cobaltstrike | 8028313f8ccc23c6cb1b07927d5e3a5e5aff66f36f2ce67be49cb96372722d76

Resubmissions

24-01-2025 23:14

250124-27yspavnbr 7

24-01-2025 23:02

250124-21dtyavkap 10

19-01-2025 16:29

250119-tzgv7swkcv 10

Analysis

max time kernel
205s
max time network
225s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FiveMHackV2.exe
Size

26.2MB
MD5

0a80c7be4e77b4b2f9e580c26a0b5d13
SHA1

7525eaf2118d893c6a73fa5471f6adea4e75e164
SHA256

8028313f8ccc23c6cb1b07927d5e3a5e5aff66f36f2ce67be49cb96372722d76
SHA512

362cb3f5306cb978bc7d8e7240023c9f859a9907a07b03df4756ea48b02c0b68ddf751719b13027bd2447d9b2d1d598e210c744c4b4e1bcc11d9d17b783a1169
SSDEEP

786432:SKP9F8JjEdm7SJtWqwkd7q+XlR43OnDgUd4Z+c:P7qEdm7SHWqwGxXX43cDgUd4ZV

Score

10^/10

cobaltstrike latentbot njrat backdoor defense_evasion discovery execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

latentbot

nikomklkahba.zapto.org

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023d57-9389.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0008000000023d58-9393.dat	disable_win_def

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot
Njrat family
njrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 7880 created 7584	7880	WerFaultSecure.exe	198

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Downloads MZ/PE file 5 IoCs

flow	pid	Process
46	2164	saBSI.exe
65	808	setup.exe
40	2736	CheatEngine75.tmp
47	4236	prod2.exe
15	2736	CheatEngine75.tmp

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsDwf.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	UnifiedStub-installer.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4744	netsh.exe
1672	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEngineSvc.exe

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Tutorial-x86_64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Cheat Engine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rsVPNSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	FiveM Hack V1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CheatEngine75.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	prod2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	UIHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	cheatengine-x86_64-SSE4-AVX2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Rename_Z60IHLDjO6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	FiveMHackV2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Cheat Engine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Client.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ce4232fc398063865fce10fcca4f582.exe	Windows Services.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ce4232fc398063865fce10fcca4f582.exe	Windows Services.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aa238bbbf6c461548a622535aabe462.exe	Windows Defender.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aa238bbbf6c461548a622535aabe462.exe	Windows Defender.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
3644	FiveM Hack V1.exe
4184	CheatEngine75.exe
2736	CheatEngine75.tmp
2164	saBSI.exe
4112	OperaSetup.exe
4236	prod2.exe
808	setup.exe
1480	setup.exe
220	CheatEngine75.exe
3860	i0jncbrq.exe
812	setup.exe
2936	CheatEngine75.tmp
2900	setup.exe
4592	UnifiedStub-installer.exe
5028	setup.exe
4244	installer.exe
2332	installer.exe
4384	rsSyncSvc.exe
2684	rsSyncSvc.exe
1160	_setup64.tmp
5540	ServiceHost.exe
100	UIHost.exe
5536	Kernelmoduleunloader.exe
6052	windowsrepair.exe
6376	Cheat Engine.exe
6680	cheatengine-x86_64-SSE4-AVX2.exe
6876	updater.exe
1464	Client.exe
6556	Assistant_116.0.5366.21_Setup.exe_sfx.exe
1904	assistant_installer.exe
5364	assistant_installer.exe
6300	Cheat Engine.exe
5912	cheatengine-x86_64-SSE4-AVX2.exe
6140	Windows Services.exe
6032	Setup.exe
6228	Windows Defender.exe
4148	Rename_Z60IHLDjO6.exe
6760	rsWSC.exe
8056	Tutorial-x86_64.exe
6436	rsWSC.exe
7896	rsClientSvc.exe
7980	rsClientSvc.exe
8028	rsEngineSvc.exe
7584	rsEngineSvc.exe
5420	rsEDRSvc.exe
4344	rsEDRSvc.exe
3696	rsVPNClientSvc.exe
3336	rsVPNClientSvc.exe
6940	rsVPNSvc.exe
7472	rsVPNSvc.exe
7484	rsHelper.exe
6736	VPN.exe
6280	rsAppUI.exe
6048	rsAppUI.exe
1620	rsAppUI.exe
6520	rsAppUI.exe
7560	rsAppUI.exe
7332	EPP.exe
2984	rsAppUI.exe
5008	rsAppUI.exe
7296	rsAppUI.exe
5176	rsAppUI.exe
6760	rsDNSClientSvc.exe
8284	rsDNSClientSvc.exe

