cobaltstrike | e0168825be4779091fb1035747eac2b9f685600a7e84dfc7dc3929c3a8017b2e

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

entry_2_0/windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe
Size

1.7MB
MD5

76974b990f52405522b0f38f43b9e973
SHA1

2e4c67a8772b5bf86b563602b252e3957da7d923
SHA256

90846154abe13934aded2cdeb432394148240531ebd58abf5197ae0be73e854d
SHA512

74604af64a9bd99e632ecc97c1be8a951fe35d66ada60be57cd5c431578537044a62614817e7361948a0f5ba5a6b689b721b83eea1712c66347faaedcb4fe06d
SSDEEP

24576:S7FUDowAyrTVE3U5F/sLuHhCLogeQo40gBxnBJ4sxtMXBCYk:SBuZrEUfRFXgznBJZ1

Score

10^/10

cobaltstrike backdoor discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral4/files/0x000900000002345f-4760.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral4/files/0x0009000000023460-4763.dat	disable_win_def

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEDRSvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	rsEngineSvc.exe
File opened (read-only)	\??\F:	rsEDRSvc.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/files/0x000900000002345f-4760.dat	autoit_exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	component0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	UIHost.exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_75DBA25F887BE659C2BA758AC8D5EEC3	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_72BCADB7EE100ECA692C6EC1A866B75B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_72BCADB7EE100ECA692C6EC1A866B75B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7850C7BAFAC9456B4B92328A61976502_E3986D37B77FFFC158DD1695D3C4876D	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_174B7D8FA08FE3114B44D3F2FE6867C0	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\117308CCCD9C93758827D7CC85BB135E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\49855FCDFA62840A2838AEF1EFAC3C9B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_174B7D8FA08FE3114B44D3F2FE6867C0	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_75DBA25F887BE659C2BA758AC8D5EEC3	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7850C7BAFAC9456B4B92328A61976502_E3986D37B77FFFC158DD1695D3C4876D	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\49855FCDFA62840A2838AEF1EFAC3C9B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA0E447C3E79584EC91182C66BBD2DB7	rsEDRSvc.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	rsEDRSvc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-en-US.js	installer.exe
File created	C:\Program Files\McAfee\Temp1514478792\jslang\eula-hu-HU.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\smart_toasting\selectors\smart_toast_search_setting.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\switch_off.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-upsell-toast.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\edgesecuresearchonboarding.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Collections.Specialized.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp1514478792\jslang\wa-res-install-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\packageutils.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-hr-HR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\hashedmachineid.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\arm64\7zarm64.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.IO.Compression.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\Uninstall.exe	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\x64\rsCamFilter020502.sys	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-ss-toast-variants-bg.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\formlogindetect.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\arm64\elam\rselam.cat	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Needle.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ui-dialog-balloon.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\logicscripterror.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Linq.Expressions.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-hu-HU.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\gu.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Runtime.InteropServices.RuntimeInformation.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp1514478792\jslang\eula-sv-SE.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-ko-KR.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Diagnostics.Tools.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-ko-KR.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sw.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\x64\ext_x64.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-sr-Latn-CS.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\balloon-arrow-right.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-ss-toast-variants-window.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-nb-NO.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\cs.pak	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\browsernavigate.luc	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\datasets_catalog.json	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-zh-TW.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\logger.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\observation_analytics.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-options.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-shared-de-DE.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.DirectoryServices.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.config	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\utils\common_utils.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wpstrial.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\oem_utils\oem_util_selector.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\transmitters\transmit_azure.luc	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\rules.js	ServiceHost.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Client.Messages.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\ReasonLabs\EDR\InstallUtil.InstallLog	rsEDRSvc.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\smart_toasting\smart_toast_api_request.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\smart_toasting\selectors\smart_toast_trigger.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-options.html	installer.exe

Executes dropped EXE 20 IoCs

pid	Process
2100	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
1412	component0.exe
4400	saBSI.exe
4412	qu2mf255.exe
4664	UnifiedStub-installer.exe
3776	rsSyncSvc.exe
976	rsSyncSvc.exe
5084	installer.exe
2152	installer.exe
1784	ServiceHost.exe
1676	UIHost.exe
4180	updater.exe
6388	rsWSC.exe
5984	rsWSC.exe
6684	rsClientSvc.exe
6972	rsClientSvc.exe
1520	rsEngineSvc.exe
5136	rsEngineSvc.exe
6992	rsEDRSvc.exe
5596	rsEDRSvc.exe

Loads dropped DLL 15 IoCs

pid	Process
2152	installer.exe
4664	UnifiedStub-installer.exe
3112	regsvr32.exe
4596	regsvr32.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1676	UIHost.exe
1676	UIHost.exe
4664	UnifiedStub-installer.exe
5136	rsEngineSvc.exe
5596	rsEDRSvc.exe
5136	rsEngineSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saBSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu2mf255.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Control	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	rsEDRSvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe

