc171587ed1ee7d4f0a6ba44ab40b18fdf0689f4e29dfdbccbabb07e0f004ef2f894cb20d995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\rsAtom.dll

Filesize
169KB

MD5
dc15f01282dc0c87b1525f8792eaf34e

SHA1
ad4fdf68a8cffedde6e81954473dcd4293553a94

SHA256
cc036bcf74911fe5afb8e9fcc0d52b3f08b4961bcda4e50851eda4159b1c9998

SHA512
54ee7b7a638d0defcff3a80f0c87705647b722d3d177bc11e80bfe6062a41f138ef99fc8e4c42337b61c0407469ef684b704f710b8ead92b83a14f609f0bc078

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\rsLogger.dll

Filesize
182KB

MD5
1cfc3fc56fe40842094c7506b165573a

SHA1
023b3b389fdfa7a9557623b2742f0f40e4784a5c

SHA256
187da6a5ab64c9b814ab8e1775554688ad3842c3f52f5f318291b9a37d846aa2

SHA512
6bd1ceaf12950d047a87fd2d9c1884c7ac6e45bd94f11be8df8144ddd3f71db096469d1c775cf1cb8bc7926f922e5a6676b759707053e2332aa66f86c951fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\rsStubLib.dll

Filesize
271KB

MD5
3bcbeaab001f5d111d1db20039238753

SHA1
4a9c0048bbbf04aa9fe3dfb9ce3b959da5d960f8

SHA256
897131dd2f9d1e08d66ae407fe25618c8affb99b6da54378521bf4403421b01a

SHA512
de6cde3ad47e6f3982e089700f6184e147a61926f33ead4e2ff5b00926cfc55eb28be6f63eea53f7d15f555fd820453dd3211f0ba766cb3e939c14bb5e0cfc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\rsSyncSvc.exe

Filesize
798KB

MD5
f2738d0a3df39a5590c243025d9ecbda

SHA1
2c466f5307909fcb3e62106d99824898c33c7089

SHA256
6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21

SHA512
4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS47F2FBB8\uninstall-epp.exe

Filesize
319KB

MD5
79638251b5204aa3929b8d379fa296bb

SHA1
9348e842ba18570d919f62fe0ed595ee7df3a975

SHA256
5bedfd5630ddcd6ab6cc6b2a4904224a3cb4f4d4ff0a59985e34eea5cd8cf79d

SHA512
ab234d5815b48555ddebc772fae5fa78a64a50053bdf08cc3db21c5f7d0e3154e0726dacfc3ea793a28765aea50c7a73011f880363cbc8d39a1c62e5ed20c5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\944b4b93-4f88-4e66-aff7-8d99ce087d54.tmp.ico

Filesize
278KB

MD5
ce47ffa45262e16ea4b64f800985c003

SHA1
cb85f6ddda1e857eff6fda7745bb27b68752fc0e

SHA256
d7c1f9c02798c362f09e66876ab6fc098f59e85b29125f0ef86080c27b56b919

SHA512
49255af3513a582c6b330af4bbe8b00bbda49289935eafa580992c84ecd0dfcfffdfa5ce903e5446c1698c4cffdbb714830d214367169903921840d8ca7ffc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5JB3U.tmp\undertale_Cai-ys1.tmp

Filesize
3.1MB

MD5
02b1d8ff84bcd4ebcb01156636269b99

SHA1
15ba86430b90264da7d9f2c05be57c56640d4ba9

SHA256
a6497ddddd577caefe5a39958a604f9ee4bfe93e9da285b147ba6fc6788e75ca

SHA512
640227915b78fb8e0fd8e6a6ca883e4ed4e3fa45524fca5a9344c067840b3fc11c7b98fd05351eabaee3d4afa21711dc0999175cbc154d13b02135706ef5b47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\Helper.dll

Filesize
2.0MB

MD5
4eb0347e66fa465f602e52c03e5c0b4b

SHA1
fdfedb72614d10766565b7f12ab87f1fdca3ea81

SHA256
c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc

SHA512
4c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\loader.gif

Filesize
10KB

MD5
12d7fd91a06cee2d0e76abe0485036ee

SHA1
2bf1f86cc5f66401876d4e0e68af8181da9366ac

SHA256
a6192b9a3fa5db9917aef72d651b7ad8fd8ccb9b53f3ad99d7c46701d00c78cb

SHA512
17ab033d3518bd6d567f7185a3f1185410669062d5ec0a0b046a3a9e8a82ee8f8adb90b806542c5892fc1c01dd3397ea485ebc86e4d398f754c40daf3c333edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\mainlogo.png