Loads dropped DLL 64 IoCs

pid	Process
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
808	setup.exe
1480	setup.exe
812	setup.exe
2900	setup.exe
5028	setup.exe
2332	installer.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
100	UIHost.exe
100	UIHost.exe
6680	cheatengine-x86_64-SSE4-AVX2.exe
6680	cheatengine-x86_64-SSE4-AVX2.exe
6680	cheatengine-x86_64-SSE4-AVX2.exe
6680	cheatengine-x86_64-SSE4-AVX2.exe
6680	cheatengine-x86_64-SSE4-AVX2.exe
6680	cheatengine-x86_64-SSE4-AVX2.exe
6680	cheatengine-x86_64-SSE4-AVX2.exe
1904	assistant_installer.exe
1904	assistant_installer.exe
5364	assistant_installer.exe
5364	assistant_installer.exe
5912	cheatengine-x86_64-SSE4-AVX2.exe
5912	cheatengine-x86_64-SSE4-AVX2.exe
5912	cheatengine-x86_64-SSE4-AVX2.exe
5912	cheatengine-x86_64-SSE4-AVX2.exe
5912	cheatengine-x86_64-SSE4-AVX2.exe
5912	cheatengine-x86_64-SSE4-AVX2.exe
4592	UnifiedStub-installer.exe
5912	cheatengine-x86_64-SSE4-AVX2.exe
4592	UnifiedStub-installer.exe
4148	Rename_Z60IHLDjO6.exe
7584	rsEngineSvc.exe
4344	rsEDRSvc.exe
4592	UnifiedStub-installer.exe
7472	rsVPNSvc.exe
7584	rsEngineSvc.exe
7584	rsEngineSvc.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
6048	rsAppUI.exe
6048	rsAppUI.exe
6048	rsAppUI.exe
6048	rsAppUI.exe
6048	rsAppUI.exe
1620	rsAppUI.exe
6520	rsAppUI.exe
7560	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
5008	rsAppUI.exe
5008	rsAppUI.exe
5008	rsAppUI.exe
5008	rsAppUI.exe
5008	rsAppUI.exe
7296	rsAppUI.exe
5176	rsAppUI.exe
4592	UnifiedStub-installer.exe
8376	rsDNSSvc.exe
7284	rsDNSResolver.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3652	icacls.exe
6032	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ce4232fc398063865fce10fcca4f582 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Services.exe\" .."	Windows Services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4ce4232fc398063865fce10fcca4f582 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Services.exe\" .."	Windows Services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4aa238bbbf6c461548a622535aabe462 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe\" .."	Windows Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4aa238bbbf6c461548a622535aabe462 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender.exe\" .."	Windows Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	rsEngineSvc.exe
File opened (read-only)	\??\F:	rsEngineSvc.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\F:	rsEDRSvc.exe