Modifies system certificate store 2 TTPs 19 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4400	saBSI.exe
4400	saBSI.exe
4400	saBSI.exe
4400	saBSI.exe
4400	saBSI.exe
4400	saBSI.exe
4400	saBSI.exe
4400	saBSI.exe
4400	saBSI.exe
4400	saBSI.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
4664	UnifiedStub-installer.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1784	ServiceHost.exe
1676	UIHost.exe
1676	UIHost.exe
1676	UIHost.exe
1676	UIHost.exe
1676	UIHost.exe
1676	UIHost.exe
1784	ServiceHost.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
6576	fltmc.exe
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	component0.exe
Token: SeDebugPrivilege	4664	UnifiedStub-installer.exe
Token: SeShutdownPrivilege	4664	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	4664	UnifiedStub-installer.exe
Token: SeDebugPrivilege	4664	UnifiedStub-installer.exe
Token: SeSecurityPrivilege	6748	wevtutil.exe
Token: SeBackupPrivilege	6748	wevtutil.exe
Token: SeLoadDriverPrivilege	6576	fltmc.exe
Token: SeSecurityPrivilege	6452	wevtutil.exe
Token: SeBackupPrivilege	6452	wevtutil.exe
Token: SeDebugPrivilege	6388	rsWSC.exe
Token: SeDebugPrivilege	5984	rsWSC.exe
Token: SeDebugPrivilege	1520	rsEngineSvc.exe
Token: SeDebugPrivilege	1520	rsEngineSvc.exe
Token: SeDebugPrivilege	1520	rsEngineSvc.exe
Token: SeBackupPrivilege	1520	rsEngineSvc.exe
Token: SeRestorePrivilege	1520	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	1520	rsEngineSvc.exe
Token: SeDebugPrivilege	5136	rsEngineSvc.exe
Token: SeDebugPrivilege	5136	rsEngineSvc.exe
Token: SeDebugPrivilege	5136	rsEngineSvc.exe
Token: SeBackupPrivilege	5136	rsEngineSvc.exe
Token: SeRestorePrivilege	5136	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	5136	rsEngineSvc.exe
Token: SeDebugPrivilege	5596	rsEDRSvc.exe
Token: SeDebugPrivilege	5596	rsEDRSvc.exe
Token: SeDebugPrivilege	5596	rsEDRSvc.exe
Token: SeShutdownPrivilege	5136	rsEngineSvc.exe
Token: SeCreatePagefilePrivilege	5136	rsEngineSvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2100	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 2100	3604	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe	82
PID 3604 wrote to memory of 2100	3604	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe	82
PID 3604 wrote to memory of 2100	3604	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe	82
PID 2100 wrote to memory of 1412	2100	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	93
PID 2100 wrote to memory of 1412	2100	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	93
PID 2100 wrote to memory of 4400	2100	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	94
PID 2100 wrote to memory of 4400	2100	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	94
PID 2100 wrote to memory of 4400	2100	windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp	94
PID 1412 wrote to memory of 4412	1412	component0.exe	95
PID 1412 wrote to memory of 4412	1412	component0.exe	95
PID 1412 wrote to memory of 4412	1412	component0.exe	95
PID 4412 wrote to memory of 4664	4412	qu2mf255.exe	96
PID 4412 wrote to memory of 4664	4412	qu2mf255.exe	96
PID 4664 wrote to memory of 3776	4664	UnifiedStub-installer.exe	98
PID 4664 wrote to memory of 3776	4664	UnifiedStub-installer.exe	98
PID 4400 wrote to memory of 5084	4400	saBSI.exe	101
PID 4400 wrote to memory of 5084	4400	saBSI.exe	101
PID 5084 wrote to memory of 2152	5084	installer.exe	102
PID 5084 wrote to memory of 2152	5084	installer.exe	102
PID 2152 wrote to memory of 3172	2152	installer.exe	103
PID 2152 wrote to memory of 3172	2152	installer.exe	103
PID 3172 wrote to memory of 3112	3172	regsvr32.exe	104
PID 3172 wrote to memory of 3112	3172	regsvr32.exe	104
PID 3172 wrote to memory of 3112	3172	regsvr32.exe	104
PID 2152 wrote to memory of 4596	2152	installer.exe	105
PID 2152 wrote to memory of 4596	2152	installer.exe	105
PID 1784 wrote to memory of 1676	1784	ServiceHost.exe	107
PID 1784 wrote to memory of 1676	1784	ServiceHost.exe	107
PID 1784 wrote to memory of 4180	1784	ServiceHost.exe	108
PID 1784 wrote to memory of 4180	1784	ServiceHost.exe	108
PID 1784 wrote to memory of 6224	1784	ServiceHost.exe	109
PID 1784 wrote to memory of 6224	1784	ServiceHost.exe	109
PID 1784 wrote to memory of 6308	1784	ServiceHost.exe	111
PID 1784 wrote to memory of 6308	1784	ServiceHost.exe	111
PID 4664 wrote to memory of 6212	4664	UnifiedStub-installer.exe	113
PID 4664 wrote to memory of 6212	4664	UnifiedStub-installer.exe	113
PID 6212 wrote to memory of 5244	6212	rundll32.exe	114
PID 6212 wrote to memory of 5244	6212	rundll32.exe	114
PID 5244 wrote to memory of 6888	5244	runonce.exe	115
PID 5244 wrote to memory of 6888	5244	runonce.exe	115
PID 4664 wrote to memory of 6748	4664	UnifiedStub-installer.exe	116
PID 4664 wrote to memory of 6748	4664	UnifiedStub-installer.exe	116
PID 4664 wrote to memory of 6576	4664	UnifiedStub-installer.exe	119
PID 4664 wrote to memory of 6576	4664	UnifiedStub-installer.exe	119
PID 4664 wrote to memory of 6452	4664	UnifiedStub-installer.exe	121
PID 4664 wrote to memory of 6452	4664	UnifiedStub-installer.exe	121
PID 4664 wrote to memory of 6388	4664	UnifiedStub-installer.exe	123
PID 4664 wrote to memory of 6388	4664	UnifiedStub-installer.exe	123
PID 4664 wrote to memory of 6684	4664	UnifiedStub-installer.exe	125
PID 4664 wrote to memory of 6684	4664	UnifiedStub-installer.exe	125
PID 4664 wrote to memory of 1520	4664	UnifiedStub-installer.exe	128
PID 4664 wrote to memory of 1520	4664	UnifiedStub-installer.exe	128
PID 4664 wrote to memory of 6992	4664	UnifiedStub-installer.exe	130
PID 4664 wrote to memory of 6992	4664	UnifiedStub-installer.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\entry_2_0\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe
"C:\Users\Admin\AppData\Local\Temp\entry_2_0\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\is-QTQAC.tmp\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QTQAC.tmp\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp" /SL5="$A0022,837598,832512,C:\Users\Admin\AppData\Local\Temp\entry_2_0\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\component0.exe
    "C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\component0.exe" -ip:"dui=1b74ca46-c49b-4c52-a57d-8cd1ff70c625&dit=20240919094620&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=fa70&a=100&b=&se=true" -i
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\qu2mf255.exe
      "C:\Users\Admin\AppData\Local\Temp\qu2mf255.exe" /silent
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\UnifiedStub-installer.exe
        
        .\UnifiedStub-installer.exe /silent
        5⤵
        Drops file in Drivers directory
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4664
      - C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        6⤵
        Executes dropped EXE
        
        PID:3776
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        6⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:6212
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        7⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:5244
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        8⤵
        
        PID:6888
      - C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6748
      - C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        6⤵
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:6576
      - C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6452
      - C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:6388
      - C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
        6⤵
        Executes dropped EXE
        
        PID:6684
      - C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
      - C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
        
        "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
        6⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:6992
- - C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\component1_extract\saBSI.exe
    "C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\component1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\component1_extract\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\component1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5084
    - - C:\Program Files\McAfee\Temp1514478792\installer.exe
        
        "C:\Program Files\McAfee\Temp1514478792\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
      - C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        6⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:4596

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:976

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1676
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:4180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:6224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:6308

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5984

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
PID:6972

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5136
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  PID:5396
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  PID:1344
- - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    PID:3584
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,10677041267680730222,10786869145914186172,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1748 /prefetch:2
      4⤵
      PID:6444
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --field-trial-handle=2180,i,10677041267680730222,10786869145914186172,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:3
      4⤵
      PID:1360
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2428,i,10677041267680730222,10786869145914186172,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2424 /prefetch:1
      4⤵
      PID:3260
- C:\program files\reasonlabs\epp\rsLitmus.A.exe
  "C:\program files\reasonlabs\epp\rsLitmus.A.exe"
  2⤵
  PID:2124

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:5596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\McAfee\Temp1514478792\analyticsmanager.cab

Filesize
1.8MB

MD5
97ed5ed031d2032e564ade812cf1a544

SHA1
cce815ae908c8bea62bce28353abc719fe5dc84e

SHA256
8c9ac5ebbf2bf6ef3f9de07276761bb77ecd5a122d92a6d6e82d110557bffbc9

SHA512
e407772ff7ff9d87332b51c622883ca483285df9ae888da323e2f7aee6c2a24b699e5c8350b0a80e5a5e9d643db140eb1ddd75355e0af0611c02e6b5b537db12

Download Submit
C:\Program Files\McAfee\Temp1514478792\analyticstelemetry.cab

Filesize
48KB

MD5
ef6a25aa170818e96580be4114d669e9

SHA1
d3d0f5c1689bd5a77edc8cbd1a9b5dc6b317c2c9

SHA256
2bb88fafa2cf6d1d98519128b7a3e449110ef1584cbbcfafefb170ba83fbe67e

SHA512
42a810570051fb4065b043cffd5990533bc5e1dbeee7091d670a194caab2b72c10b06d1c1f7678d211e0a48fae8b61abdd3afde63392fd47e9a5f28b76cb1f89

Download Submit
C:\Program Files\McAfee\Temp1514478792\browserhost.cab

Filesize
1.2MB

MD5
b94c9f0a975476dba3dcf710bb1bb7b9

SHA1
efa5029cca331cbd83d0fb4c234d937693872feb

SHA256
8101b720507bf30c6ff828cafd1c1babb4fc85261d76edf5f3c34b0a92a9ee35

SHA512
ec2fc2c84fc9ace25d7da2c869b1b61009df65fbf1aa503fc2feaa0db5dce094d9c8d4dcca5ce92c7ddf9960bcf19b235e0a7c5555977bcbe3e72c850dfc29b0

Download Submit
C:\Program Files\McAfee\Temp1514478792\browserplugin.cab

Filesize
4.8MB

MD5
832afd444a290e49ad5d5fa751976d8f

SHA1
01ce1adc9028335126fc01c1a98a7ea396e9f3ee

SHA256
ae40f7e07be60148aee4223fe8356782db4e6b67b0b463b89405519dd8ef1d85

SHA512
8c0625f122955e90c51f27cd35866ef901fa8e90ab048c3cc909f3e467225ddf64fdb3f67f56bd08a84bc48094ea27c09bef0fc7802e9e50e1da49ff35be3cb7

Download Submit
C:\Program Files\McAfee\Temp1514478792\eventmanager.cab

Filesize
1.5MB

MD5
a2311baf2020a4b4616c1c4084047dce

SHA1
3799c778f4f59b423274f0a21c1f37f45d6a3058

SHA256
80ef158b822de25a7fe4e72a404abeb0dabdad208972080681c0cd7f13fd882b

SHA512
28dddb497174f884061c68dfd8033b2eb7c32b3bdd46ee2e8fa9238a5036d71e71f37c9e8da0cec400be872ad8f5d91f88a68108614591b29c5f15212c2045c3

Download Submit
C:\Program Files\McAfee\Temp1514478792\installer.exe

Filesize
2.9MB

MD5
6908407fb5ea50408e55db7877f41f30

SHA1
1e46a4801ec4345e168d9902a0f85c56685e5e45

SHA256
c716dcd46f88edbf6d217f4740b79fe0a60530d68495959c41a3be82dcf8de4f

SHA512
c9528e0308847a6fd9f3fd29c7cdcca42189264b4a5233b4cca24cfeefa4f3b1ece1d1da62c7e158005195a158ecf83968b433a9129e534bcd55e8304103a8c4