Filesize
7KB

MD5
60ec543674ac82f5f32d6de542f866f6

SHA1
cae7a8f8701276f4f017ea13c9403f8785f5917f

SHA256
b38f25875e4e8f069d2ff6af3ff2caa49b2509ab64f72a04682ff2ed46b991e4

SHA512
532bb5d926c82a208ee6152a9b7f96ebd2456df2c16a3963e363f5bed7babcc0bb33a8973b114edbcce48fcb0cc9c7aa37c809a62bbe62c7952596f59213da7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\prod0.exe

Filesize
32KB

MD5
bafdf6508fcd6188b66ed24eadf16efc

SHA1
289ca4c6a7a526d20838284622d84a12311196a5

SHA256
c41617696c359fdc830ab2b39539c3dc77a107d2b264d90885f8adc92a6e4d75

SHA512
61c8ee30ac5983ab1fd49ead3efc22f6fa9d9a43c42c56254f82d71bdeabd1def4a55444794e0203339173e08c802d13eee08cd416f8bc22cecbe828c52c1e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\prod1.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\prod1_extract\installer.exe

Filesize
24.4MB

MD5
4a547fd0a6622b640dad0d83ca63bd37

SHA1
6dd7b59010cc73581952bd5f1924dca3d6e7bea5

SHA256
a5be5403eb217883643adba57c83b7c4b0db34faf503cc1167b2c73ce54919d5

SHA512
dd1c6d7410d9fca5ce3d0be0eb90b87a811c7f07cba93e2c5d6855c692caec63feec6b8385e79baa4f503cac955e5331fac99936aa1668c127f3fc1ffccb3b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C5ED2.tmp\prod1_extract\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwaCD8C.tmp

Filesize
161KB

MD5
662de59677aecac08c7f75f978c399da

SHA1
1f85d6be1fa846e4bc90f7a29540466cf3422d24

SHA256
1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb

SHA512
e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vblwk4mg.exe

Filesize
2.4MB

MD5
03dc937b05f19490f037caa92ad032e5

SHA1
8aa85be1568429d7e3e3cc8d45a5074133fc8504

SHA256
ba3a5665f8810328917af0a184b457826cd5e754213a86bb48eac2ce5826b154

SHA512
5a962857e9195106e35f4117e2136a929ce90da7a736d0457b84b2ba5076042fe116fe1d1492edd89c886e23bd75f3417fba51a0648b655e6b1f2939981586d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\1ec84a1e-c7fb-4fc7-baaf-8c8545faf30d.tmp

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\14afb9c6-bdd1-416c-bb78-2fa92ab62e15.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\Network Persistent State

Filesize
300B

MD5
28f3ec3a0089f95579bdc2cb0180ef40

SHA1
25d84b2d206328d55b50fd550625d780a4dd6937

SHA256
64f2ce975481410cffbe1841cc97bd89895c8ffe10a02b24125ee8357a053bae

SHA512
eddc520b67f4254c7ec5f3917f7196ab6e207cecc74287e85a672d667035800523d8fd8b7d9c3c7b87562783b13b2d5db0a07ec03436f616b0ad9efb451d79db

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Network\Network Persistent State

Filesize
500B

MD5
bdf0dad8a173b90e2df665f7431771f5

SHA1
53bf2e02914d90eb0b0f960cb6e5ef3a4247ec0f

SHA256
16bdedcaa4e391cc8eead2c0224cf122d9a1178208485bb9cbe44b6c8e20df9b

SHA512
a814a7ff6732f64206877414fa616e92cc055c8fe60359f7462b11af7d636db9a8cc8512d450155d5b6dbee8d0484a3999640392a2ef8ad303fdd8f603f5afd0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.18.0\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.18.0\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.18.0\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 927560.crdownload

