cobaltstrike | hxxps://cheatengine[.]net/download/file[.]php?id=10133

Analysis

max time kernel
375s
max time network
373s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cheatengine.net/download/file.php?id=10133

Score

10^/10

cobaltstrike backdoor discovery evasion execution persistence spyware stealer trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000023928-4058.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0008000000023929-4064.dat	disable_win_def

Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsDwf.sys	UnifiedStub-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsDwf.sys	UnifiedStub-installer.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEngineSvc.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Cheat Engine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Cheat Engine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	prod0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rsVPNSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	CheatEngine75.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	rsAppUI.exe

Executes dropped EXE 60 IoCs

pid	Process
5052	CheatEngine75.exe
2200	CheatEngine75.exe
3836	CheatEngine75.tmp
4300	CheatEngine75.tmp
1012	prod0.exe
4892	CheatEngine75.exe
4288	CheatEngine75.tmp
4616	yz2dadiu.exe
2612	UnifiedStub-installer.exe
3912	_setup64.tmp
1208	rsSyncSvc.exe
1880	rsSyncSvc.exe
752	Kernelmoduleunloader.exe
2440	windowsrepair.exe
7000	rsWSC.exe
6564	rsWSC.exe
4184	rsClientSvc.exe
5852	rsClientSvc.exe
5952	rsEngineSvc.exe
7984	rsEngineSvc.exe
7656	rsEDRSvc.exe
7952	rsEDRSvc.exe
5860	rsHelper.exe
4548	rsVPNClientSvc.exe
7560	rsVPNClientSvc.exe
7616	rsVPNSvc.exe
7080	rsVPNSvc.exe
8740	VPN.exe
8760	rsAppUI.exe
6896	rsAppUI.exe
1532	rsAppUI.exe
6436	rsAppUI.exe
6976	rsAppUI.exe
8712	EPP.exe
8748	rsAppUI.exe
6112	rsAppUI.exe
5940	rsAppUI.exe
6876	rsAppUI.exe
6376	rsLitmus.A.exe
8400	rsDNSClientSvc.exe
8924	rsDNSClientSvc.exe
6968	rsDNSResolver.exe
8632	rsDNSResolver.exe
7704	rsDNSResolver.exe
8216	rsDNSSvc.exe
8028	rsDNSSvc.exe
8696	Cheat Engine.exe
8056	cheatengine-x86_64-SSE4-AVX2.exe
7172	rsAppUI.exe
6644	DNS.exe
6872	rsAppUI.exe
8880	rsAppUI.exe
6160	rsAppUI.exe
6344	rsAppUI.exe
6384	Cheat Engine.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe
1216	rsAppUI.exe
6012	rsAppUI.exe
6432	rsAppUI.exe
5768	rsAppUI.exe

Loads dropped DLL 64 IoCs

pid	Process
4300	CheatEngine75.tmp
3836	CheatEngine75.tmp
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
7984	rsEngineSvc.exe
7952	rsEDRSvc.exe
7984	rsEngineSvc.exe
2612	UnifiedStub-installer.exe
7984	rsEngineSvc.exe
2612	UnifiedStub-installer.exe
7080	rsVPNSvc.exe
8760	rsAppUI.exe
8760	rsAppUI.exe
6896	rsAppUI.exe
1532	rsAppUI.exe
6896	rsAppUI.exe
6896	rsAppUI.exe
6896	rsAppUI.exe
6896	rsAppUI.exe
6436	rsAppUI.exe
6976	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
2612	UnifiedStub-installer.exe
6112	rsAppUI.exe
6112	rsAppUI.exe
6112	rsAppUI.exe
6112	rsAppUI.exe
6112	rsAppUI.exe
5940	rsAppUI.exe
6876	rsAppUI.exe
8028	rsDNSSvc.exe
8056	cheatengine-x86_64-SSE4-AVX2.exe
8056	cheatengine-x86_64-SSE4-AVX2.exe
8056	cheatengine-x86_64-SSE4-AVX2.exe
8056	cheatengine-x86_64-SSE4-AVX2.exe
8056	cheatengine-x86_64-SSE4-AVX2.exe
8056	cheatengine-x86_64-SSE4-AVX2.exe
8056	cheatengine-x86_64-SSE4-AVX2.exe
7172	rsAppUI.exe
7704	rsDNSResolver.exe
7704	rsDNSResolver.exe
6872	rsAppUI.exe
6872	rsAppUI.exe
6872	rsAppUI.exe
6872	rsAppUI.exe
8880	rsAppUI.exe
6160	rsAppUI.exe
6344	rsAppUI.exe
8880	rsAppUI.exe
8880	rsAppUI.exe
8880	rsAppUI.exe
8880	rsAppUI.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe
1216	rsAppUI.exe
1216	rsAppUI.exe
1216	rsAppUI.exe
1216	rsAppUI.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
220	icacls.exe
3660	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	rsEngineSvc.exe
File opened (read-only)	\??\F:	rsEDRSvc.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000023928-4058.dat	autoit_exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	rsEDRSvc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\KERNELBASE.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shell32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\user32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\sechost.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\imm32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\rsVPNSvc\WireGuard\log.bin	rsVPNSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_DAC1C5D04FA8A8BC5129626251DE9CCA	rsEngineSvc.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\advapi32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ole32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_96B11076AA4494A4A6143129F61AEC8B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_607A58EEE9CB7145B2928F6E2D210D0B	rsEngineSvc.exe
File opened for modification	C:\Windows\System32\advapi32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_56DB209C155B5A05FCBF555DF7E6D1BB	rsEDRSvc.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7850C7BAFAC9456B4B92328A61976502_E3986D37B77FFFC158DD1695D3C4876D	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\psapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\GDI32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\winmm.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_1FB605FD2412C4F94AD934D8134A28AC	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928	rsEngineSvc.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEngineSvc.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_DAC1C5D04FA8A8BC5129626251DE9CCA	rsEngineSvc.exe
File opened for modification	C:\Windows\System32\KERNEL32.DLL	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shell32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_ACC1A26A3F5A815A00C8D5589432921F	rsEngineSvc.exe
File opened for modification	C:\Windows\System32\shcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\sechost.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BD96F9183ADE69B6DF458457F594566C_48BDF541C9BF1B2BAD41358CD874DC4B	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_EC4B03A84E582F11EFD1DC6D27A523EE	rsEngineSvc.exe
File opened for modification	C:\Windows\SYSTEM32\windows.storage.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\49855FCDFA62840A2838AEF1EFAC3C9B	rsEDRSvc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\ReasonLabs\VPN\de\Microsoft.Win32.TaskScheduler.resources.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\ws2_32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\win64\dbghelp.dll	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\rsHelper.RPC.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Win32.Primitives.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\Newtonsoft.Json.dll	UnifiedStub-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\images\is-P9FNL.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-E7CC5.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\DNS\rsEngine.Time.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\CoreUIComponents.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\VPN\System.ObjectModel.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.IO.FileSystem.Watcher.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Threading.Tasks.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\CheatEngine.chm	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\UxTheme.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.sys	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Dynamic.Runtime.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.IO.Compression.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\msvcrt.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-ODIPQ.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Principal.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.ComponentModel.TypeConverter.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Watcher.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sw.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Encoding.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\af.pak	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\lua53-64.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\iphlpapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sys\is-S3B9F.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\MonoDataCollector\is-IAGEU.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.ComponentModel.TypeConverter.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\OpenVPN\legacy\amd64\OemVista.inf	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\ole32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\profapi.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\speedhack-i386.dll	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\DNS\System.Xml.XPath.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsExtensionHost.exe	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Text.Encoding.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\shell32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Http.dll	UnifiedStub-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-J6430.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\is-JE2H4.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\nb.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\version	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.IO.UnmanagedMemoryStream.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\zh-CN.pak	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\hhctrl.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\combase.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\WinTypes.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc32-32.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-ROIRJ.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\DNS\System.Globalization.Extensions.dll	UnifiedStub-installer.exe
File created	C:\Program Files\Cheat Engine 7.5\plugins\c# template\is-63L6I.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Common\is-N5NCB.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\clibs64\is-CGO9Q.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-3UL9T.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\sr.pak	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\kernel32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\winhttp.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\Cheat Engine 7.5\include\is-3CPH2.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Reflection.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\Microsoft.Win32.SystemEvents.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\id.pak	UnifiedStub-installer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	cheatengine-x86_64-SSE4-AVX2.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4956	sc.exe
516	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5796	4300	WerFault.exe	140
6520	4300	WerFault.exe	140

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kernelmoduleunloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat Engine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat Engine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsrepair.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yz2dadiu.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Control	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	rsEDRSvc.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rsEDRSvc.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rsEDRSvc.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsVPNSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsWSC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rsEngineSvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rsWSC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsWSC.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "4"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	cheatengine-x86_64-SSE4-AVX2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "6"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 200000001a00eebbfe23000010009bee837d4422704eb1f55393042af1e400000000	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{A83D3EF8-CDB3-4D60-BEC7-D2481AC4747C}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	cheatengine-x86_64-SSE4-AVX2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	cheatengine-x86_64-SSE4-AVX2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	cheatengine-x86_64-SSE4-AVX2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine75.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	cheatengine-x86_64-SSE4-AVX2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	cheatengine-x86_64-SSE4-AVX2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	cheatengine-x86_64-SSE4-AVX2.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	cheatengine-x86_64-SSE4-AVX2.exe

Modifies system certificate store 2 TTPs 25 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 19000000010000001000000014d4b19434670e6dc091d154abb20edc030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f7e00000001000000080000000080c82b6886d7017f000000010000000c000000300a06082b060105050703031d000000010000001000000052135310639a10f77f886b229b9f7afc1400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab553000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d0020004700320000000f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa42000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rsEDRSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsEDRSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	rsEDRSvc.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 81489.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2544	NOTEPAD.EXE