Download Submit
C:\Program Files\McAfee\Temp1514478792\l10n.cab

Filesize
263KB

MD5
8f64d3b5cf2d9ca534d15869831b03c2

SHA1
dc2dbf02917f6caf5647c6518b46d6a9a3ab3848

SHA256
419c412f0675ca9c33dd4893ca8c6fc716da26fe2951c4de5586783ebdca7a39

SHA512
7ab79b6be288f312c00b5421a918059e48e16ecbd2956e80ed4246e273640533bf058ac19927ea85d76dd03b8fc25461d4f77453d871729ffc47b3c6317aa957

Download Submit
C:\Program Files\McAfee\Temp1514478792\logicmodule.cab

Filesize
1.5MB

MD5
5a20121cafcd42a5b9121c781109af48

SHA1
5dd56ee30b9d856cd3e362fa4047ee983d18ac48

SHA256
12a876cd938e3cc9d23bf35df7c1d3b9724a92a152f1fbe102dfe16de0f7b670

SHA512
96b5e4fe6ad9a9bd7cadfb1105f54357f916d0ff394d82a0d4b2faae9771f154ed5f6a52b632ab4d83dfedcfec9ddb26fc2299124b5edfa4165218cdbc2bac84

Download Submit
C:\Program Files\McAfee\Temp1514478792\logicscripts.cab

Filesize
50KB

MD5
22bbe35450299d96df0fd8162b2111b7

SHA1
7da76911803b392652f72f08a314b46e0aa062f6

SHA256
85baf880052a9e42c1b509f60be049bd3164a450a82fdd668d20e7210e1e9945

SHA512
673c4ce4405290746d9505115830783004b6d20b537693b45e30a243405bbc6c852587e2a78497846548dac85f6b58a1b68a0dcf93aeb3719407be135dbbd185

Download Submit
C:\Program Files\McAfee\Temp1514478792\mfw-mwb.cab

Filesize
20KB

MD5
7c481ebd8e5250b0a3d021350cf62b2e

SHA1
78ebe2ef2632c31c6e4b41b5aa521cf7ab9687ed

SHA256
1ef9b8cb161c93e2fbea4c0ed164677494805e452745ff20cedaeb40c4d4a6dc

SHA512
6f107598a9b333ce6a3536e91c7f9c8ca7ad61614c43f330aac10df408e2be51aef997ede2d14a6c4f44b8f82bb96538b4372936e11a68d2a04960f88af18cf3

Download Submit
C:\Program Files\McAfee\Temp1514478792\mfw-nps.cab

Filesize
22KB

MD5
eaa60197c72841cc6499f90caaf91045

SHA1
9ca0de9dc3f3188ca4130f7bf6fb6fa6b40371d6

SHA256
ef5154f8d3c73c5581c7460c3a9306ba2a833ef02e7a94af8ab5bfe6de03d500

SHA512
30ffdd1718619495fa3fd2e75570470c7442ff293cf04b3fa90fe3738e6461f4b197a1dd68db21c7be9c0e58ff5110cbbd650a1fbdbadbabe0a79dcc09806d08

Download Submit
C:\Program Files\McAfee\Temp1514478792\mfw-webadvisor.cab

Filesize
799KB

MD5
8df620368757404e566bb046ecf9c4ab

SHA1
031d572f19a4862f1bdd0d8d694249f609333adf

SHA256
bf68ad394d58771dfb61c2d3bb65a71d7c0be76c29e5670d82233a2b029202a2

SHA512
1da77b5172b541d300f5342741ff14e4392ba7d3ffd6f63eb1fc9d4712b36762d25662ac28bfca10e9ba3467f51006afd0adf0be57e74d0778b59fa8fcfab76d

Download Submit
C:\Program Files\McAfee\Temp1514478792\mfw.cab

Filesize
300KB

MD5
4b48d4af3dd627cbdb23eba5432a1ce4

SHA1
434ab4f9963c38e59035f9186a1b47b5d71672d5

SHA256
f953e46987ad5d221a623c08fdb6b7adc7ddc08f0bb001fe8c10af528f1d6cd7

SHA512
ab659466d0b38cf76d503eddb896ede677a16f5efa42bc57dbd0618bd67b5917287441f25f6aef1ae62357f8d7548173d76265d2a17dda21d610ba6ccd8efd67

Download Submit
C:\Program Files\McAfee\Temp1514478792\resourcedll.cab

Filesize
37KB

MD5
8b93f49c9f0f4338ccac93e065aeda6d

SHA1
1f6e3d6c79a36df4b8087191bbd7b779490fea13

SHA256
60aae2c0fbd7ae9f9688b34957077bb4c012b398adcb50b8955641f47cf3769e

SHA512
74639725fb8edf6fd1891bd7036e56e2690a7002098f0f92d3ed083acbf802829c7fba47828aff7acaf3e6daa2589bdf4571f52ade261e0829e9d02a099cb13d

Download Submit
C:\Program Files\McAfee\Temp1514478792\servicehost.cab

Filesize
326KB

MD5
9b6afbc841ec091b348e5463d7247451

SHA1
7a7fef18f28132f689a5e6670a79ef11e9b86ad6

SHA256
2aa69416b7e189ececdd8eadf19efc31f3b17473f814f03084ffad39ea9b54f8

SHA512
d6884700819acfff3df720216818d519feb873d7396220e5bddf7b84da3746419c1c1dc5a0b29fdc48df64b78676ed15d30f35f7cd76ae6be38016a6a61da47e

Download Submit
C:\Program Files\McAfee\Temp1514478792\settingmanager.cab

Filesize
783KB

MD5
dc6eae57d2218c86f27804bf8540515e

SHA1
9bb523cacdc7e5a8095ed7483cf32c3eaeaf18bf

SHA256
f97df035083c8db8e893689336c3520739b9e0f40493d62f25eb8b7b40c3cdc5

SHA512
68bfad593d64a6d11a2faa132c34bc81a4ef635f4afc0db9d57d8bac9b069ec9a6d6e84e0acc7c127839f39c062f4786abac82856ada5c813a9ebdc102c7d7a6

Download Submit
C:\Program Files\McAfee\Temp1514478792\taskmanager.cab

Filesize
3.0MB

MD5
68652b84e881b112e605aad167162059

SHA1
f12cc34e9686e90e7bbbc051847f9763dd21edc4

SHA256
303dbae1b4872600cf7ddfa9fc1f82f933861bbecc10ac218ba23d4d9e2b99b9

SHA512
eb822707fdff149c4d6d3717f804f65a127bd25095f9a66410cf2d20b2bc62c19ff55af9c04b6e503bf808fb0b4e21080eaf736b6019540e55f211466fc2748f

Download Submit
C:\Program Files\McAfee\Temp1514478792\telemetry.cab

Filesize
78KB

MD5
b73d6356b6e0b755ecbc41411604f9c7

SHA1
12fa72f84628e87710e65e913884dea18e9f79a7

SHA256
aa7c148eba45b1ba46415a6ea879f80a8d0a07c3fd8a9bc87dab587f7e0e624d

SHA512
a2a56d00c6a27799ec2f29c58ca0e30192fb5f094df1a7409b4945973047ca4c70c712e70f2808ba44ec01d56cd43428ff618b7c374fe6002f4d3e44b194fa5e

Download Submit
C:\Program Files\McAfee\Temp1514478792\uihost.cab

Filesize
322KB

MD5
52faea6af050103fbad0ec1b43f5ad74

SHA1
9e4d3352be8565e1be844ae98e63a27751c806d5

SHA256
15b441b628b22d518a3328a5a451ee30e74b8583a01c67b6609164fa92259724

SHA512
8e87d88641bbe32430b5e98c854799b7e2a29595f8c370b0dec43f347fca604c8534bb6d21eefa7985fc2e6a1faa49746811e42d5f2e2455e02ee8ef4d8c395c

Download Submit
C:\Program Files\McAfee\Temp1514478792\uimanager.cab

Filesize
1.8MB

MD5
6b7a8b43ead2f632a46296ef39644516

SHA1
e0d601ec995a23c8b5b381a7dd42b293a444a44f

SHA256
c189da815549a4f0386e8e148d01893954ad1d9dab49da3b0bc0279e51e9118a

SHA512
dc544643359b7432c2cda61c921f5aedd5c0d7fa78476572871f761008ee3ddac3c352ea64c0c5c2a6b1594367bdfa2edb4738b2098e7e187d2d7ba2990e9566