Filesize
2.4MB

MD5
4cef35cb56164e4427c8890cf5cdfd85

SHA1
242815e66819f32d46c37a57ed707030f57ca2c2

SHA256
564b8e327a13c948cea21587245b7b0005f786ea57f62bd602ef4ecec66171c6

SHA512
10d9755fda076e6f363a13bafbd186f7161b434d54165057b06c6ec0f1b8292444bc90cd558048b228be0d5e46ebd3c99ae379bb71c27ee300224d7d9eb1200f

Download Submit
C:\Users\Admin\Downloads\undertale.zip

Filesize
24.3MB

MD5
e569a8f34b53d2e0abbc7f935346ddce

SHA1
ffac74fab7d94a14165f5117c636eaed66cfc6d2

SHA256
5ec38c1600152b720fd4d0700e8ea226083d40e0b4c4e13243a215738ccfb837

SHA512
5a93dfe953ac52611be73fcb18f241e6fe8d5d2a803572d26c47c7084337855d0edeb1edd88d16ba07137526623a2fa13f4c4ea84d821436d70ec71288bf80d1

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E663C78920A8217B4CBE3D45E3E6236_75C1BD04B8F3DBF3882A89F51074A729

Filesize
2KB

MD5
30c19e79ed3edc3f9b7129f135224127

SHA1
e392d6d70b288c21c3375e31372ac7fb415de6c3

SHA256
b2ae4be5c0112a59571103aec6d25c3e1d8bd0e4026a5de46c4149be449311cf

SHA512
a55afbc9d5fa841de86391cdbc3592579f1fc4ac53a1b55a062d6f01cf05015b560b79f356e68938d6cb744206403d7852ec2a35a0c69d3d7b3988c4ddfd127d

Download Submit
memory/932-447-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/932-484-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/932-479-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1920-4875-0x0000016C3B9E0000-0x0000016C3BA10000-memory.dmp

Filesize
192KB

Download
memory/1920-4890-0x0000016C3B9E0000-0x0000016C3BA0E000-memory.dmp

Filesize
184KB

Download
memory/1920-747-0x0000016C3B2E0000-0x0000016C3B392000-memory.dmp

Filesize
712KB

Download
memory/1920-5720-0x0000016C3A810000-0x0000016C3A85E000-memory.dmp

Filesize
312KB

Download
memory/1920-7062-0x0000016C3A8F0000-0x0000016C3A928000-memory.dmp

Filesize
224KB

Download
memory/1920-750-0x0000016C3B220000-0x0000016C3B24E000-memory.dmp

Filesize
184KB

Download
memory/1920-7070-0x0000016C3A8F0000-0x0000016C3A920000-memory.dmp

Filesize
192KB

Download
memory/1920-745-0x0000016C22780000-0x0000016C227B0000-memory.dmp

Filesize
192KB

Download
memory/1920-755-0x0000016C3B5A0000-0x0000016C3B5F8000-memory.dmp

Filesize
352KB

Download
memory/1920-7077-0x0000016C3A9A0000-0x0000016C3A9CA000-memory.dmp

Filesize
168KB

Download
memory/1920-4905-0x0000016C3BAC0000-0x0000016C3BAF0000-memory.dmp

Filesize
192KB

Download
memory/1920-7085-0x0000016C3AA80000-0x0000016C3AAAE000-memory.dmp

Filesize
184KB

Download
memory/1920-748-0x0000016C3B030000-0x0000016C3B052000-memory.dmp

Filesize
136KB

Download
memory/1920-4864-0x0000016C3B9E0000-0x0000016C3BA1A000-memory.dmp

Filesize
232KB

Download
memory/1920-743-0x0000016C3AFE0000-0x0000016C3B026000-memory.dmp

Filesize
280KB

Download
memory/1920-741-0x0000016C20AE0000-0x0000016C20BEC000-memory.dmp

Filesize
1.0MB

Download
memory/1920-3147-0x0000016C3B790000-0x0000016C3B7E0000-memory.dmp

Filesize
320KB

Download
memory/1920-3186-0x0000016C3B980000-0x0000016C3B9D8000-memory.dmp

Filesize
352KB

Download
memory/2784-482-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2784-480-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3012-478-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3012-444-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4388-510-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4388-522-0x0000000002E50000-0x0000000002F90000-memory.dmp