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	198	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	201	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	330	Cheat Engine 7.5 : luascript-ceshare
HTTP User-Agent header	330	Cheat Engine 7.5 : luascript-CEVersionCheck

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	msedge.exe
1712	msedge.exe
4772	msedge.exe
4772	msedge.exe
60	identity_helper.exe
60	identity_helper.exe
4860	msedge.exe
4860	msedge.exe
812	msedge.exe
812	msedge.exe
1788	msedge.exe
1788	msedge.exe
1788	msedge.exe
1788	msedge.exe
4700	msedge.exe
4700	msedge.exe
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4288	CheatEngine75.tmp
4288	CheatEngine75.tmp
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
2612	UnifiedStub-installer.exe
5852	rsClientSvc.exe
5852	rsClientSvc.exe
7984	rsEngineSvc.exe
7984	rsEngineSvc.exe
7984	rsEngineSvc.exe
7984	rsEngineSvc.exe
7984	rsEngineSvc.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
976	OpenWith.exe
8056	cheatengine-x86_64-SSE4-AVX2.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
5248	fltmc.exe
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	prod0.exe
Token: SeDebugPrivilege	2612	UnifiedStub-installer.exe
Token: SeShutdownPrivilege	2612	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	2612	UnifiedStub-installer.exe
Token: SeDebugPrivilege	2612	UnifiedStub-installer.exe
Token: SeSecurityPrivilege	5600	wevtutil.exe
Token: SeBackupPrivilege	5600	wevtutil.exe
Token: SeLoadDriverPrivilege	5248	fltmc.exe
Token: SeSecurityPrivilege	7084	wevtutil.exe
Token: SeBackupPrivilege	7084	wevtutil.exe
Token: SeDebugPrivilege	7000	rsWSC.exe
Token: SeDebugPrivilege	6564	rsWSC.exe
Token: SeDebugPrivilege	5952	rsEngineSvc.exe
Token: SeDebugPrivilege	5952	rsEngineSvc.exe
Token: SeDebugPrivilege	5952	rsEngineSvc.exe
Token: SeBackupPrivilege	5952	rsEngineSvc.exe
Token: SeRestorePrivilege	5952	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	5952	rsEngineSvc.exe
Token: SeDebugPrivilege	7984	rsEngineSvc.exe
Token: SeDebugPrivilege	7984	rsEngineSvc.exe
Token: SeDebugPrivilege	7984	rsEngineSvc.exe
Token: SeBackupPrivilege	7984	rsEngineSvc.exe
Token: SeRestorePrivilege	7984	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	7984	rsEngineSvc.exe
Token: SeShutdownPrivilege	2612	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	2612	UnifiedStub-installer.exe
Token: SeDebugPrivilege	7952	rsEDRSvc.exe
Token: SeDebugPrivilege	7952	rsEDRSvc.exe
Token: SeDebugPrivilege	7952	rsEDRSvc.exe
Token: SeShutdownPrivilege	7984	rsEngineSvc.exe
Token: SeCreatePagefilePrivilege	7984	rsEngineSvc.exe
Token: SeDebugPrivilege	5860	rsHelper.exe
Token: SeDebugPrivilege	5860	rsHelper.exe
Token: SeDebugPrivilege	5860	rsHelper.exe
Token: SeBackupPrivilege	5860	rsHelper.exe
Token: SeRestorePrivilege	5860	rsHelper.exe
Token: SeLoadDriverPrivilege	5860	rsHelper.exe
Token: SeDebugPrivilege	2612	UnifiedStub-installer.exe
Token: SeDebugPrivilege	7616	rsVPNSvc.exe
Token: SeDebugPrivilege	7616	rsVPNSvc.exe
Token: SeDebugPrivilege	7616	rsVPNSvc.exe
Token: SeBackupPrivilege	7616	rsVPNSvc.exe
Token: SeRestorePrivilege	7616	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	7616	rsVPNSvc.exe
Token: SeDebugPrivilege	7080	rsVPNSvc.exe
Token: SeDebugPrivilege	7080	rsVPNSvc.exe
Token: SeDebugPrivilege	7080	rsVPNSvc.exe
Token: SeBackupPrivilege	7080	rsVPNSvc.exe
Token: SeRestorePrivilege	7080	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	7080	rsVPNSvc.exe
Token: SeDebugPrivilege	7080	rsVPNSvc.exe
Token: SeDebugPrivilege	7080	rsVPNSvc.exe
Token: SeBackupPrivilege	7080	rsVPNSvc.exe
Token: SeRestorePrivilege	7080	rsVPNSvc.exe
Token: SeLoadDriverPrivilege	7080	rsVPNSvc.exe
Token: SeShutdownPrivilege	7080	rsVPNSvc.exe
Token: SeCreatePagefilePrivilege	7080	rsVPNSvc.exe
Token: SeShutdownPrivilege	8760	rsAppUI.exe
Token: SeCreatePagefilePrivilege	8760	rsAppUI.exe
Token: SeShutdownPrivilege	8760	rsAppUI.exe
Token: SeCreatePagefilePrivilege	8760	rsAppUI.exe
Token: SeShutdownPrivilege	8760	rsAppUI.exe
Token: SeCreatePagefilePrivilege	8760	rsAppUI.exe
Token: SeShutdownPrivilege	2612	UnifiedStub-installer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp
4300	CheatEngine75.tmp

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
4772	msedge.exe
8760	rsAppUI.exe
8760	rsAppUI.exe
8760	rsAppUI.exe
8760	rsAppUI.exe
8760	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
8748	rsAppUI.exe
6872	rsAppUI.exe
6872	rsAppUI.exe
6872	rsAppUI.exe
6872	rsAppUI.exe
6872	rsAppUI.exe
6872	rsAppUI.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
3132	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
976	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
2988	OpenWith.exe
8056	cheatengine-x86_64-SSE4-AVX2.exe
6384	Cheat Engine.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe
1552	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4708	4772	msedge.exe	83
PID 4772 wrote to memory of 4708	4772	msedge.exe	83
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 4984	4772	msedge.exe	84
PID 4772 wrote to memory of 1712	4772	msedge.exe	85
PID 4772 wrote to memory of 1712	4772	msedge.exe	85
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86
PID 4772 wrote to memory of 4612	4772	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cheatengine.net/download/file.php?id=10133
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffeed946f8,0x7fffeed94708,0x7fffeed94718
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2312 /prefetch:2
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7204 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7548 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4700
- C:\Users\Admin\Downloads\CheatEngine75.exe
  "C:\Users\Admin\Downloads\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\is-CJ0QN.tmp\CheatEngine75.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-CJ0QN.tmp\CheatEngine75.tmp" /SL5="$1A0112,29071676,832512,C:\Users\Admin\Downloads\CheatEngine75.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\prod0.exe
      "C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\prod0.exe" -ip:"dui=ea0aa4d6-aa48-4733-9e64-85ab59ce35b0&dit=20240923044647&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=ea0aa4d6-aa48-4733-9e64-85ab59ce35b0&dit=20240923044647&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=ea0aa4d6-aa48-4733-9e64-85ab59ce35b0&dit=20240923044647&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1012
    - - C:\Users\Admin\AppData\Local\Temp\yz2dadiu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\yz2dadiu.exe" /silent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
      - C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\UnifiedStub-installer.exe
        
        .\UnifiedStub-installer.exe /silent
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        7⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        7⤵
        Adds Run key to start application
        
        PID:5988
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        
        PID:5940
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:5788
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5600
        
        C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        7⤵
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7084
        
        C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:7000
        
        C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
        7⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5952
        
        C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
        
        "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
        7⤵
        Executes dropped EXE
        
        PID:7656
        
        C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:7616
        
        \??\c:\windows\system32\rundll32.exe
        
        "c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf
        7⤵
        Adds Run key to start application
        
        PID:7852
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        
        PID:5252
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:6632
        
        C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:8400
        
        C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -i -service install
        7⤵
        Executes dropped EXE
        
        PID:6968
        
        C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
        7⤵
        Executes dropped EXE
        
        PID:8632
        
        C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i -i
        7⤵
        Executes dropped EXE
        
        PID:8216
  - - C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\CheatEngine75.exe
      "C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\is-A1LK0.tmp\CheatEngine75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-A1LK0.tmp\CheatEngine75.tmp" /SL5="$4017E,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
      - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        6⤵
        
        PID:4184
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        7⤵
        
        PID:4284
      - C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        6⤵
        
        PID:3192
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        7⤵
        
        PID:2312
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        6⤵
        Launches sc.exe
        
        PID:4956
      - C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        6⤵
        Launches sc.exe
        
        PID:516
      - C:\Users\Admin\AppData\Local\Temp\is-211IO.tmp\_isetup\_setup64.tmp
        
        helper 105 0x474
        6⤵
        Executes dropped EXE
        
        PID:3912
      - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:220
      - C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:752
      - C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2440
      - C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        6⤵
        Modifies file permissions
        
        PID:3660
  - - C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
      "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:8696
    - - C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
        
        "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:8056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1000
      4⤵
      Program crash
      PID:5796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1040
      4⤵
      Program crash
      PID:6520
- C:\Users\Admin\Downloads\CheatEngine75.exe
  "C:\Users\Admin\Downloads\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\is-4J4U7.tmp\CheatEngine75.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-4J4U7.tmp\CheatEngine75.tmp" /SL5="$40278,29071676,832512,C:\Users\Admin\Downloads\CheatEngine75.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3836
- C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
  "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe" "C:\Users\Admin\Downloads\game.CT"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6384
- - C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
    "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe" "C:\Users\Admin\Downloads\game.CT"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://modengine.net/
      4⤵
      PID:5308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffeed946f8,0x7fffeed94708,0x7fffeed94718
        5⤵
        