Download Submit
C:\Program Files\McAfee\Temp1514478792\uninstaller.cab

Filesize
1.0MB

MD5
aa51d98cef03d6914d4d3bf269097d1d

SHA1
0d3037f998fb1a2bab8d68c68c50efb66241e50b

SHA256
281154cb7256ce177da12bca113d0d144563df42d0f5f4d18fe43c3e3b2eafde

SHA512
adc2cde4badddce3c045654577e98d0eb70f8fdf155807c12e7d2af5b8f2d61c5dcd7f0e904db28a71aa3dc28c8e1665e984164065ecc89866339023af02475a

Download Submit
C:\Program Files\McAfee\Temp1514478792\updater.cab

Filesize
961KB

MD5
a3c130fa0810db89553f525bfcb2484c

SHA1
0188f134988ab08a9d5eb9a81ebe42c9cc7d0d43

SHA256
29c749b3ffc675062b59bd6e58dfb629a648c259ff0af70b5f7881fbe17e30f4

SHA512
24a85b6eca25b25d0a1872f32f6be8901cb29bce5a7d76c5d03287a3c0463231900887e6702114266c6832600fe620889b458abf9c4eb742ed382520172c1990

Download Submit
C:\Program Files\McAfee\Temp1514478792\webadvisor.cab

Filesize
11KB

MD5
ef53fbe733612e3db1c3aaaa83e29ad4

SHA1
1480582e1b9daa6b5cea45cd9e894ac36a154843

SHA256
c05594fdb1e841e9070615c279ac6cdf2bd2f6da897fbeab8fc90c1a8dab8f40

SHA512
f3ac0fc48b8e4b0fef09365996218e61d404958838228f3cdfd8415ebb7238e9c025038a14cb748e2e0774e1a7e73aed60f4c10147afe3a6cfcdc3c4d0676edc

Download Submit
C:\Program Files\McAfee\Temp1514478792\wssdep.cab

Filesize
572KB

MD5
1bababa41a0a7a7dd46ff5be32ac6823

SHA1
456ad8893dcf6e740bded9d55d4f26ab657ee582

SHA256
5f2b1bdbd01bc02a747c6a4d6bd767735b1477c1d210132a7edb884a32a87c2c

SHA512
77c4bac9eca7fa88103656422e91233cd67c5abc74e99e36fdb869a90839b75a6e0c46b7f697c421c885678dbb141da8325ea1937823f8f7457a5c16718c07ee

Download Submit
C:\Program Files\McAfee\WebAdvisor\AnalyticsManager.dll

Filesize
5.1MB

MD5
0ebebbc8cdf174ec31bdf61f82c8b859

SHA1
a085b7aa5115f07d0eeb08835ceae43cb7e4b660

SHA256
11c89840aff32d799f16b8453d7e8d89ab64bdc1e168eb1230e9ae29d5f30560

SHA512
b1fb45f5c7aeb0205a7d16dbd314e23fdd43a28d994ca4318a54931b72452b979427146148efbf51e287c7f104aa3150a97cd394817d0ca5dec699c64054ac64

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
73KB

MD5
bd4e67c9b81a9b805890c6e8537b9118

SHA1
f471d69f9f5fbfb23ff7d3c38b5c5d5e5c5acf27

SHA256
916f5e284237a9604115709a6274d54cb924b912b365c84322171872502d4bf8

SHA512
92e1d4a8a93f0bf68fc17288cd1547b2bb9131b8378fbd1ed67a54963a8974717f772e722477417f4eb6c6bb0b3dfba4e7847b20655c3d451cba04f6134c3ab5

Download Submit
C:\Program Files\McAfee\WebAdvisor\SettingManager.dll

Filesize
1.9MB

MD5
a1cbe7071e338fc2e4b23b425f97085e

SHA1
49909383e784b9dfdf946c45592c2849f12e1c7e

SHA256
942eadd84730a88a38b44de12ef109290f543bfb7dcaf8fe4a7a3881a1d69f44

SHA512
32a2358c44748eea6f62a2f70364ec04b417e28bfa5c410b317217ee42b60922ccba174dabdeaf816982acef43464617af7d923c00a4b58629845a084c2956b1

Download Submit
C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\AnalyticsEventsConfig.luc

Filesize
8KB

MD5
4cee70c0f0e65b9735dea6dd845030a2

SHA1
47a203b82abaf317f47b404c651219e2cf0468ec

SHA256
0e2a9de568437688786b73203f335c6dcf505b816d980f489f32ac48d84bc2ae

SHA512
a084e423b80e970521b358552631a2973364cebd54da4fa714198f3e7dab20cd37bb36b9351be75fab3ace65a4fa58109b891834ce1c74487084e812cb0ab214

Download Submit
C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\AnalyticsTelemetryHandler.luc

Filesize
2KB

MD5
117fabf1be43dd46e92fa7198c946a29

SHA1
13cc590ac028e140905bf5d28d610a8a7aeff3f5

SHA256
162d1defaa0e9e34580de70724cb02ebe971c2c1f5645753fbd5907094e6e282

SHA512
c1040253d5c5ca0f0cc8da0daaaa1e9e51987e634aea8940e50b88267486df7fecfd98517f316d08b709fe52d6812a7b00f978f6ab1d88a36f51d099e64b2e83

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\class.luc

Filesize
656B

MD5
4fedac1062bb49f1e41bab0c9732bfde

SHA1
bf9205ad806ed7d90d99362593d95f914dff4096

SHA256
c4cf05582bf7de86b7fc167ce2183f70ea08fe26b09478061c3a034bb335658e

SHA512
c5f5d6cef328d7ec2cf5a10a1ae2da8ee5c0c995fd04f40a36a50b2298709c665b0ad586d96415c2dcc1d59b46ebc59548fcaa01f2248de29bb1c5a9e8798377

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\dkjson.luc

Filesize
9KB

MD5
f91523566c118924fbfaedea2456553e

SHA1
5ac9551dfa75013b88a73d26d2010d6f2d94595f

SHA256
1680728a1541a9ee7b3bee1fd40bba2ef25a2a86283fa2583f59a4b5aa8c2a6d

SHA512
29e4abccb4f4b390da8b02b59190b5a2222fccb82b8167c84f3885f31bb4fd6b47c46b6ebfdf6cdd839f9181a4e008f314e7c00df5f5597b33627e2a577f277f

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\logger.luc

Filesize
699B

MD5
7ca440bcda2c926d16b21105d5c9a98e

SHA1
834411947c6a0708589b447e9adb24ac87145842

SHA256
15e0fc760c7368ffa9824dc46eba96c0d921835a42b8ee5b00c2b1ee526a9276

SHA512
9994d5679e9d955a78c6651dd9fcac9cd652ab541a75f9f8af12ac0ab0b0e24ca6f7064835ac5ef0b14116b3e02cfc0f02c3a4355c7d25fbde7ffe948fa904f4

Download Submit
C:\Program Files\McAfee\WebAdvisor\servicehost.exe

Filesize
896KB

MD5
3937848ecc300771413faec70611e22f

SHA1
6c6fce0707cc6342431a6486dbbc2f3906828f25

SHA256
566ff05c40eb9f8674f64a01c97409a732fc8d806ae26f73d1bd8c4d1aa573cb

SHA512
cfab2bf377336e75969142726f9a369f14e80d5b01bca22ee9a8e3b7941ebf1198a15bde09b02358e2edd3888194dd284f0c25143703cb76bfce624f2ee635d1

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll

Filesize
630KB

MD5
7c0f2909a7d5eeffc43d2ceb61f00168

SHA1
3f1c603e778130a076b5223f492d1ab41c0b987e

SHA256
36fa0d5b4ca8f9ca91a4f095700d822394947015795183a71199901247ddb23a

SHA512
e967be8db1c17a63b74ef003aff78411f04cb66cddc2cb02f8b30553cb147c676aa039be459d40ef0627b296fc89f10d549478b15f3f6ddbfdd18e9121f00fee

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll

Filesize
785KB

MD5
c1dfef71aea217fb5692a0a6749067f0

SHA1
340a3e89005c5a0749cf01a21d274f71b22753f6

SHA256
2de215f385925af1eb18d07b39d43c6fbdbedb524fa0a9694aae6b05cb7a5d4e

SHA512
4299c508a6ed88819d096820ef366730daa1fec41fa4b106f19bbd1788aabea8236cb65691f14a84ddcd38cac7e9635e36c23a8e5729bfd6219f97189490d51f