Filesize
1.2MB

Download
memory/4388-481-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4388-507-0x0000000002E50000-0x0000000002F90000-memory.dmp

Filesize
1.2MB

Download
memory/4388-797-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4388-526-0x0000000002E50000-0x0000000002F90000-memory.dmp

Filesize
1.2MB

Download
memory/4388-614-0x0000000002E50000-0x0000000002F90000-memory.dmp

Filesize
1.2MB

Download
memory/4388-528-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4580-572-0x0000023AD6D50000-0x0000023AD6D58000-memory.dmp

Filesize
32KB

Download
memory/4580-573-0x0000023AF1660000-0x0000023AF1B88000-memory.dmp

Filesize
5.2MB

Download
memory/5288-1027-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1030-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1041-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1039-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1038-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1037-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1021-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1067-0x00007FF6AF9F0000-0x00007FF6AFA00000-memory.dmp

Filesize
64KB

Download
memory/5288-1023-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1007-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1006-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1012-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1074-0x00007FF6B0120000-0x00007FF6B0130000-memory.dmp

Filesize
64KB

Download
memory/5288-1005-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1036-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1028-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1035-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1031-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1077-0x00007FF6CDF90000-0x00007FF6CDFA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1051-0x00007FF6CDF90000-0x00007FF6CDFA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1034-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1033-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1032-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1040-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1161-0x00007FF6CDF90000-0x00007FF6CDFA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1029-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1081-0x00007FF6CDF90000-0x00007FF6CDFA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1026-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1155-0x00007FF6B0120000-0x00007FF6B0130000-memory.dmp

Filesize
64KB

Download
memory/5288-1019-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1025-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1079-0x00007FF6CDF90000-0x00007FF6CDFA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1152-0x00007FF6B0120000-0x00007FF6B0130000-memory.dmp

Filesize
64KB

Download
memory/5288-1151-0x00007FF6B0120000-0x00007FF6B0130000-memory.dmp

Filesize
64KB

Download
memory/5288-1149-0x00007FF6B0120000-0x00007FF6B0130000-memory.dmp

Filesize
64KB

Download
memory/5288-1134-0x00007FF6B0120000-0x00007FF6B0130000-memory.dmp

Filesize
64KB

Download
memory/5288-1132-0x00007FF6B0120000-0x00007FF6B0130000-memory.dmp

Filesize
64KB

Download
memory/5288-1130-0x00007FF6B0120000-0x00007FF6B0130000-memory.dmp

Filesize
64KB

Download
memory/5288-1112-0x00007FF6CDF90000-0x00007FF6CDFA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1097-0x00007FF6B0120000-0x00007FF6B0130000-memory.dmp