        PID:6768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://modengine.net/
      4⤵
      PID:3888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffeed946f8,0x7fffeed94708,0x7fffeed94718
        5⤵
        
        PID:5648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://modengine.net/
      4⤵
      PID:936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffeed946f8,0x7fffeed94708,0x7fffeed94718
        5⤵
        
        PID:6864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:8196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2296,8317411623908064361,12211014764470433356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1452 /prefetch:1
  2⤵
  PID:6604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5076

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:976
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\game.CT
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4284

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:1880

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6564

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5852

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7984
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5860
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  - Executes dropped EXE
  PID:8712
- - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SendNotifyMessage
    PID:8748
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,16833305045738437077,6302996736725709161,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1740 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6112
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --field-trial-handle=2056,i,16833305045738437077,6302996736725709161,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2052 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5940
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2348,i,16833305045738437077,6302996736725709161,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2344 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:6876
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3512,i,16833305045738437077,6302996736725709161,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3408 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:7172
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3152,i,16833305045738437077,6302996736725709161,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1216
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3424,i,16833305045738437077,6302996736725709161,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2764 /prefetch:8
      4⤵
      Executes dropped EXE
      PID:6432
- C:\program files\reasonlabs\epp\rsLitmus.A.exe
  "C:\program files\reasonlabs\epp\rsLitmus.A.exe"
  2⤵
  - Executes dropped EXE
  PID:6376

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks system information in the registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:7952

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
- Executes dropped EXE
PID:7560

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7080
- \??\c:\program files\reasonlabs\VPN\ui\VPN.exe
  "c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
  2⤵
  - Executes dropped EXE
  PID:8740
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    PID:8760
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2232 --field-trial-handle=2236,i,467455606532847927,16852399660550141345,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6896
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --mojo-platform-channel-handle=2624 --field-trial-handle=2236,i,467455606532847927,16852399660550141345,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1532
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2796 --field-trial-handle=2236,i,467455606532847927,16852399660550141345,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:6436
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3872 --field-trial-handle=2236,i,467455606532847927,16852399660550141345,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:6976
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3728 --field-trial-handle=2236,i,467455606532847927,16852399660550141345,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      PID:6012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5164

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:9088

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
1⤵
- Executes dropped EXE
PID:8924

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7704

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:8028
- \??\c:\program files\reasonlabs\DNS\ui\DNS.exe
  "c:\program files\reasonlabs\DNS\ui\DNS.exe" --minimized --focused --first-run
  2⤵
  - Executes dropped EXE
  PID:6644
- - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\DNS\ui\app.asar" --engine-path="c:\program files\reasonlabs\DNS" --minimized --focused --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SendNotifyMessage
    PID:6872
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2264 --field-trial-handle=2268,i,7648687434333183317,10240965099747427896,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:8880
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --mojo-platform-channel-handle=2584 --field-trial-handle=2268,i,7648687434333183317,10240965099747427896,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6160
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --app-user-model-id=com.reasonlabs.dns --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2720 --field-trial-handle=2268,i,7648687434333183317,10240965099747427896,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:6344
  - - C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3600 --field-trial-handle=2268,i,7648687434333183317,10240965099747427896,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      Executes dropped EXE
      PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4300 -ip 4300
1⤵
PID:8740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4300 -ip 4300
1⤵
PID:8432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fffdbe7cc40,0x7fffdbe7cc4c,0x7fffdbe7cc58
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,183819029383070543,11152779559286011053,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2196,i,183819029383070543,11152779559286011053,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  PID:8664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,183819029383070543,11152779559286011053,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,183819029383070543,11152779559286011053,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3404,i,183819029383070543,11152779559286011053,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:6376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,183819029383070543,11152779559286011053,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4212,i,183819029383070543,11152779559286011053,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4204,i,183819029383070543,11152779559286011053,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3812 /prefetch:8
  2⤵
  PID:7648

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe

Filesize
389KB

MD5
f921416197c2ae407d53ba5712c3930a

SHA1
6a7daa7372e93c48758b9752c8a5a673b525632b

SHA256
e31b233ddf070798cc0381cc6285f6f79ea0c17b99737f7547618dcfd36cdc0e

SHA512
0139efb76c2107d0497be9910836d7c19329e4399aa8d46bbe17ae63d56ab73004c51b650ce38d79681c22c2d1b77078a7d7185431882baf3e7bef473ac95dce

Download Submit
C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png

Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\Cheat Engine 7.5\is-VDAOG.tmp

Filesize
12.2MB

MD5
5be6a65f186cf219fa25bdd261616300

SHA1
b5d5ae2477653abd03b56d1c536c9a2a5c5f7487

SHA256
274e91a91a7a520f76c8e854dc42f96484af2d69277312d861071bde5a91991c

SHA512
69634d85f66127999ea4914a93b3b7c90bc8c8fab1b458cfa6f21ab0216d1dacc50976354f7f010bb31c5873cc2d2c30b4a715397fb0e9e01a5233c2521e7716

Download Submit
C:\Program Files\Cheat Engine 7.5\windowsrepair.exe

Filesize
262KB

MD5
9a4d1b5154194ea0c42efebeb73f318f

SHA1
220f8af8b91d3c7b64140cbb5d9337d7ed277edb

SHA256
2f3214f799b0f0a2f3955dbdc64c7e7c0e216f1a09d2c1ad5d0a99921782e363

SHA512
6eef3254fc24079751fc8c38dda9a8e44840e5a4df1ff5adf076e4be87127075a7fea59ba7ef9b901aaf10eb64f881fc8fb306c2625140169665dd3991e5c25b

Download Submit
C:\Program Files\ReasonLabs\DNS\InstallerLib.dll

Filesize
293KB

MD5
9ad265e9300147b1329f0314ead710f1

SHA1
bb1eae5655bdc9a2da6508c0ad89657c471a8aea

SHA256
68755edc27b119b9130913535221df0ac5b8103caec8ca79e30889c1698c95bd

SHA512
e24f0986c688b628ab4e0fd66200b0bdb7f971b61712a931bfea72dba2fd21d8fc50b092eff0f41926649556bc11ad46f53b8b96655b7805924f1a7c3a7ad3e8

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
248B

MD5
6002495610dcf0b794670f59c4aa44c6

SHA1
f521313456e9d7cf8302b8235f7ccb1c2266758f

SHA256
982a41364a7567fe149d4d720749927b2295f1f617df3eba4f52a15c7a4829ad

SHA512
dfc2e0184436ffe8fb80a6e0a27378a8085c3aa096bbf0402a39fb766775624b3f1041845cf772d3647e4e4cde34a45500891a05642e52bae4a397bd4f323d67

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
633B

MD5
c80d4a697b5eb7632bc25265e35a4807

SHA1
9117401d6830908d82cbf154aa95976de0d31317

SHA256
afe1e50cc967c3bb284847a996181c22963c3c02db9559174e0a1e4ba503cce4

SHA512
8076b64e126d0a15f6cbde31cee3d6ebf570492e36a178fa581aaa50aa0c1e35f294fef135fa3a3462eedd6f1c4eaa49c373b98ee5a833e9f863fbe6495aa036

Download Submit
C:\Program Files\ReasonLabs\DNS\rsEngine.Core.dll

Filesize
324KB

MD5
ae81336a538d2b43a3b063c9eb4c38a4

SHA1
a8189ac5789753a48090973f709a15514d9751d9

SHA256
c36d9e2f8b5ca95d4512fd8af284b37b174cd7b647f23d117ac08c17f5f672a7

SHA512
577280f0dcc52e8a94f839aa7d093e7d2ce9f82246669ce3a6636a21dbed3509a94868087568115fd027dbea25dbd64ad5bd5be88b7e95fbf762024cff0efc8e

Download Submit
C:\Program Files\ReasonLabs\DNS\ui\DNS.exe

Filesize
430KB

MD5
0969e0a4d0930b3863c7a5ae4a44c199

SHA1
8c6c08d3f88e4391179fa58a552f799038269278

SHA256
e6c522522579b4c3afe405301febad9a2cb65f63ee7800d5dd49dead7b865507

SHA512
c8f47598bb08cc605064edc8f0760994ed2415a32fd28f534773f8120e684ac14c4633d3650c29f7320a9dfe05bf53136c5f83e2fc977d040da17e89eeef3480

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
248B

MD5
7c9b77fe49d24ef989c12e52bba2b7bc

SHA1
37b9ee5a72f1387776e3dc67c7c3ebeb2effac7a

SHA256
2dd1c9e0e4cd57cda19b20412556e7b6d536c1e82b7913976ad6e4774d52ca60

SHA512
9f52be631ca374c090639c4de41d6bd64805870d39545a40d7567a80e936c901a4123d9e42eb92f83e1504de6dabcadedf59363b8ccbb9ccc909794903fae529

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
633B

MD5
6895e7ce1a11e92604b53b2f6503564e

SHA1
6a69c00679d2afdaf56fe50d50d6036ccb1e570f

SHA256
3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177

SHA512
314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
339KB

MD5
030ec41ba701ad46d99072c77866b287

SHA1
37bc437f07aa507572b738edc1e0c16a51e36747

SHA256
d5a78100ebbcd482b5be987eaa572b448015fb644287d25206a07da28eae58f8

SHA512
075417d0845eb54a559bd2dfd8c454a285f430c78822ebe945b38c8d363bc4ccced2c276c8a5dec47f58bb6065b2eac627131a7c60f5ded6e780a2f53d7d4bde

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
e0f93d92ed9b38cab0e69bdbd067ea08