Download Submit
C:\Program Files\ReasonLabs\EDR\InstallUtil.InstallLog

Filesize
628B

MD5
789f18acca221d7c91dcb6b0fb1f145f

SHA1
204cc55cd64b6b630746f0d71218ecd8d6ff84ce

SHA256
a5ff0b9a9832b3f5957c9290f83552174b201aeb636964e061273f3a2d502b63

SHA512
eae74f326f7d71a228cae02e4455557ad5ca81e1e28a186bbc4797075d5c79bcb91b5e605ad1d82f3d27e16d0cf172835112ffced2dc84d15281c0185fa4fa62

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
388B

MD5
1068bade1997666697dc1bd5b3481755

SHA1
4e530b9b09d01240d6800714640f45f8ec87a343

SHA256
3e9b9f8ed00c5197cb2c251eb0943013f58dca44e6219a1f9767d596b4aa2a51

SHA512
35dfd91771fd7930889ff466b45731404066c280c94494e1d51127cc60b342c638f333caa901429ad812e7ccee7530af15057e871ed5f1d3730454836337b329

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
633B

MD5
6895e7ce1a11e92604b53b2f6503564e

SHA1
6a69c00679d2afdaf56fe50d50d6036ccb1e570f

SHA256
3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177

SHA512
314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
339KB

MD5
030ec41ba701ad46d99072c77866b287

SHA1
37bc437f07aa507572b738edc1e0c16a51e36747

SHA256
d5a78100ebbcd482b5be987eaa572b448015fb644287d25206a07da28eae58f8

SHA512
075417d0845eb54a559bd2dfd8c454a285f430c78822ebe945b38c8d363bc4ccced2c276c8a5dec47f58bb6065b2eac627131a7c60f5ded6e780a2f53d7d4bde

Download Submit
C:\Program Files\ReasonLabs\EPP\Uninstall.exe

Filesize
319KB

MD5
79638251b5204aa3929b8d379fa296bb

SHA1
9348e842ba18570d919f62fe0ed595ee7df3a975

SHA256
5bedfd5630ddcd6ab6cc6b2a4904224a3cb4f4d4ff0a59985e34eea5cd8cf79d

SHA512
ab234d5815b48555ddebc772fae5fa78a64a50053bdf08cc3db21c5f7d0e3154e0726dacfc3ea793a28765aea50c7a73011f880363cbc8d39a1c62e5ed20c5a9

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
e0f93d92ed9b38cab0e69bdbd067ea08

SHA1
065522092674a8192d33dac78578299e38fce206

SHA256
73ad69efeddd3f1e888102487a4e2dc1696ca222954a760297d45571f8d10d31

SHA512
eb8e3e8069ff847b9e8108ad1e9f7bd50aca541fc135fdd2ad440520439e5c856e8d413ea3ad8ba45dc6497ba20d8f881ed83a6b02d438f5d3940e5f47c4725c

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
348KB

MD5
41dd1b11942d8ba506cb0d684eb1c87b

SHA1
4913ed2f899c8c20964fb72d5b5d677e666f6c32

SHA256
bd72594711749a9e4f62baabfadfda5a434f7f38d199da6cc13ba774965f26f1

SHA512
3bb1a1362da1153184c7018cb17a24a58dab62b85a8453371625ce995a44f40b65c82523ef14c2198320220f36aafdade95c70eecf033dd095c3eada9dee5c34

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
6KB

MD5
87ac4effc3172b757daf7d189584e50d

SHA1
9c55dd901e1c35d98f70898640436a246a43c5e4

SHA256
21b6f7f9ebb5fae8c5de6610524c28cbd6583ff973c3ca11a420485359177c86

SHA512
8dc5a43145271d0a196d87680007e9cec73054b0c3b8e92837723ce0b666a20019bf1f2029ed96cd45f3a02c688f88b5f97af3edc25e92174c38040ead59eefe

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
406B

MD5
0dd7ab115062ec8b9181580dbd12ff02

SHA1
28a9115deb8d858c2d1e49bec5207597a547ccf0

SHA256
2fe9b5c64e7ef21c1ea477c15eff169189bac30fd2028f84df602f52c8fc6539

SHA512
2c1a4e5ebf7ab056d4510ea56613fec275ca1da8bb15ed8118e9192fc962833e77974a0363538cebf9ab2a1a1ff9486c3078d14b4820c2a8df803f80f94e19f1

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
370B

MD5
b2ec2559e28da042f6baa8d4c4822ad5

SHA1
3bda8d045c2f8a6daeb7b59bf52295d5107bf819

SHA256
115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3

SHA512
11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
508e66e07e31905a64632a79c3cab783

SHA1
ad74dd749a2812b9057285ded1475a75219246fa

SHA256
3b156754e1717c8af7fe4c803bc65611c63e1793e4ca6c2f4092750cc406f8e9

SHA512
2976096580c714fb2eb7d35c9a331d03d86296aa4eb895d83b1d2f812adff28f476a32fca82c429edc8bf4bea9af3f3a305866f5a1ab3bbb4322edb73f9c8888

Download Submit
C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
c4af210cb9cd4a15df0629bdf383cbf6

SHA1
0c71020e3038efd9b9d1f2bf3664625fb6f16f38

SHA256
e3afc75d25044c16bcb327898338a8496b2d1a732fba21092680fcb160e15045

SHA512
fffa23be38093be9b4d9b00961d0b4167d923accfe95a8927c044340eee20a08f704d8517bb20cac73b2422084072fe1d32f209d173cc5db189f2f19b72be84e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
78229716eb50604ff6e7c085c08b7279

SHA1
43b75121f044c68deb714914d5ac3e81e73ea4ff

SHA256
a09dce5039dcbac8cfa398beed96051fd8f0f5f43d805f5eb94b1dfe8d8b1900

SHA512
da5f7cf82cc5cba25abf8ce26d2254e012bb3838d9e6083f25a12f9ab8c2b0af8303c25791c5cc1c9ce85d16430c5924ceb6a760cc4190ffabb771e02c3c6a10

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
7dc6dbd6a1ae9b048eaced814b8d94b2

SHA1
804980baaddb7f9f789dde98ff550172c2c950c5

SHA256
a93abbce36dec89b6ddb30d8999271b1f0bf04cc3f687869cb3f0b43b2c1a43c

SHA512
3007fdf9c1fda99b6596440b0e99277d5cd46cf9a45d8bbfcb8f098deea97c95c80a4f6505a86101efc5bc9ff96c374b0c06c8b93b9a094ffe9d892761a706ff

Download Submit
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt

Filesize
1KB

MD5
dd21c0aba40ae15ee7625d90b314a3d1

SHA1
a0a3e38a9a261bb1dc57f559eca17e05dbf250f3

SHA256
6083eed8f12a62574b5c4d8e03c378afd89ff45d56c3b54eda2135bb70f88fe3

SHA512
166b2833a4aabd7763e48bd0c523d5783777e577ad7c077ba60045e62e191e92b6d7aaca914f2a7922fbcfdac92d0ac1b56cc6a1f7269b4d7a26ed072f4131d2

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

Filesize
5.4MB

MD5
f04f4966c7e48c9b31abe276cf69fb0b

SHA1
fa49ba218dd2e3c1b7f2e82996895d968ee5e7ae

SHA256
53996b97e78c61db51ce4cfd7e07e6a2a618c1418c3c0d58fa5e7a0d441b9aaa

SHA512
7c8bb803cc4d71e659e7e142221be2aea421a6ef6907ff6df75ec18a6e086325478f79e67f1adcc9ce9fd96e913e2a306f5285bc8a7b47f24fb324fe07457547

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

Filesize
2.9MB

MD5
2a69f1e892a6be0114dfdc18aaae4462

SHA1
498899ee7240b21da358d9543f5c4df4c58a2c0d

SHA256
b667f411a38e36cebd06d7ef71fdc5a343c181d310e3af26a039f2106d134464

SHA512
021cc359ba4c59ec6b0ca1ea9394cfe4ce5e5ec0ba963171d07cdc281923fb5b026704eeab8453824854d11b758ac635826eccfa5bb1b4c7b079ad88ab38b346