Filesize
64KB

Download
memory/5288-1105-0x00007FF6CDF90000-0x00007FF6CDFA0000-memory.dmp

Filesize
64KB

Download
memory/5288-1004-0x00007FF6D8C90000-0x00007FF6D8CA0000-memory.dmp

Filesize
64KB

Download
memory/6804-5007-0x00000231E81E0000-0x00000231E8438000-memory.dmp

Filesize
2.3MB

Download
memory/6804-4993-0x00000231E7D50000-0x00000231E7D94000-memory.dmp

Filesize
272KB

Download
memory/6804-4983-0x00000231CD6E0000-0x00000231CD72A000-memory.dmp

Filesize
296KB

Download
memory/6804-4982-0x00000231CDCB0000-0x00000231CDCD8000-memory.dmp

Filesize
160KB

Download
memory/6804-4981-0x00000231CF4B0000-0x00000231CF50A000-memory.dmp

Filesize
360KB

Download
memory/6804-4971-0x00000231CD6E0000-0x00000231CD72A000-memory.dmp

Filesize
296KB

Download
memory/6868-5223-0x000001C36EA20000-0x000001C36EA54000-memory.dmp

Filesize
208KB

Download
memory/6868-5222-0x000001C36EAE0000-0x000001C36EB92000-memory.dmp

Filesize
712KB

Download
memory/6868-5011-0x000001C36DE80000-0x000001C36DEB8000-memory.dmp

Filesize
224KB

Download
memory/6868-5012-0x000001C36DF50000-0x000001C36DFD8000-memory.dmp

Filesize
544KB

Download
memory/6868-5232-0x000001C36EC10000-0x000001C36EC52000-memory.dmp

Filesize
264KB

Download
memory/6868-5233-0x000001C370BD0000-0x000001C370E50000-memory.dmp

Filesize
2.5MB

Download
memory/6868-5013-0x000001C36DE40000-0x000001C36DE6A000-memory.dmp

Filesize
168KB

Download
memory/6868-5344-0x000001C36EAA0000-0x000001C36EAD2000-memory.dmp

Filesize
200KB

Download
memory/6868-5349-0x000001C36EF40000-0x000001C36EF66000-memory.dmp

Filesize
152KB

Download
memory/6868-5348-0x000001C36E2B0000-0x000001C36E2B8000-memory.dmp

Filesize
32KB

Download
memory/6868-5352-0x000001C36EF70000-0x000001C36EF98000-memory.dmp

Filesize
160KB

Download
memory/6868-5354-0x000001C36EFD0000-0x000001C36F002000-memory.dmp

Filesize
200KB

Download
memory/6868-5357-0x000001C3702E0000-0x000001C37030C000-memory.dmp

Filesize
176KB

Download
memory/6868-5359-0x000001C370380000-0x000001C3703E8000-memory.dmp

Filesize
416KB

Download
memory/6868-5360-0x000001C370470000-0x000001C3704F0000-memory.dmp

Filesize
512KB

Download
memory/6868-5361-0x000001C3704F0000-0x000001C370566000-memory.dmp

Filesize
472KB

Download
memory/6868-5364-0x000001C370570000-0x000001C3705C4000-memory.dmp

Filesize
336KB

Download
memory/6868-5367-0x000001C370340000-0x000001C370374000-memory.dmp

Filesize
208KB

Download
memory/6868-5366-0x000001C370310000-0x000001C37033A000-memory.dmp

Filesize
168KB

Download
memory/6868-5368-0x000001C370440000-0x000001C37046C000-memory.dmp

Filesize
176KB

Download
memory/6868-5371-0x000001C370FD0000-0x000001C371146000-memory.dmp

Filesize
1.5MB

Download
memory/6868-5373-0x000001C3705D0000-0x000001C3705FA000-memory.dmp

Filesize
168KB

Download
memory/6868-5387-0x000001C371150000-0x000001C371250000-memory.dmp

Filesize
1024KB

Download
memory/6868-5400-0x000001C370EB0000-0x000001C370F04000-memory.dmp

Filesize
336KB

Download
memory/6868-5403-0x000001C370E50000-0x000001C370E78000-memory.dmp

Filesize
160KB

Download
memory/6868-5405-0x000001C370E80000-0x000001C370EA8000-memory.dmp

Filesize
160KB

Download
memory/6868-5014-0x000001C36DFE0000-0x000001C36E058000-memory.dmp

Filesize
480KB

Download
memory/6868-5015-0x000001C36DF00000-0x000001C36DF32000-memory.dmp

Filesize
200KB

Download
memory/6868-5226-0x000001C36EBA0000-0x000001C36EC06000-memory.dmp

Filesize
408KB

Download
memory/6868-5135-0x000001C36DEC0000-0x000001C36DEEE000-memory.dmp

Filesize
184KB

Download
memory/6868-5137-0x000001C36E060000-0x000001C36E088000-memory.dmp

Filesize