SHA1
065522092674a8192d33dac78578299e38fce206

SHA256
73ad69efeddd3f1e888102487a4e2dc1696ca222954a760297d45571f8d10d31

SHA512
eb8e3e8069ff847b9e8108ad1e9f7bd50aca541fc135fdd2ad440520439e5c856e8d413ea3ad8ba45dc6497ba20d8f881ed83a6b02d438f5d3940e5f47c4725c

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
348KB

MD5
41dd1b11942d8ba506cb0d684eb1c87b

SHA1
4913ed2f899c8c20964fb72d5b5d677e666f6c32

SHA256
bd72594711749a9e4f62baabfadfda5a434f7f38d199da6cc13ba774965f26f1

SHA512
3bb1a1362da1153184c7018cb17a24a58dab62b85a8453371625ce995a44f40b65c82523ef14c2198320220f36aafdade95c70eecf033dd095c3eada9dee5c34

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
6KB

MD5
87ac4effc3172b757daf7d189584e50d

SHA1
9c55dd901e1c35d98f70898640436a246a43c5e4

SHA256
21b6f7f9ebb5fae8c5de6610524c28cbd6583ff973c3ca11a420485359177c86

SHA512
8dc5a43145271d0a196d87680007e9cec73054b0c3b8e92837723ce0b666a20019bf1f2029ed96cd45f3a02c688f88b5f97af3edc25e92174c38040ead59eefe

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
257B

MD5
2afb72ff4eb694325bc55e2b0b2d5592

SHA1
ba1d4f70eaa44ce0e1856b9b43487279286f76c9

SHA256
41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

SHA512
5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
239B

MD5
1264314190d1e81276dde796c5a3537c

SHA1
ab1c69efd9358b161ec31d7701d26c39ee708d57

SHA256
8341a3cae0acb500b9f494bdec870cb8eb8e915174370d41c57dcdae622342c5

SHA512
a3f36574dce70997943d93a8d5bebe1b44be7b4aae05ed5a791aee8c3aab908c2eca3275f7ce636a230a585d40896dc637be1fb597b10380d0c258afe4e720e9

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
508e66e07e31905a64632a79c3cab783

SHA1
ad74dd749a2812b9057285ded1475a75219246fa

SHA256
3b156754e1717c8af7fe4c803bc65611c63e1793e4ca6c2f4092750cc406f8e9

SHA512
2976096580c714fb2eb7d35c9a331d03d86296aa4eb895d83b1d2f812adff28f476a32fca82c429edc8bf4bea9af3f3a305866f5a1ab3bbb4322edb73f9c8888

Download Submit
C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\VPN\InstallUtil.InstallLog

Filesize
93B

MD5
ec692bae7c900f62a8ef2e956df42025

SHA1
1759e7136c4a0cab11c98c6f9893838067419fb7

SHA256
ea87a2495c6af1610c43759daadf7c345919b52b1c2a83cfd02831aecb415aa3

SHA512
8ecd0aa8d694a5211d8a1fbd4f3fbc889f1c030d5a21f08a98e9bd5b61b1b4e69be4ee9135f7862e3d96688353721e5972f6da6fe80119288d270c15c9fc2470

Download Submit
C:\Program Files\ReasonLabs\VPN\Uninstall.exe

Filesize
192KB

MD5
dfbdb770e1978ed8be16217b71d088cd

SHA1
5bfdae715d9c66c4616a6b3d1e45e9661a36f2c0

SHA256
04d18ccd404a7b20e5ae3a17ca9a01be54f82b511e349379677e7e62aa6a68b9

SHA512
7d4801250d8449d3fcbf714351fe86d64201ad22ecbfaa91588046bb1ef88f22912a58689876ac7b1f94e83047920893b488589d14accf4570e5c116c667ef12

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
633B

MD5
db3e60d6fe6416cd77607c8b156de86d

SHA1
47a2051fda09c6df7c393d1a13ee4804c7cf2477

SHA256
d6cafeaaf75a3d2742cd28f8fc7045f2a703823cdc7acb116fa6df68361efccd

SHA512
aec90d563d8f54ac1dbb9e629a63d65f9df91eadc741e78ba22591ca3f47b7a5ff5a105af584d3a644280ff95074a066781e6a86e3eb7b7507a5532801eb52ee

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

Filesize
5.4MB

MD5
f04f4966c7e48c9b31abe276cf69fb0b

SHA1
fa49ba218dd2e3c1b7f2e82996895d968ee5e7ae

SHA256
53996b97e78c61db51ce4cfd7e07e6a2a618c1418c3c0d58fa5e7a0d441b9aaa

SHA512
7c8bb803cc4d71e659e7e142221be2aea421a6ef6907ff6df75ec18a6e086325478f79e67f1adcc9ce9fd96e913e2a306f5285bc8a7b47f24fb324fe07457547

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

Filesize
2.9MB

MD5
2a69f1e892a6be0114dfdc18aaae4462

SHA1
498899ee7240b21da358d9543f5c4df4c58a2c0d

SHA256
b667f411a38e36cebd06d7ef71fdc5a343c181d310e3af26a039f2106d134464

SHA512
021cc359ba4c59ec6b0ca1ea9394cfe4ce5e5ec0ba963171d07cdc281923fb5b026704eeab8453824854d11b758ac635826eccfa5bb1b4c7b079ad88ab38b346

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

Filesize
592KB

MD5
8b314905a6a3aa1927f801fd41622e23

SHA1
0e8f9580d916540bda59e0dceb719b26a8055ab8

SHA256
88dfaf386514c73356a2b92c35e41261cd7fe9aa37f0257bb39701c11ae64c99

SHA512
45450ae3f4a906c509998839704efdec8557933a24e4acaddef5a1e593eaf6f99cbfc2f85fb58ff2669d0c20362bb8345f091a43953e9a8a65ddcf1b5d4a7b8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2282868306fc8ce1605d267cd733b63c

SHA1
26765e7bc05281dafc44e087057924a08ae9a955

SHA256
d328efac7b9c7e4bd1e35a678b07c1ff6528fbf80106cc0bb7534bbbdef2b520

SHA512
f3573eb4e216a778b1395690b4c8cf72f2963d7371d4a713cdb06fbb8373bbdb39b9c713640dceedb8b91809329a875be373a0eff5fff463b3b714f59840b2c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
984fe920b6a51072dcc9baa7dffbfdb6

SHA1
b40fdf30559ac6ea0301492d961449cd3139eaab

SHA256
ffbd984ae66301f4e32b2fe137ea8084719a93981925bf6f182bb232ca6256cb

SHA512
f3ead664161cc6d89fe984e1ffae9d692f3b0c18af73d24af87543dbd89e63d5c668e28f683bb502096dd66481afd5d8a1535e26fdda3e48d8fe3f0367febd13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d4472994b149149eb01e7ca6ceb8c21

SHA1
6d5d27cb76e02a3de51faf8b25a80a62086993fd

SHA256
4389695562b7defb47f394da62934bd6ff95df9182fac1d1ddfe8d7c6f8b88af

SHA512
5c858ea46d2cb71a140d8f5c2bac61c7b6185ccd3d50901aa2fbefc49650125228516da00a3f32debe8d29199c59b20585b6edf8a3fb05575281e360067a89aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
616d3930cbb33cc5662ee9d64132459a

SHA1
1572c05a7124c520a781b6fd7c27e98e36e545ca

SHA256
e69ad16e37c10f7c1d372127e6b5f5c2ed95542da7196d85654b510b2f79244e

SHA512
272b866031cff9fd85f9fb400c1557d2d5ae2998246bee4272bd3859910df4d4d4c958c05f587ad845b3a2854e0d0a01b4f269dce1920215f4d2531a3940d8b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
860791fac291cea14945af1db5f22596

SHA1
05db8fe01e14dbb587d3637d8785c47e1b8640b7

SHA256
4bf0a073b6744ce1528a58fd5cfe139917e008cc19672d713f97b15c5eabd5fb

SHA512
ca9636b0f2f48fd8af565149d46fa10ea50dbbc4a90e91400774bb402ca51b9e5b2a74919c3b00a417cbd983214cc88438f0aa80e6a1f121f2763bf3b9aa102c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a43a03839d2dbedea822b927a920b354

SHA1
eb56713e401c6b066a4a205bddd411ed8e3d36d4

SHA256
a47f28413c53a57ed6c8c698cf9fea5269dfa7e5d10905b5292be242646c673c

SHA512
7538354d4061ea25ec6afbff2ec3c82ae6c66e2fe6f300296db81b829cd9c731dd60b26a2ce25e0a421d6c0b9d2937cb3f77f95046c2240e844aac4c75d43b07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
183B

MD5
2668e2a990e1dc920fed4a33ae37fd3c

SHA1
1db8c770bdd68e4a82c2990e752af3b9f65baf37

SHA256
6b6a1267c1cff095df4241df2c44bcc8cfabd83bf7c2ac591ba29d8ea637d046

SHA512
5b7f1b3d37657e7c3be3eddcc36314f9427848c3ac323b1e16dbfb8b058f69eb5ba39233cb50a7f1e1e718590c6d60e7e287502377d80b35281779f6df8809fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
4ad5f26bd573bf36f05c9c0a559a6cb1

SHA1
8fc737f033ab714371ec39cad025d305a6750d20

SHA256
d93e9f5698d3d8ce96bc402ac7476cadef78426ba3b310c86267032d2b8d69bd

SHA512
fc7845c8bf202a688edef1c405090a1a569a87fa4f564a565e786cb3eb105b7c0ad8ed57adf15d1352138953eac93576c7e95d4fb7a75b15ad21b17aa6d2d8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d79e50157d942189d7e7c6c4b47b079