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

Filesize
592KB

MD5
8b314905a6a3aa1927f801fd41622e23

SHA1
0e8f9580d916540bda59e0dceb719b26a8055ab8

SHA256
88dfaf386514c73356a2b92c35e41261cd7fe9aa37f0257bb39701c11ae64c99

SHA512
45450ae3f4a906c509998839704efdec8557933a24e4acaddef5a1e593eaf6f99cbfc2f85fb58ff2669d0c20362bb8345f091a43953e9a8a65ddcf1b5d4a7b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\Microsoft.Win32.TaskScheduler.dll

Filesize
340KB

MD5
e6a31390a180646d510dbba52c5023e6

SHA1
2ac7bac9afda5de2194ca71ee4850c81d1dabeca

SHA256
cccc64ba9bbe3897c32f586b898f60ad0495b03a16ee3246478ee35e7f1063ec

SHA512
9fd39169769b70a6befc6056d34740629fcf680c9ba2b7d52090735703d9599455c033394f233178ba352199015a384989acf1a48e6a5b765b4b33c5f2971d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\Newtonsoft.Json.dll

Filesize
701KB

MD5
4f0f111120d0d8d4431974f70a1fdfe1

SHA1
b81833ac06afc6b76fb73c0857882f5f6d2a4326

SHA256
d043e6cde1f4d8396978cee2d41658b307be0ca4698c92333814505aa0ccab9a

SHA512
e123d2f9f707eb31741ef8615235e714a20c6d754a13a97d0414c46961c3676025633eb1f65881b2d6d808ec06a70459c860411d6dd300231847b01ed0ce9750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\UnifiedStub-installer.exe

Filesize
1.0MB

MD5
493d5868e37861c6492f3ac509bed205

SHA1
1050a57cf1d2a375e78cc8da517439b57a408f09

SHA256
dc5bc92e51f06e9c66e3933d98dc8f8d217bc74b71f93d900e4d42b1fb5cc64f

SHA512
e7e37075a1c389e0cad24ce2c899e89c4970e52b3f465d372a7bc171587ed1ee7d4f0a6ba44ab40b18fdf0689f4e29dfdbccbabb07e0f004ef2f894cb20d995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\a0b7ab7c-5265-483f-b6f7-59fbc9bc6e2b\UnifiedStub-installer.exe\assembly\dl3\5f014f8a\5e48e20c_790adb01\rsLogger.DLL

Filesize
183KB

MD5
54ff6dfafb1ee7d42f013834312eae41

SHA1
7f30c2ffb6c84725d90ce49ca07eb4e246f2b27b

SHA256
ef5ce90acf6eb5196b6ba4a24db00d17c83b4fbd4adfa1498b4df8ed3bf0bd0c

SHA512
271f1203ee1bacac805ab1ffa837cad3582c120cc2a1538610364d14ffb4704c7653f88a9f1cccf8d89a981caa90a866f9b95fb12ed9984a56310894e7aae2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\a0b7ab7c-5265-483f-b6f7-59fbc9bc6e2b\UnifiedStub-installer.exe\assembly\dl3\7f772053\5e48e20c_790adb01\rsJSON.DLL

Filesize
221KB

MD5
e3a81be145cb1dc99bb1c1d6231359e8

SHA1
e58f83a32fe4b524694d54c5e9ace358da9c0301

SHA256
ee938d09bf75fc3c77529ccd73f750f513a75431f5c764eca39fdbbc52312437

SHA512
349802735355aac566a1b0c6c779d6e29dfd1dc0123c375a87e44153ff353c3bfc272e37277c990d0b7e24502d999804e5929ddc596b86e209e6965ffb52f33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\a0b7ab7c-5265-483f-b6f7-59fbc9bc6e2b\UnifiedStub-installer.exe\assembly\dl3\90d1d864\8283dd0c_790adb01\rsAtom.DLL

Filesize
171KB

MD5
de22fe744074c51cf3cf1128fcd349cb

SHA1
f74ecb333920e8f2785e9686e1a7cce0110ab206

SHA256
469f983f68db369448aa6f81fd998e3bf19af8bec023564c2012b1fcc5c40e4b

SHA512
5d3671dab9d6d1f40a9f8d27aeea0a45563898055532f6e1b558100bed182c69e09f1dfd76574cb4ed36d7d3bb6786eff891d54245d3fab4f2ade3fe8f540e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\a0b7ab7c-5265-483f-b6f7-59fbc9bc6e2b\UnifiedStub-installer.exe\assembly\dl3\a7435908\5e48e20c_790adb01\rsServiceController.DLL

Filesize
183KB

MD5
4f7ae47df297d7516157cb5ad40db383

SHA1
c95ad80d0ee6d162b6ab8926e3ac73ac5bd859a3

SHA256
e916df4415ae33f57455e3ea4166fbb8fbe99eeb93a3b9dcab9fe1def45e56ed

SHA512
4398652b53b8d8c8bac584f83d5869985d32fa123f0e976ef92f789b1f7116572a15d0bb02be3fbc80ed326cfb18eea80fec03ee20ed261e95daa4e91e61c65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\rsAtom.dll

Filesize
169KB

MD5
dc15f01282dc0c87b1525f8792eaf34e

SHA1
ad4fdf68a8cffedde6e81954473dcd4293553a94

SHA256
cc036bcf74911fe5afb8e9fcc0d52b3f08b4961bcda4e50851eda4159b1c9998

SHA512
54ee7b7a638d0defcff3a80f0c87705647b722d3d177bc11e80bfe6062a41f138ef99fc8e4c42337b61c0407469ef684b704f710b8ead92b83a14f609f0bc078

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\rsLogger.dll

Filesize
182KB

MD5
1cfc3fc56fe40842094c7506b165573a

SHA1
023b3b389fdfa7a9557623b2742f0f40e4784a5c

SHA256
187da6a5ab64c9b814ab8e1775554688ad3842c3f52f5f318291b9a37d846aa2

SHA512
6bd1ceaf12950d047a87fd2d9c1884c7ac6e45bd94f11be8df8144ddd3f71db096469d1c775cf1cb8bc7926f922e5a6676b759707053e2332aa66f86c951fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\rsStubLib.dll

Filesize
271KB

MD5
3bcbeaab001f5d111d1db20039238753

SHA1
4a9c0048bbbf04aa9fe3dfb9ce3b959da5d960f8

SHA256
897131dd2f9d1e08d66ae407fe25618c8affb99b6da54378521bf4403421b01a

SHA512
de6cde3ad47e6f3982e089700f6184e147a61926f33ead4e2ff5b00926cfc55eb28be6f63eea53f7d15f555fd820453dd3211f0ba766cb3e939c14bb5e0cfc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\rsSyncSvc.exe

Filesize
798KB

MD5
f2738d0a3df39a5590c243025d9ecbda

SHA1
2c466f5307909fcb3e62106d99824898c33c7089

SHA256
6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21

SHA512
4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC31942B8\x64\Reason.ArchiveUtility-x64.dll

Filesize
154KB

MD5
366231ab413d0ce3ad65b38b4ab3e4a6

SHA1
f52e1886563137a4124d3096d7ede5ce1cd1e578

SHA256
ed349b2e11a4c6ada76a72f2462e84551d5451088212a6e0d6fbf4904c8cc19d

SHA512
55b7e9ecab6893331f9cc045a4d60b971fb208ca6f2c12592de98f91389413f9bd5f50460f06507a9cff650b4cec73c61a633f30d1ba869b2ecc93c5a3aaaca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\100.png

Filesize
56KB

MD5
4167c79312b27c8002cbeea023fe8cb5

SHA1
fda8a34c9eba906993a336d01557801a68ac6681

SHA256
c3bf350627b842bed55e6a72ab53da15719b4f33c267a6a132cb99ff6afe3cd8

SHA512
4815746e5e30cbef626228601f957d993752a3d45130feeda335690b7d21ed3d6d6a6dc0ad68a1d5ba584b05791053a4fc7e9ac7b64abd47feaa8d3b919353bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\101.png

Filesize
46KB

MD5
5fd73821f3f097d177009d88dfd33605

SHA1
1bacbbfe59727fa26ffa261fb8002f4b70a7e653

SHA256
a6ecce54116936ca27d4be9797e32bf2f3cfc7e41519a23032992970fbd9d3ba

SHA512
1769a6dfaa30aac5997f8d37f1df3ed4aab5bbee2abbcb30bde4230afed02e1ea9e81720b60f093a4c7fb15e22ee15a3a71ff7b84f052f6759640734af976e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\component0.exe