160KB

Download
memory/6868-5139-0x000001C36E090000-0x000001C36E0B4000-memory.dmp

Filesize
144KB

Download
memory/6868-5224-0x000001C36E330000-0x000001C36E35A000-memory.dmp

Filesize
168KB

Download
memory/6868-5141-0x000001C36E0C0000-0x000001C36E0E6000-memory.dmp

Filesize
152KB

Download
memory/6868-5154-0x000001C36E400000-0x000001C36E6A8000-memory.dmp

Filesize
2.7MB

Download
memory/6868-7061-0x000001C36EA90000-0x000001C36EA98000-memory.dmp

Filesize
32KB

Download
memory/6868-5229-0x000001C370620000-0x000001C370BC4000-memory.dmp

Filesize
5.6MB

Download
memory/6868-7068-0x000001C3713A0000-0x000001C3713C4000-memory.dmp

Filesize
144KB

Download
memory/6868-5168-0x000001C36E0F0000-0x000001C36E120000-memory.dmp

Filesize
192KB

Download
memory/6868-5216-0x000001C36D730000-0x000001C36D756000-memory.dmp

Filesize
152KB

Download
memory/6868-5215-0x000001C36E370000-0x000001C36E3AA000-memory.dmp

Filesize
232KB

Download
memory/6868-5190-0x000001C36ECB0000-0x000001C36EF36000-memory.dmp

Filesize
2.5MB

Download
memory/6868-5203-0x000001C36E2C0000-0x000001C36E326000-memory.dmp

Filesize
408KB

Download
memory/6868-5172-0x000001C36E190000-0x000001C36E1DF000-memory.dmp

Filesize
316KB

Download
memory/6868-5170-0x000001C36E1F0000-0x000001C36E24E000-memory.dmp

Filesize
376KB

Download
memory/6868-5171-0x000001C36E6B0000-0x000001C36EA19000-memory.dmp

Filesize
3.4MB

Download
memory/7264-5225-0x0000021B3C830000-0x0000021B3C88E000-memory.dmp

Filesize
376KB

Download
memory/7264-5169-0x0000021B23D60000-0x0000021B23D8E000-memory.dmp

Filesize
184KB

Download
memory/7264-5221-0x0000021B3CF80000-0x0000021B3D270000-memory.dmp

Filesize
2.9MB

Download
memory/7264-5231-0x0000021B3D3B0000-0x0000021B3D3BA000-memory.dmp

Filesize
40KB

Download
memory/7264-5230-0x0000021B3D3A0000-0x0000021B3D3A8000-memory.dmp

Filesize
32KB

Download
memory/7264-5239-0x0000021B3EF70000-0x0000021B3EF78000-memory.dmp

Filesize
32KB

Download
memory/7264-5173-0x0000021B3C890000-0x0000021B3C942000-memory.dmp

Filesize
712KB

Download
memory/7264-5228-0x0000021B3CE90000-0x0000021B3CE9A000-memory.dmp

Filesize
40KB

Download
memory/7264-5227-0x0000021B3CEB0000-0x0000021B3CEC6000-memory.dmp

Filesize
88KB

Download
memory/8184-4946-0x000002204ABA0000-0x000002204ABDC000-memory.dmp

Filesize
240KB

Download
memory/8184-4945-0x0000022049370000-0x0000022049382000-memory.dmp

Filesize
72KB

Download
memory/8184-4932-0x0000022048F50000-0x0000022048F7E000-memory.dmp

Filesize
184KB

Download
memory/8184-4931-0x0000022048F50000-0x0000022048F7E000-memory.dmp

Filesize
184KB

Download
memory/8328-5136-0x0000018BD1EC0000-0x0000018BD1EEA000-memory.dmp

Filesize
168KB

Download
memory/8328-5138-0x0000018BEC580000-0x0000018BEC740000-memory.dmp

Filesize
1.8MB

Download
memory/8328-5140-0x0000018BD1EC0000-0x0000018BD1EEA000-memory.dmp

Filesize
168KB

Download
memory/8680-5709-0x00000218D0A60000-0x00000218D0A8C000-memory.dmp

Filesize
176KB

Download
memory/8680-5506-0x00000218CED30000-0x00000218CED56000-memory.dmp

Filesize
152KB

Download
memory/8680-6054-0x00000218D0A90000-0x00000218D0AB8000-memory.dmp

Filesize
160KB

Download
memory/8680-6469-0x00000218E9430000-0x00000218E94B4000-memory.dmp

Filesize
528KB

Download
memory/9040-4969-0x0000027BEF7A0000-0x0000027BEF7C2000-memory.dmp

Filesize
136KB

Download
memory/9040-4968-0x0000027BEF730000-0x0000027BEF74A000-memory.dmp

Filesize
104KB

Download
memory/9040-4966-0x0000027BF03C0000-0x0000027BF0726000-memory.dmp

Filesize
3.4MB

Download
memory/9040-4967-0x0000027BF0730000-0x0000027BF08AC000-memory.dmp

Filesize
1.5MB

Download