SHA1
ee6395fb8e0ac5110f21cf62c76d46ac3e1ee1e9

SHA256
39152413249c7198cad1dedb4193f7fafbf06c7bedb6af863e6579e0322de766

SHA512
c6632b6db101d5ee219dd4f91b747023a8cd500673d0c540cc1515a2fe81214b0c82b0d952f2aa863fb789be130d743cd4ea0a8e7f789475b980b126fb23d944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b19717d2ffd26185eee1e8d5dc70c3c4

SHA1
94a94d6b8a78929b6ac9fa76f9bcdfc179b296d8

SHA256
41fff46f76ce54497db9dad552fcd86b0276c6238193dc5fbf6c675a0d3033fe

SHA512
54a8c5bb27ae53832166f85c6d6d0c6e8033d94ab0c07ae3041b852575310a0756a4140eb0f08e167d245e7e9ad863ac32d6dcf3d9b686c289dc1148cb80f289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
998ddcc744622a1c7c6b53e3087caa5b

SHA1
2ceb9a2a797185f0e89f60f0f4562eaa0b6645c9

SHA256
c24c55d9663fc2a5a46415c224a07158d8da3bd68513d492cbf1c61983a1234e

SHA512
bfb3b5e219f2eba8decc8fe673492593387c73f14c89ab278eba3bb991352c698901f8cbc93399b8e08ac509b590b5e693987d4760353a084f2a4f693589f427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
fa6483f4d8b8e7932dd958032439e1ff

SHA1
087a73832142a138c31459741fbfb15409048ba2

SHA256
ab3bb449edce5f4f70bbfd66d7105eed238e0bc11429841ffd4209c33a13a167

SHA512
288bc6f1a48ef8d463e5165b84c91ec5a2f9440a762378e7ef13202605faa771df36d2f745fca3379084ed513834d5791a5a15b2ec8cc174bb1db06171f03408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5744406412ab55dc1ec0dbc3e380878c

SHA1
2d3802620b63c2feb3bcd11c6d0aa2ef188be77c

SHA256
e6bf115f02eb6f5c12b37dc5d674a2bd0cea1202203ba58b1e18db5a2a47ad08

SHA512
3061e67af25bad5eb9af6008931e0f10c11346c8b24b4b364af08b83ae88ad09975400e557a120ca310f40de9fecb2d088dd37b788cd6c9db48c140a790b76f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1ea829e2c80aaa99d8ea69924050f4f1

SHA1
7ff234bf3f37cbf8f8dbc64c779ff500e4506b42

SHA256
6297a2260f213f68bab66418e7c1ce69e46b190ac9ded076aff2ece22dff7136

SHA512
6190d6592507bd991bcc83307c8dff3a3ff3c578bdc582fc5befa3ca169cf2d1a04818bb67dc4542b119ec71dc1610c1b113c7d4e343def28ffdd316a73c2f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3cc2ac11c758c36bb96688ce98290ba

SHA1
f2ff27e9eb0f999ff37e76d92a12750f882ee821

SHA256
608269fa812a67926439050a68b908de61b5f8d04868b496965227b703bc060f

SHA512
2315551dcfd9ed8d0975f96a23191c6ca0efd84a0653ded15a8caea6fcd4ccc2f7a38618046cab3df15cadac4081ef21689d9b8d72d7607897b590af5287d856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
65ef28de287ef1df2ac7ff5ef76e510b

SHA1
ae63fc6d937efacc8ed41a4186e2c18ad749d796

SHA256
53999db8d1b263ec2d2a248bae52f916a7757a9a932bb438603d930a14a2a751

SHA512
2a68111928be3473c0534efea918e423578dcfa010c1bc776ce6bdf2ae9f6698d6b77996257f5e5ddc3d8e586068f5eb50eaf72e6f88b2660e55470eb2dee4f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a2b6e011861bc64fb5bbe3ae97b57169439e7375\544b9861-d0eb-4326-98bd-6294c3016c51\index-dir\the-real-index

Filesize
72B

MD5
6e7171fdc4827f27d0f4f10acef947d1

SHA1
0279bd48de3553d17be0b8723fe5c10eca622b6f

SHA256
bf0edfc094a4dd73618b5578bce4f98e4713fb4fbf37d405420258cde4f9343a

SHA512
7b0f399f860e370e5d5520561dcbd6cc9de09ac814a843c311646ecac5d37635e8e8d75a90ba350c590bfcb15a91db605a5c4ce59930151aa368904793314d88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a2b6e011861bc64fb5bbe3ae97b57169439e7375\index.txt

Filesize
84B

MD5
8c38b95f254837d7e95dd45eb36cbe13

SHA1
d3689510c8793d56ddc030939aa8e0881e1582b3

SHA256
742c5fb1f0ac88283615b1ebc595aef03e2b1f5d2ae697427ebcdf70c67411e5

SHA512
9a4713bcef39db3144a3765a1b632eb9757e235afbca43e581dba4c458d7c595d52fef92f814fe39f8ecba9aecf436ce33d6281e7a4d5eedcc5b4d0bc73d6fe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
fa768a5169645b017ad5534fbbfbd7d4

SHA1
789f4d7130bc4aa68257bc58412a3a7ec5867601

SHA256
34c4ab7517087b8659ed9a7c4d6ceb3c6a2a2882b97470721536b0231c2cc6c2

SHA512
49b97bfb1efe87ed25f04931cdbcd79b124abc22eaf5fd73a30b06397cc28d8e5ad2b751812e6dcfed34a2b0eeb0eb5650fae9d7adbde7944727555529830ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
014f4bc604229461f8f02ef442c159a9

SHA1
8f2e470802c1e18aa8fd6ad80f50616af8565af5

SHA256
46589ddde71675614f14aea81fd6d73d859b84c8046948b1099f5f54a9d5cac2

SHA512
9736f9966d127a306d57a264c2a7bd19fda864bbf5038416d462f611777443819b117583cc1d26397e4e8b8837368d65d63907fef57e1aa195ba9fcdaf7785ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5952aa.TMP

Filesize
538B

MD5
b2aa96a661937ab3854dce2b52bf3e69

SHA1
8814bf9504bf615b12fbb0b91e4888e17bf32b5f

SHA256
650ada1b6293ec9609eef3c700592221ba02db67f1c8c28e0a6efa7ceca3d2be

SHA512
791f1173ab57c081caa91ecd3f8c951213ee47ed8c8a19900a78826b5b85e88ca871b5955cf89697deb79e441119d6e5a6ecb3136ccf77f79c76a214000bcfb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2f13313483ca87b8f5e7f735c4ca0ea0

SHA1
d4a1869b1bcbf0d37a1570da09c85797c463a76d

SHA256
550af5a3a1f22d662bf26f6541868b712c82afb5109ae9a92cdb0a157c78f43d

SHA512
c8d3761bb33ef62c02ec41d9b17956a5c99129bc3e1d5bf02c31de5f354dcbe19a27d5f6fbdb8cdb77e210fb305e4cd1d9b3b7e39da97942226b88b0d9041ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
97633ae0e937b86a066d619599fcd65a

SHA1
09311baf174365e9c4738f59e2033ee9cebf2543

SHA256
6eec7a66acb96f174a8d0daa08cebe52c9a22c2222929dab1ce7306df375aec2

SHA512
8f584f30f3bcab73c138e8cd1b2012783103df9bfe010fff0ba8a9596a576b81b1f1b3b8288769fcd88a367c3bb6c019fab4b9d5bbae18845ffb93b14d618cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
392e45770e814ddc045f432d5c0f9ffa

SHA1
32e0c4f48b722251ca96d455df6b0b09d143c7b1

SHA256
8513d1fa266e900c120ddea33d5eb397be831ee5bfc3b5290bb3f3825afae6d2

SHA512
4de8768321556fc13a5712f87fe5fc0dc946c658900a03003e4d514a11a11f600ee79e2702ad2ca4d5f5d9380a25a26074db4ad3435fb69920cfd3947ccb2bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
850c15ba3eda3d7b901642067b95cb20

SHA1
60962811df7fdfbb2de30d2775b1d9134d10832c

SHA256
a5160f2b5cd37ddf3afe28b48f01d2a115bd3d2834c07d78bc0dce8a8fbd543a

SHA512
1f317be6919d4c8e08bf335fbc9aa75b0d626f3c0f06abc9e13d88556a733312fdd368bbd30e91934407b06086c98c5bd727c8ab10a3cb514d2d7daca1b0927c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\4c4bd7b2-fdca-4d76-a9cc-72cb4753f650\UnifiedStub-installer.exe\assembly\dl3\2ed1ac12\8bb499bf_730ddb01\rsServiceController.DLL

Filesize
173KB

MD5
068958f78fab4b76e5196051df3af162

SHA1
6f7489e40d3c48b922511622238fdb8383560ac3

SHA256
c3009c36e9353ee749a69b1569efc81b91dc1e7af403c8742787a412a7429aa8

SHA512
8a7daf88049912f00434b0cc239bad4b07682532d96a9f3e30e2f1cdb33e0441e2e7742ab727854f7b9372d4168ebd24af5350b0ee36247719c026e018975e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\4c4bd7b2-fdca-4d76-a9cc-72cb4753f650\UnifiedStub-installer.exe\assembly\dl3\c742c59d\8bb499bf_730ddb01\rsLogger.DLL

Filesize
178KB

MD5
2f2164b351afc5d08420257cd32b9c4e

SHA1
1ea3c935c7c72a94f863e7dbe7dacccd39980970

SHA256
ec54e4f32f3ea10486839080cffb4c13aecf12b278622bf048f5b5fa64c98437

SHA512
949179ceef6995b3c9692110b22cf07fb7f187adbb22a78b15d239b93fc12c461ca1008c3cbc87c62fd68e1482a10710fea40679b3e82a11ca5fdec6df6174fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\4c4bd7b2-fdca-4d76-a9cc-72cb4753f650\UnifiedStub-installer.exe\assembly\dl3\cf09fb3f\8bb499bf_730ddb01\rsJSON.DLL