Filesize
32KB

MD5
a812dc175d792e88d0211e670314ea1a

SHA1
d33d478b7e579cceae05f68d61139d93fd4e1b12

SHA256
826006736f1dfca1200a66ebf6eeccf7a579d2c48e59909a31cbb81cc1e79d65

SHA512
4136ba233d4bf8d2e9c2dec069b902c35cbd291521797a1062fb85d1f9bfb303a409b5549536980cf550558819b6468818db561ac89b4f270be771735534d9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\component1.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\component1_extract\installer.exe

Filesize
24.4MB

MD5
4a547fd0a6622b640dad0d83ca63bd37

SHA1
6dd7b59010cc73581952bd5f1924dca3d6e7bea5

SHA256
a5be5403eb217883643adba57c83b7c4b0db34faf503cc1167b2c73ce54919d5

SHA512
dd1c6d7410d9fca5ce3d0be0eb90b87a811c7f07cba93e2c5d6855c692caec63feec6b8385e79baa4f503cac955e5331fac99936aa1668c127f3fc1ffccb3b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\component1_extract\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PLM2C.tmp\image.jpg

Filesize
11KB

MD5
286ef2f6fa1af5d2891000f05d673953

SHA1
b4a8159a5f11bb5f77b0ddc5f5b5c9ba8e1d0c96

SHA256
898eba7260727caea8464210684fe9dd777a7c14e4b4dd4d775140eebf59d1ee

SHA512
e0ea4f7f01eb1bfc23f8b8326e4abd9b43086d6e3a4d153414fb38a7c6fd96d61a45f683b57eb099ab5b78c18b79d810644b6351b4fdd0199c7e1713d9445eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QTQAC.tmp\windows-movie-maker-16.4.3528.331-installer_Rl-FBg1.tmp

Filesize
3.1MB

MD5
b672b72cb0c230a5cc12e924195093bd

SHA1
ea87c78a1673cf7e6036ea0407ce044e0d0a5219

SHA256
a6cc6e1e93465bfc464956e22cea45f5015ab91bfccccdf98b2fdf3a6ded9295

SHA512
93159e50fd2de40bbf950677d352fa9d2dcb5c56bc5d447cabfeb2804c15de972be559eeb9cbe014e9ece42471905256200b66bf73edf2431eb32b69af9cb479

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwa16E9.tmp

Filesize
161KB

MD5
662de59677aecac08c7f75f978c399da

SHA1
1f85d6be1fa846e4bc90f7a29540466cf3422d24

SHA256
1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb

SHA512
e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qu2mf255.exe

Filesize
2.4MB

MD5
da4311777794bf455ab9e2169d42be90

SHA1
c11c199792e4be6853bfd9498b6b4d04330d5827

SHA256
8d0f43f991c951dca51fe45cf192ddadbb10649983d2324318ef6e824015dd49

SHA512
ec0fd4de236fdef8a55761cfa7e37f219b9fb631950bec55a9c1dc9872f6ad21afe48344d91a5282995724796bf2b411018d16a1f333c57b9dc63755d4d89cbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\windows-movie-maker-16.4.3528.331-installer.exe

Filesize
1.2MB

MD5
8423b539d6dcecf2d710c210f01d6c6a

SHA1
24bcef46ea3ed47158c72a753f6b1b6005468879

SHA256
7d9c68b11e45a763facc7577a51c8c00b7fb654b9ba044deb223e7140a2efe50

SHA512
4db21d0f283e3539c649f6eda114f48a5aaddf32b483bdccfeb5d00859c58b94d4153ea4bce92f39cd26d6042cd3ceccebc74e3ae2a8482eeb975459f9684b02

Download Submit
memory/1412-1206-0x00007FF9D2070000-0x00007FF9D2B31000-memory.dmp

Filesize
10.8MB

Download
memory/1412-456-0x00007FF9D2073000-0x00007FF9D2075000-memory.dmp

Filesize
8KB

Download
memory/1412-70-0x00007FF9D2073000-0x00007FF9D2075000-memory.dmp

Filesize
8KB

Download
memory/1412-71-0x000002A361040000-0x000002A361048000-memory.dmp

Filesize
32KB

Download
memory/1412-72-0x000002A37B970000-0x000002A37BE98000-memory.dmp

Filesize
5.2MB

Download
memory/1412-93-0x00007FF9D2070000-0x00007FF9D2B31000-memory.dmp

Filesize
10.8MB

Download
memory/1412-4632-0x00007FF9D2070000-0x00007FF9D2B31000-memory.dmp

Filesize
10.8MB

Download
memory/1520-4361-0x000002BCE3180000-0x000002BCE33D8000-memory.dmp

Filesize
2.3MB

Download
memory/1520-4336-0x000002BCC8AC0000-0x000002BCC8AE8000-memory.dmp

Filesize
160KB

Download
memory/1520-4335-0x000002BCCA3D0000-0x000002BCCA42A000-memory.dmp

Filesize
360KB

Download
memory/1520-4334-0x000002BCC8650000-0x000002BCC869A000-memory.dmp

Filesize
296KB

Download
memory/1520-4347-0x000002BCE2C90000-0x000002BCE2CD4000-memory.dmp

Filesize
272KB

Download
memory/1520-4337-0x000002BCC8650000-0x000002BCC869A000-memory.dmp

Filesize
296KB

Download
memory/2100-48-0x0000000004CB0000-0x0000000004DF0000-memory.dmp

Filesize
1.2MB

Download
memory/2100-53-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2100-49-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2100-126-0x0000000004CB0000-0x0000000004DF0000-memory.dmp

Filesize
1.2MB

Download
memory/2100-36-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2100-34-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2100-33-0x0000000004CB0000-0x0000000004DF0000-memory.dmp

Filesize
1.2MB

Download
memory/2100-23-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2100-20-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2100-19-0x0000000004CB0000-0x0000000004DF0000-memory.dmp

Filesize
1.2MB

Download
memory/2100-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2100-281-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2152-442-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-489-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-495-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-521-0x00007FF7AC2A0000-0x00007FF7AC2B0000-memory.dmp

Filesize
64KB

Download
memory/2152-528-0x00007FF7AC2A0000-0x00007FF7AC2B0000-memory.dmp

Filesize
64KB

Download
memory/2152-538-0x00007FF79E7C0000-0x00007FF79E7D0000-memory.dmp

Filesize
64KB

Download
memory/2152-540-0x00007FF79E7C0000-0x00007FF79E7D0000-memory.dmp

Filesize
64KB

Download
memory/2152-541-0x00007FF79E7C0000-0x00007FF79E7D0000-memory.dmp

Filesize
64KB

Download
memory/2152-543-0x00007FF79E7C0000-0x00007FF79E7D0000-memory.dmp

Filesize
64KB

Download
memory/2152-562-0x00007FF7AC2A0000-0x00007FF7AC2B0000-memory.dmp

Filesize
64KB

Download
memory/2152-565-0x00007FF7AC2A0000-0x00007FF7AC2B0000-memory.dmp

Filesize
64KB

Download
memory/2152-503-0x00007FF79E7C0000-0x00007FF79E7D0000-memory.dmp

Filesize
64KB

Download
memory/2152-494-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-476-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-480-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-485-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-486-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-487-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-488-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-457-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-490-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-446-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-444-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-491-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-518-0x00007FF7AC2A0000-0x00007FF7AC2B0000-memory.dmp

Filesize
64KB

Download
memory/2152-443-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-492-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-460-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-493-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-478-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-464-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-441-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-465-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-454-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-449-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/2152-467-0x00007FF7C1AE0000-0x00007FF7C1AF0000-memory.dmp

Filesize
64KB

Download
memory/3604-21-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3604-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3604-1-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4664-4088-0x00000145ED460000-0x00000145ED49A000-memory.dmp