Filesize
216KB

MD5
7dd406fa2b496d691f866eddc790d6cc

SHA1
692422b46102af2ab31f7902a970c912a2ba000d

SHA256
bd7b33b101f222846b09f057bc54bc586ed5da63fe189e9ab19bcc43ecf85956

SHA512
c8ac9e9491f6695de1d9c3fee1ddbdd0261b8e32928bc228858021851fed501cb6b12adc5dc282e703a1e8efdf372073c1794f202943149e7320831846708979

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\Microsoft.Win32.TaskScheduler.dll

Filesize
340KB

MD5
e6a31390a180646d510dbba52c5023e6

SHA1
2ac7bac9afda5de2194ca71ee4850c81d1dabeca

SHA256
cccc64ba9bbe3897c32f586b898f60ad0495b03a16ee3246478ee35e7f1063ec

SHA512
9fd39169769b70a6befc6056d34740629fcf680c9ba2b7d52090735703d9599455c033394f233178ba352199015a384989acf1a48e6a5b765b4b33c5f2971d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\Newtonsoft.Json.dll

Filesize
701KB

MD5
4f0f111120d0d8d4431974f70a1fdfe1

SHA1
b81833ac06afc6b76fb73c0857882f5f6d2a4326

SHA256
d043e6cde1f4d8396978cee2d41658b307be0ca4698c92333814505aa0ccab9a

SHA512
e123d2f9f707eb31741ef8615235e714a20c6d754a13a97d0414c46961c3676025633eb1f65881b2d6d808ec06a70459c860411d6dd300231847b01ed0ce9750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\UnifiedStub-installer.exe

Filesize
1.0MB

MD5
493d5868e37861c6492f3ac509bed205

SHA1
1050a57cf1d2a375e78cc8da517439b57a408f09

SHA256
dc5bc92e51f06e9c66e3933d98dc8f8d217bc74b71f93d900e4d42b1fb5cc64f

SHA512
e7e37075a1c389e0cad24ce2c899e89c4970e52b3f465d372a7bc171587ed1ee7d4f0a6ba44ab40b18fdf0689f4e29dfdbccbabb07e0f004ef2f894cb20d995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\c44faab6-8f7f-480c-98f3-dbdc33432c21\UnifiedStub-installer.exe\assembly\dl3\9a696a39\f6748dc8_730ddb01\rsServiceController.DLL

Filesize
173KB

MD5
860ced15986dbdc0a45faf99543b32f8

SHA1
060f41386085062592aed9c856278096180208de

SHA256
6113bd5364af85fd4251e6fa416a190a7636ac300618af74876200f21249e58a

SHA512
d84a94673a8aa84f35efb1242e20775f6e099f860a8f1fe53ba8d3aebffd842499c7ac4d0088a4cded14bd45dad8534d824c5282668ca4a151ac28617334a823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\c44faab6-8f7f-480c-98f3-dbdc33432c21\UnifiedStub-installer.exe\assembly\dl3\a7bdc866\f22e8fd7_7ce2da01\__AssemblyInfo__.ini

Filesize
176B

MD5
0e19f1034cdca9a2bd846f53f82a6f5e

SHA1
8b3da7b9f0fed83d0a466bdf23fa7fc64159d78e

SHA256
4d423d7d2f0b4a42f74cd559af18b9c8385e87d867111189c9e4a5d966885f28

SHA512
7f25d2d0d79eb38883d1a4f84e6e7bd0ecfa2d8a6098face418321bd96d1d779f537796f00a94851c804f742d9b289e6a2ec4e46bb060a3589ef7350ad79d412

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\ce76be39-7d11-4cb6-a20a-69b2913edf4d\UnifiedStub-installer.exe\assembly\dl3\64159adb\295d50b1_730ddb01\rsServiceController.DLL

Filesize
183KB

MD5
4f7ae47df297d7516157cb5ad40db383

SHA1
c95ad80d0ee6d162b6ab8926e3ac73ac5bd859a3

SHA256
e916df4415ae33f57455e3ea4166fbb8fbe99eeb93a3b9dcab9fe1def45e56ed

SHA512
4398652b53b8d8c8bac584f83d5869985d32fa123f0e976ef92f789b1f7116572a15d0bb02be3fbc80ed326cfb18eea80fec03ee20ed261e95daa4e91e61c65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\ce76be39-7d11-4cb6-a20a-69b2913edf4d\UnifiedStub-installer.exe\assembly\dl3\943e1814\295d50b1_730ddb01\rsJSON.DLL

Filesize
221KB

MD5
e3a81be145cb1dc99bb1c1d6231359e8

SHA1
e58f83a32fe4b524694d54c5e9ace358da9c0301

SHA256
ee938d09bf75fc3c77529ccd73f750f513a75431f5c764eca39fdbbc52312437

SHA512
349802735355aac566a1b0c6c779d6e29dfd1dc0123c375a87e44153ff353c3bfc272e37277c990d0b7e24502d999804e5929ddc596b86e209e6965ffb52f33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\ce76be39-7d11-4cb6-a20a-69b2913edf4d\UnifiedStub-installer.exe\assembly\dl3\a8a0c57e\6b3649b1_730ddb01\rsAtom.DLL

Filesize
171KB

MD5
de22fe744074c51cf3cf1128fcd349cb

SHA1
f74ecb333920e8f2785e9686e1a7cce0110ab206

SHA256
469f983f68db369448aa6f81fd998e3bf19af8bec023564c2012b1fcc5c40e4b

SHA512
5d3671dab9d6d1f40a9f8d27aeea0a45563898055532f6e1b558100bed182c69e09f1dfd76574cb4ed36d7d3bb6786eff891d54245d3fab4f2ade3fe8f540e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\ce76be39-7d11-4cb6-a20a-69b2913edf4d\UnifiedStub-installer.exe\assembly\dl3\ef58cf7a\295d50b1_730ddb01\rsLogger.DLL

Filesize
183KB

MD5
54ff6dfafb1ee7d42f013834312eae41

SHA1
7f30c2ffb6c84725d90ce49ca07eb4e246f2b27b

SHA256
ef5ce90acf6eb5196b6ba4a24db00d17c83b4fbd4adfa1498b4df8ed3bf0bd0c

SHA512
271f1203ee1bacac805ab1ffa837cad3582c120cc2a1538610364d14ffb4704c7653f88a9f1cccf8d89a981caa90a866f9b95fb12ed9984a56310894e7aae2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\rsAtom.dll

Filesize
169KB

MD5
dc15f01282dc0c87b1525f8792eaf34e

SHA1
ad4fdf68a8cffedde6e81954473dcd4293553a94

SHA256
cc036bcf74911fe5afb8e9fcc0d52b3f08b4961bcda4e50851eda4159b1c9998

SHA512
54ee7b7a638d0defcff3a80f0c87705647b722d3d177bc11e80bfe6062a41f138ef99fc8e4c42337b61c0407469ef684b704f710b8ead92b83a14f609f0bc078

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\rsLogger.dll

Filesize
182KB

MD5
1cfc3fc56fe40842094c7506b165573a

SHA1
023b3b389fdfa7a9557623b2742f0f40e4784a5c

SHA256
187da6a5ab64c9b814ab8e1775554688ad3842c3f52f5f318291b9a37d846aa2

SHA512
6bd1ceaf12950d047a87fd2d9c1884c7ac6e45bd94f11be8df8144ddd3f71db096469d1c775cf1cb8bc7926f922e5a6676b759707053e2332aa66f86c951fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\rsStubLib.dll

Filesize
271KB

MD5
3bcbeaab001f5d111d1db20039238753

SHA1
4a9c0048bbbf04aa9fe3dfb9ce3b959da5d960f8

SHA256
897131dd2f9d1e08d66ae407fe25618c8affb99b6da54378521bf4403421b01a

SHA512
de6cde3ad47e6f3982e089700f6184e147a61926f33ead4e2ff5b00926cfc55eb28be6f63eea53f7d15f555fd820453dd3211f0ba766cb3e939c14bb5e0cfc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\rsSyncSvc.exe

Filesize
798KB

MD5
f2738d0a3df39a5590c243025d9ecbda

SHA1
2c466f5307909fcb3e62106d99824898c33c7089

SHA256
6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21

SHA512
4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS802F2C1A\uninstall-epp.exe

Filesize
319KB

MD5
79638251b5204aa3929b8d379fa296bb

SHA1
9348e842ba18570d919f62fe0ed595ee7df3a975

SHA256
5bedfd5630ddcd6ab6cc6b2a4904224a3cb4f4d4ff0a59985e34eea5cd8cf79d

SHA512
ab234d5815b48555ddebc772fae5fa78a64a50053bdf08cc3db21c5f7d0e3154e0726dacfc3ea793a28765aea50c7a73011f880363cbc8d39a1c62e5ed20c5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{E8F5B1D4-A172-4DB5-8029-5E4C5A8C7A2D}\ADDRESSES.TMP.FILETEST

Filesize
28B

MD5
b6d520474c5e852738d57bd6249b22b6

SHA1
c0511c70f85357ae6011b46a55ab51d15d114502

SHA256
029e56ad5c2da0b8f305c3c2ad73204822e5f64e1aaea803bfd3fbc57bd47e91

SHA512
b2807d55711acf86adc2b347f5edca567e84c9be2c2da48d68788b8cb30a991584d9a626b2af40a72c632625b05c62a8647e0edc119717b85b63d2224f5e41da

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-211IO.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4J4U7.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
349c57b17c961abbe59730d3cc5614b2

SHA1
32278b8621491e587a08f0764501b8b8314fd94c

SHA256
de28f1f10d5136dc5b30ccb73750559cca91720533717e9398ee45a44c75481b

SHA512
54d54d8b682c8cf9b06452a493e96307bfd9b8193f21e8eb5e89ad4420e1f6e066cf8bdeb70444ebcf2297520a4716ae1910124f21cab98e012f0fd19783c1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\CheatEngine75.exe

Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\logo.png

Filesize
246KB

MD5
f3d1b8cd125a67bafe54b8f31dda1ccd

SHA1
1c6b6bf1e785ad80fc7e9131a1d7acbba88e8303

SHA256
21dfa1ff331794fcb921695134a3ba1174d03ee7f1e3d69f4b1a3581fccd2cdf

SHA512
c57d36daa20b1827b2f8f9f98c9fd4696579de0de43f9bbeef63a544561a5f50648cc69220d9e8049164df97cb4b2176963089e14d58a6369d490d8c04354401

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\prod0.exe

Filesize
32KB

MD5
aab5153488e10c829b197665002585f3

SHA1
30375941512ca63816c2b5b6f12d45528f47fd59

SHA256
4856188186f02af5bec77065ccdb7684c19ff91af51d01e039576ad21824593e

SHA512
49cdecd61ed25289a5f36c7a7dd6ae7fc0492f0c520d42f7e58bbd9120c92da3049833cc8e6add70d17d606902b708eac8c6070f3f69b8b2373eaadf0f820f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-828RL.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A1LK0.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yz2dadiu.exe

Filesize
2.4MB

MD5
d51f496505b91a28b2916626cd03529e

SHA1
710a635eb4953ae3d7b968c7b29b1b8296713728

SHA256
468f779790a38e61d70db9a4b422917101df847e120d8b1308d1528a89cbf201

SHA512
bd9f3588989a8f3b7490434befdfdc041c23b55dc88981f084b4a030eb9271344612845d7cf704b3f17fe1bfa65b433099880cd4f4ea59b602791381fd03e41f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\47a79f6c-6ab4-477a-9285-10366084199b.tmp

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\814b620b-ac18-4c15-81b2-c6cf5bdbe58f.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\Network Persistent State

Filesize
300B

MD5
a5dd7b4dfa181fd8b3b4811b0b62c278

SHA1
14c819d31b2eda57e741b588cd38d333a02e569a

SHA256
95a734f886de9dc892e675a18b1d270cfa1d6a9b61b4ea91d32a0b1395e9c4db

SHA512
e35613191e8822c8c0d150c3eea9d755e0420de33a9d663f72cac033e2435f7677b03d225f48c8c7d6e1d3191bd97c1671aff3960ff9c646361e9bd678655998

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Partitions\plan-picker_5.40.1\Network\Network Persistent State

Filesize
300B

MD5
1d5572f840427280279cc54e6d36f6ef

SHA1
1a91f0ef168019dcdea9241353b61efd6db932ac

SHA256
f19fff9c0a355c820d4e07d2527941658f76b28412bc61300e2e7060c9e2afa6

SHA512
39e3b96bbc6af7cb7dbcc0c08751d109c1ceb03d506d75630cc21fca77686349e81685f033f72b97a3533ea37b2e3c4198d306d062bdcbd4cbc8f41442cec5d1

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Network\Network Persistent State

Filesize
500B

MD5
eb717f61b002d83284b73e50355ca6d7

SHA1
88741b96aea0b30ac48259ee78d678d2ff45873b

SHA256
525ee4e9ff60e1d6f1ee76ca5c3771e5679b746d8c3a44847ecc5c2e236fa524

SHA512
71c5d104368674c347b8182ddb88fa1086dde288a327ef987c61b7be037a4a6b603c6390759768b2912c59a926a7d3c45bda1f011113e27bd553c669b3d2260e

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.18.0\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.18.0\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.18.0\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.18.0\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.18.0\Network\Network Persistent State

Filesize
500B

MD5
2d177bb919a7c75bde6f21bdf715842a

SHA1
cef3ccf7fa1337c3782c2b8aa9cc50973ca5af84

SHA256
37cadd1229d5492d489941831220e8d33cf0d7f45a6622887bd5f14d9d697ce2

SHA512
48d7aad9ce1ba1bd393e51b894c7b9215257080c0d1d6834ef0965336e991199809376b95b1887da0bdf970ad80ee2aff964bf2b59a9365a228858cbcdc708e1

Download Submit
C:\Users\Admin\Downloads\CheatEngine75.exe

Filesize
28.6MB

MD5
e703b8ac5b3601deebbf05843c9a4e97

SHA1
ab154e32099776e432b4d2c31366985f27950cf1

SHA256
fe6c0d8f90c9c74f2986fe169342e0a5319a3b1ffcf711b513f33db7e28e863a

SHA512
8280af1c2455b37c13de60f1d4a4ab26fe7d03bed7f874b074afb4ae365f2380aa71525e7e649e924347c38efd601dd3a6b7924f56aa6c09932f24b5c2f03c65

Download Submit
C:\Users\Admin\Downloads\game.CT

Filesize
1KB

MD5
cc5fa300379c654006857f0937fd0c81

SHA1
a63de386771df6e5dfa63d9e9e41eaf0b5dc7c6c

SHA256
6cf5c53f885f8a207de6e90628b239042ecf9510caca4b1acad383bc3f1495e5

SHA512
1e2973de1a1a9323f430af04d01156b80d0fe5d0f870b90fa40a4dcd6f076ab6c13565065bd0cbe2804175710f15559ccc9f7c64f2d64f7b6d364c0c234d5f95

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0E663C78920A8217B4CBE3D45E3E6236_75C1BD04B8F3DBF3882A89F51074A729

Filesize
2KB

MD5
9d7d38757f59544e5f644dceefa42a2f

SHA1
a6e3e66789f8cde7c49212eff1b7d614e5fa771c

SHA256
6a46b95fabe140888909f4f6ed908c094146f61f48a619d643ae60f14c5f2075

SHA512
41916b14b1c4f337d75b396158009f67e072a2fd17f4d42cc5a89200b744b68e60f3ab92176e3eea2f11ab96cd813ef96a795a3cfef88aa03f95b94ec9deb702

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD96F9183ADE69B6DF458457F594566C_48BDF541C9BF1B2BAD41358CD874DC4B

Filesize
2KB

MD5
e13ecfcd5bb2a87986cfde28332a16bb

SHA1
caecdce283f141ad14e61aa10f41d69fb7d2946e

SHA256
60b03b9fa3887169ce961961288950c7f54ac7845aab706e0c7190bd9dd21ab5

SHA512
05e7bc456ebe622ab38fde66c8a9521a1a7b70999e0d44f2818325c3301e58d3d63ce0b77e0bdc73a8a7086112d2da8893c4318183ff28a3e06a378b8ef2e8a7

Download Submit
memory/1012-634-0x0000017C254B0000-0x0000017C259D8000-memory.dmp

Filesize
5.2MB

Download
memory/1012-633-0x0000017C0ABD0000-0x0000017C0ABD8000-memory.dmp

Filesize
32KB

Download
memory/2200-521-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2200-572-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2612-1941-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1913-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1937-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1943-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1907-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1903-0x000001CA301E0000-0x000001CA30238000-memory.dmp

Filesize
352KB

Download
memory/2612-1911-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1929-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1915-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1917-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1919-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1921-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1923-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1925-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1927-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1931-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1933-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1935-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1939-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-5739-0x000001CA2F5E0000-0x000001CA2F60E000-memory.dmp

Filesize
184KB

Download
memory/2612-1905-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1904-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1909-0x000001CA301E0000-0x000001CA30235000-memory.dmp

Filesize
340KB

Download
memory/2612-1869-0x000001CA2FFF0000-0x000001CA30040000-memory.dmp

Filesize
320KB

Download
memory/2612-3582-0x000001CA30240000-0x000001CA3027A000-memory.dmp

Filesize
232KB

Download
memory/2612-4382-0x000001CA2F340000-0x000001CA2F38E000-memory.dmp

Filesize
312KB

Download
memory/2612-5721-0x000001CA2F420000-0x000001CA2F458000-memory.dmp

Filesize
224KB

Download
memory/2612-3614-0x000001CA302F0000-0x000001CA30320000-memory.dmp

Filesize
192KB

Download
memory/2612-800-0x000001CA2FE00000-0x000001CA2FE58000-memory.dmp

Filesize
352KB

Download
memory/2612-795-0x000001CA171E0000-0x000001CA1720E000-memory.dmp

Filesize
184KB

Download
memory/2612-780-0x000001CA171B0000-0x000001CA171D2000-memory.dmp

Filesize
136KB

Download
memory/2612-779-0x000001CA17250000-0x000001CA17302000-memory.dmp

Filesize
712KB

Download
memory/2612-777-0x000001CA17150000-0x000001CA17180000-memory.dmp

Filesize
192KB

Download
memory/2612-773-0x000001CA15330000-0x000001CA1543C000-memory.dmp

Filesize
1.0MB

Download
memory/2612-775-0x000001CA170F0000-0x000001CA17136000-memory.dmp

Filesize
280KB

Download
memory/2612-3593-0x000001CA30140000-0x000001CA30170000-memory.dmp

Filesize
192KB

Download
memory/2612-5728-0x000001CA2F420000-0x000001CA2F450000-memory.dmp

Filesize
192KB

Download
memory/2612-5735-0x000001CA2F4D0000-0x000001CA2F4FA000-memory.dmp

Filesize
168KB

Download
memory/2612-3603-0x000001CA30140000-0x000001CA3016E000-memory.dmp

Filesize
184KB

Download
memory/3836-604-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3836-578-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4288-1418-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4300-648-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4300-1497-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4300-592-0x0000000003670000-0x00000000037B0000-memory.dmp