Filesize
232KB

Download
memory/4664-249-0x00000145EC6C0000-0x00000145EC772000-memory.dmp

Filesize
712KB

Download
memory/4664-250-0x00000145D3EC0000-0x00000145D3EE2000-memory.dmp

Filesize
136KB

Download
memory/4664-252-0x00000145EC630000-0x00000145EC65E000-memory.dmp

Filesize
184KB

Download
memory/4664-243-0x00000145D2050000-0x00000145D215C000-memory.dmp

Filesize
1.0MB

Download
memory/4664-247-0x00000145D2530000-0x00000145D2560000-memory.dmp

Filesize
192KB

Download
memory/4664-245-0x00000145D2580000-0x00000145D25C6000-memory.dmp

Filesize
280KB

Download
memory/4664-4128-0x00000145ED540000-0x00000145ED570000-memory.dmp

Filesize
192KB

Download
memory/4664-4109-0x00000145ED460000-0x00000145ED48E000-memory.dmp

Filesize
184KB

Download
memory/4664-4099-0x00000145ED460000-0x00000145ED490000-memory.dmp

Filesize
192KB

Download
memory/4664-2410-0x00000145ED400000-0x00000145ED458000-memory.dmp

Filesize
352KB

Download
memory/4664-260-0x00000145ED000000-0x00000145ED058000-memory.dmp

Filesize
352KB

Download
memory/4664-2380-0x00000145ED210000-0x00000145ED260000-memory.dmp

Filesize
320KB

Download
memory/5136-4494-0x00000190FE7D0000-0x00000190FE7F8000-memory.dmp

Filesize
160KB

Download
memory/5136-4698-0x00000190FF510000-0x00000190FF53C000-memory.dmp

Filesize
176KB

Download
memory/5136-4371-0x00000190FE790000-0x00000190FE7C2000-memory.dmp

Filesize
200KB

Download
memory/5136-4719-0x00000191005B0000-0x00000191005D8000-memory.dmp

Filesize
160KB

Download
memory/5136-4492-0x00000190FE710000-0x00000190FE73E000-memory.dmp

Filesize
184KB

Download
memory/5136-4718-0x0000019100610000-0x0000019100664000-memory.dmp

Filesize
336KB

Download
memory/5136-4369-0x00000190FE370000-0x00000190FE39A000-memory.dmp

Filesize
168KB

Download
memory/5136-4495-0x00000190FE930000-0x00000190FE954000-memory.dmp

Filesize
144KB

Download
memory/5136-4368-0x00000190FE820000-0x00000190FE8A8000-memory.dmp

Filesize
544KB

Download
memory/5136-4713-0x00000191008B0000-0x00000191009B0000-memory.dmp

Filesize
1024KB

Download
memory/5136-4496-0x00000190FE960000-0x00000190FE986000-memory.dmp

Filesize
152KB

Download
memory/5136-4510-0x00000190FECA0000-0x00000190FEF48000-memory.dmp

Filesize
2.7MB

Download
memory/5136-4367-0x00000190FE750000-0x00000190FE788000-memory.dmp

Filesize
224KB

Download
memory/5136-4710-0x00000190FFBB0000-0x00000190FFBDA000-memory.dmp

Filesize
168KB

Download
memory/5136-4709-0x0000019100730000-0x00000191008A6000-memory.dmp

Filesize
1.5MB

Download
memory/5136-4526-0x00000190E57D0000-0x00000190E5800000-memory.dmp

Filesize
192KB

Download
memory/5136-4527-0x00000190FEA90000-0x00000190FEAEE000-memory.dmp

Filesize
376KB

Download
memory/5136-4528-0x00000190FEF50000-0x00000190FF2B9000-memory.dmp

Filesize
3.4MB

Download
memory/5136-4529-0x00000190FEA30000-0x00000190FEA7F000-memory.dmp

Filesize
316KB

Download
memory/5136-4708-0x00000190FFAB0000-0x00000190FFADC000-memory.dmp

Filesize
176KB

Download
memory/5136-4531-0x00000190FF550000-0x00000190FF7D6000-memory.dmp

Filesize
2.5MB

Download
memory/5136-4532-0x00000190FEB60000-0x00000190FEBC6000-memory.dmp

Filesize
408KB

Download
memory/5136-4707-0x00000190FFFC0000-0x00000190FFFF4000-memory.dmp

Filesize
208KB

Download
memory/5136-4570-0x0000019080080000-0x00000190800BA000-memory.dmp

Filesize
232KB

Download
memory/5136-4571-0x0000019080040000-0x0000019080066000-memory.dmp

Filesize
152KB

Download
memory/5136-4572-0x00000190FF380000-0x00000190FF432000-memory.dmp

Filesize
712KB

Download
memory/5136-4573-0x00000190FEC10000-0x00000190FEC44000-memory.dmp

Filesize
208KB

Download
memory/5136-4574-0x00000190FEAF0000-0x00000190FEB1A000-memory.dmp

Filesize
168KB

Download
memory/5136-4706-0x00000190FFA80000-0x00000190FFAAA000-memory.dmp

Filesize
168KB

Download
memory/5136-4576-0x00000190FF440000-0x00000190FF4A6000-memory.dmp

Filesize
408KB

Download
memory/5136-4705-0x00000190FFC60000-0x00000190FFCB4000-memory.dmp

Filesize
336KB

Download
memory/5136-4578-0x0000019100000000-0x00000191005A4000-memory.dmp

Filesize
5.6MB

Download
memory/5136-4704-0x00000190FFF40000-0x00000190FFFB6000-memory.dmp

Filesize
472KB

Download
memory/5136-4703-0x00000190FFBE0000-0x00000190FFC60000-memory.dmp

Filesize
512KB

Download
memory/5136-4702-0x00000190FFAF0000-0x00000190FFB58000-memory.dmp

Filesize
416KB

Download
memory/5136-4370-0x00000190FE8B0000-0x00000190FE928000-memory.dmp

Filesize
480KB

Download
memory/5136-4685-0x00000190FFA40000-0x00000190FFA72000-memory.dmp

Filesize
200KB

Download
memory/5136-4647-0x00000190FF2C0000-0x00000190FF302000-memory.dmp

Filesize
264KB

Download
memory/5136-4651-0x00000190FFCC0000-0x00000190FFF40000-memory.dmp

Filesize
2.5MB

Download
memory/5136-4670-0x00000190FF340000-0x00000190FF368000-memory.dmp

Filesize
160KB

Download
memory/5136-4662-0x00000190FEC50000-0x00000190FEC82000-memory.dmp

Filesize
200KB

Download
memory/5136-4666-0x00000190FF310000-0x00000190FF336000-memory.dmp

Filesize
152KB

Download
memory/5136-4665-0x00000190E5790000-0x00000190E5798000-memory.dmp

Filesize
32KB

Download
memory/5596-4530-0x00000290EE220000-0x00000290EE24E000-memory.dmp

Filesize
184KB

Download
memory/5596-4533-0x00000290EE310000-0x00000290EE3C2000-memory.dmp

Filesize
712KB

Download
memory/5596-4634-0x00000290EFB80000-0x00000290EFB8A000-memory.dmp

Filesize
40KB

Download
memory/5596-4633-0x00000290EFB70000-0x00000290EFB78000-memory.dmp

Filesize
32KB

Download
memory/5596-4631-0x00000290EE820000-0x00000290EE82A000-memory.dmp

Filesize
40KB

Download
memory/5596-4630-0x00000290EE840000-0x00000290EE856000-memory.dmp

Filesize
88KB

Download
memory/5596-4652-0x00000290F0950000-0x00000290F0958000-memory.dmp

Filesize
32KB

Download
memory/5596-4575-0x00000290EE9D0000-0x00000290EECC0000-memory.dmp

Filesize
2.9MB

Download
memory/5596-4577-0x00000290EE740000-0x00000290EE79E000-memory.dmp

Filesize
376KB

Download
memory/5984-4329-0x0000018976530000-0x00000189766AC000-memory.dmp

Filesize
1.5MB

Download
memory/5984-4328-0x0000018976720000-0x0000018976A86000-memory.dmp

Filesize
3.4MB

Download
memory/5984-4330-0x0000018975AC0000-0x0000018975ADA000-memory.dmp

Filesize
104KB

Download
memory/5984-4331-0x0000018975B40000-0x0000018975B62000-memory.dmp

Filesize
136KB

Download
memory/6388-4304-0x000001E59F5B0000-0x000001E59F5C2000-memory.dmp

Filesize
72KB

Download
memory/6388-4305-0x000001E59F670000-0x000001E59F6AC000-memory.dmp

Filesize
240KB

Download
memory/6388-4291-0x000001E59F1A0000-0x000001E59F1CE000-memory.dmp

Filesize
184KB

Download
memory/6388-4290-0x000001E59F1A0000-0x000001E59F1CE000-memory.dmp

Filesize
184KB

Download
memory/6992-4493-0x00000145D5010000-0x00000145D51D0000-memory.dmp

Filesize
1.8MB

Download
memory/6992-4491-0x00000145BA980000-0x00000145BA9AA000-memory.dmp

Filesize
168KB

Download
memory/6992-4497-0x00000145BA980000-0x00000145BA9AA000-memory.dmp

Filesize
168KB

Download