Filesize
1.2MB

Download
memory/4300-577-0x0000000003670000-0x00000000037B0000-memory.dmp

Filesize
1.2MB

Download
memory/4300-579-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4300-571-0x0000000003670000-0x00000000037B0000-memory.dmp

Filesize
1.2MB

Download
memory/4300-607-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4300-1424-0x0000000003670000-0x00000000037B0000-memory.dmp

Filesize
1.2MB

Download
memory/4892-639-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4892-1419-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5052-605-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5052-573-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5052-523-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5860-4014-0x00000147AFEC0000-0x00000147AFEE6000-memory.dmp

Filesize
152KB

Download
memory/5860-4017-0x00000147CA680000-0x00000147CA704000-memory.dmp

Filesize
528KB

Download
memory/5860-4016-0x00000147CA5C0000-0x00000147CA5E8000-memory.dmp

Filesize
160KB

Download
memory/5860-4015-0x00000147CA330000-0x00000147CA35C000-memory.dmp

Filesize
176KB

Download
memory/5952-3680-0x0000023626E20000-0x0000023626E7A000-memory.dmp

Filesize
360KB

Download
memory/5952-3679-0x00000236251E0000-0x000002362522A000-memory.dmp

Filesize
296KB

Download
memory/5952-3706-0x000002363FBC0000-0x000002363FE18000-memory.dmp

Filesize
2.3MB

Download
memory/5952-3692-0x000002363F820000-0x000002363F864000-memory.dmp

Filesize
272KB

Download
memory/5952-3682-0x00000236251E0000-0x000002362522A000-memory.dmp

Filesize
296KB

Download
memory/5952-3681-0x0000023626DE0000-0x0000023626E08000-memory.dmp

Filesize
160KB

Download
memory/6564-3674-0x000002066B980000-0x000002066BCE6000-memory.dmp

Filesize
3.4MB

Download
memory/6564-3676-0x000002066B630000-0x000002066B64A000-memory.dmp

Filesize
104KB

Download
memory/6564-3675-0x000002066BCF0000-0x000002066BE6C000-memory.dmp

Filesize
1.5MB

Download
memory/6564-3677-0x000002066B680000-0x000002066B6A2000-memory.dmp

Filesize
136KB

Download
memory/7000-3639-0x0000022F10EB0000-0x0000022F10EDE000-memory.dmp

Filesize
184KB

Download
memory/7000-3653-0x0000022F12A80000-0x0000022F12A92000-memory.dmp

Filesize
72KB

Download
memory/7000-3640-0x0000022F10EB0000-0x0000022F10EDE000-memory.dmp

Filesize
184KB

Download
memory/7000-3654-0x0000022F12B20000-0x0000022F12B5C000-memory.dmp

Filesize
240KB

Download
memory/7656-3837-0x000002251DD40000-0x000002251DF00000-memory.dmp

Filesize
1.8MB

Download
memory/7656-3840-0x00000225035B0000-0x00000225035DA000-memory.dmp

Filesize
168KB

Download
memory/7656-3835-0x00000225035B0000-0x00000225035DA000-memory.dmp

Filesize
168KB

Download
memory/7952-3940-0x000002547B200000-0x000002547B208000-memory.dmp

Filesize
32KB

Download
memory/7952-3929-0x000002547A020000-0x000002547A028000-memory.dmp

Filesize
32KB

Download
memory/7952-3871-0x0000025478550000-0x000002547857E000-memory.dmp

Filesize
184KB

Download
memory/7952-3909-0x0000025478990000-0x0000025478A42000-memory.dmp

Filesize
712KB

Download
memory/7952-3923-0x0000025478E80000-0x0000025479170000-memory.dmp

Filesize
2.9MB

Download
memory/7952-3925-0x0000025478D90000-0x0000025478DEE000-memory.dmp

Filesize
376KB

Download
memory/7952-3927-0x0000025479170000-0x0000025479186000-memory.dmp

Filesize
88KB

Download
memory/7952-3928-0x0000025478E10000-0x0000025478E1A000-memory.dmp

Filesize
40KB

Download
memory/7952-3930-0x000002547A030000-0x000002547A03A000-memory.dmp

Filesize
40KB

Download
memory/7984-3918-0x0000021379970000-0x0000021379A22000-memory.dmp

Filesize
712KB

Download
memory/7984-3838-0x0000021378E10000-0x0000021378E34000-memory.dmp

Filesize
144KB

Download
memory/7984-4019-0x000002137C1D0000-0x000002137C1F4000-memory.dmp

Filesize
144KB

Download
memory/7984-3926-0x000002137B560000-0x000002137BB04000-memory.dmp

Filesize
5.6MB

Download
memory/7984-4018-0x0000021379B20000-0x0000021379B28000-memory.dmp

Filesize
32KB

Download
memory/7984-3924-0x0000021379A30000-0x0000021379A96000-memory.dmp

Filesize
408KB

Download
memory/7984-3933-0x000002137B230000-0x000002137B4B0000-memory.dmp

Filesize
2.5MB

Download
memory/7984-3922-0x00000213791C0000-0x00000213791EA000-memory.dmp

Filesize
168KB

Download
memory/7984-3919-0x00000213798B0000-0x00000213798E4000-memory.dmp

Filesize
208KB

Download
memory/7984-3937-0x0000021379F40000-0x0000021379F68000-memory.dmp

Filesize
160KB

Download
memory/7984-3915-0x0000021378E40000-0x0000021378E66000-memory.dmp

Filesize
152KB

Download
memory/7984-3914-0x0000021379200000-0x000002137923A000-memory.dmp

Filesize
232KB

Download
memory/7984-3934-0x0000021379930000-0x0000021379962000-memory.dmp

Filesize
200KB

Download
memory/7984-3901-0x0000021379150000-0x00000213791B6000-memory.dmp

Filesize
408KB

Download
memory/7984-3900-0x0000021379B40000-0x0000021379DC6000-memory.dmp

Filesize
2.5MB

Download
memory/7984-3935-0x00000213798F0000-0x00000213798F8000-memory.dmp

Filesize
32KB

Download
memory/7984-3870-0x0000021379020000-0x000002137906F000-memory.dmp

Filesize
316KB

Download
memory/7984-3869-0x0000021379540000-0x00000213798A9000-memory.dmp

Filesize
3.4MB

Download
memory/7984-3868-0x0000021379080000-0x00000213790DE000-memory.dmp

Filesize
376KB

Download
memory/7984-3867-0x0000021377DF0000-0x0000021377E20000-memory.dmp

Filesize
192KB

Download
memory/7984-3853-0x0000021379290000-0x0000021379538000-memory.dmp

Filesize
2.7MB

Download
memory/7984-3936-0x0000021379F10000-0x0000021379F36000-memory.dmp

Filesize
152KB

Download
memory/7984-3839-0x0000021378E70000-0x0000021378E96000-memory.dmp

Filesize
152KB

Download
memory/7984-3932-0x0000021379AA0000-0x0000021379AE2000-memory.dmp

Filesize
264KB

Download
memory/7984-4012-0x000002137BD60000-0x000002137BD88000-memory.dmp

Filesize
160KB

Download
memory/7984-3836-0x0000021378A70000-0x0000021378A98000-memory.dmp

Filesize
160KB

Download
memory/7984-3833-0x0000021378870000-0x000002137889E000-memory.dmp

Filesize
184KB

Download
memory/7984-4006-0x000002137BD30000-0x000002137BD58000-memory.dmp

Filesize
160KB

Download
memory/7984-3714-0x0000021378A30000-0x0000021378A62000-memory.dmp

Filesize
200KB

Download
memory/7984-3713-0x0000021378F30000-0x0000021378FA8000-memory.dmp

Filesize
480KB

Download
memory/7984-3712-0x0000021377F00000-0x0000021377F2A000-memory.dmp

Filesize
168KB

Download
memory/7984-3711-0x0000021378EA0000-0x0000021378F28000-memory.dmp

Filesize
544KB

Download
memory/7984-3710-0x0000021378830000-0x0000021378868000-memory.dmp

Filesize
224KB

Download
memory/7984-4004-0x000002137CAE0000-0x000002137CB34000-memory.dmp

Filesize
336KB

Download
memory/7984-3998-0x000002137BFD0000-0x000002137C0D0000-memory.dmp

Filesize
1024KB

Download
memory/7984-3988-0x000002137BCD0000-0x000002137BCFA000-memory.dmp

Filesize
168KB

Download
memory/7984-3978-0x000002137BE50000-0x000002137BFC6000-memory.dmp

Filesize
1.5MB

Download
memory/7984-3972-0x000002137B520000-0x000002137B54C000-memory.dmp

Filesize
176KB

Download
memory/7984-3962-0x000002137BC10000-0x000002137BC44000-memory.dmp

Filesize
208KB

Download
memory/7984-3958-0x000002137B190000-0x000002137B1BA000-memory.dmp

Filesize
168KB

Download
memory/7984-3951-0x000002137BC70000-0x000002137BCC4000-memory.dmp

Filesize
336KB

Download
memory/7984-3944-0x000002137BB90000-0x000002137BC06000-memory.dmp

Filesize
472KB

Download
memory/7984-3943-0x000002137BB10000-0x000002137BB90000-memory.dmp

Filesize
512KB

Download
memory/7984-3942-0x000002137B4B0000-0x000002137B518000-memory.dmp

Filesize
416KB

Download
memory/7984-3941-0x000002137B160000-0x000002137B18C000-memory.dmp

Filesize
176KB

Download
memory/7984-3939-0x000002137B120000-0x000002137B152000-memory.dmp

Filesize
200KB

Download