Modifies powershell logging option 1 TTPs
defense_evasion

Modify Registry
T1112

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023d57-9389.dat	autoit_exe
behavioral2/files/0x0009000000023d59-9413.dat	autoit_exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	rsEDRSvc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM32\uxtheme.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\49855FCDFA62840A2838AEF1EFAC3C9B	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48B35517638A85CA46010B026C2B955A_0E2607AD9B9E618A16D313BC98EDE832	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\shell32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ole32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\version.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\MSCTF.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\hhctrl.ocx	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\GDI32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\msvcrt.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\SHLWAPI.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\clbcatq.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\sechost.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\imm32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\SHLWAPI.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\comdlg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	rsEDRSvc.exe
File opened for modification	C:\Windows\SYSTEM32\wsock32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_4B060B7AC437F3D4D78568D3A1F5E3D1	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07A7CCFBD28A674D95D3BF853C9007C6	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\117308CCCD9C93758827D7CC85BB135E	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\win32u.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_E3A0B2E345AA9F5A174687564C886046	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\imm32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_96B11076AA4494A4A6143129F61AEC8B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_72BCADB7EE100ECA692C6EC1A866B75B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA0E447C3E79584EC91182C66BBD2DB7	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\ucrtbase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\apphelp.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\RPCRT4.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\psapi.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\uxtheme.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\gdi32full.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\wininet.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\PROPSYS.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_607A58EEE9CB7145B2928F6E2D210D0B	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEDRSvc.exe
File opened for modification	C:\Windows\SYSTEM32\Wldp.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\ws2_32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\msimg32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\kernel.appcore.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\bcryptPrimitives.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_2CDE88B3CC9A35A2EA16DC0201366139	rsEDRSvc.exe
File opened for modification	C:\Windows\System32\combase.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\SYSTEM32\GLU32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_E93D4349D1D2AF4AE2F3CBFF382A5C9D	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_6E4F36431D86962EFD432400DF65AC90	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\explorerframe.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48B35517638A85CA46010B026C2B955A_0E2607AD9B9E618A16D313BC98EDE832	rsEDRSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\rsVPNSvc\WireGuard\log.bin	rsVPNSvc.exe
File opened for modification	C:\Windows\System32\oleaut32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\advapi32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\System32\shell32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\38D10539991D1B84467F968981C3969D_3A58CFC115108405B8F1F6C1914449B7	rsEDRSvc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\data_collector.js	ServiceHost.exe
File created	C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\SDK\is-BRJ6I.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\EDR\rsTime.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XDocument.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\System.Threading.Thread.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.ObjectModel.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\providers\yahoo.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-zh-TW.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\CoreUIComponents.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\nps\info-16.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\priorityqueue.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\new-tab-toasts.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-da-DK.js	installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Runtime.Numerics.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\webadvisor.ico	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\registry.js	ServiceHost.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\dll\Kernel.Appcore.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\aviary_client.js	ServiceHost.exe
File created	C:\Program Files\McAfee\Temp1529572394\wa-ui-install.js	installer.exe
File created	C:\Program Files\McAfee\Temp1529572394\jslang\wa-res-install-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\mwb\mwbhandler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-nl-NL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-zh-TW.js	installer.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\autorun\dlls\DotNetInterface.dll	CheatEngine75.tmp
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-sv-SE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-tr-TR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-pl-PL.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\include\winapi\is-HPO25.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Mono\is-3JUHS.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\Cheat Engine 7.5\symbols\dll\comdlg32.pdb	cheatengine-x86_64-SSE4-AVX2.exe
File created	C:\Program Files\McAfee\Temp1529572394\wa_logo3.png	installer.exe
File created	C:\Program Files\ReasonLabs\VPN\WireGuard\amd64\VpnHostService.exe	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.ReaderWriter.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\ReasonLabs\DNS\InstallUtil.InstallLog	rsDNSSvc.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Threading.Thread.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\tests_logic.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-ja-JP.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\is-18P01.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-46PE7.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\data_collector.js	ServiceHost.exe
File created	C:\Program Files\McAfee\Temp1529572394\webadvisor.ico	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\TraceReloggerLib.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\it\Microsoft.Win32.TaskScheduler.resources.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\amd64\vcruntime140.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-sk-SK.js	installer.exe
File created	C:\Program Files\Cheat Engine 7.5\plugins\c# template\CEPluginLibrary\bin\Release\is-7OUMP.tmp	CheatEngine75.tmp
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Console.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngineSvc.Externals.RPC.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\DNS\System.Xml.XPath.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-tr-TR.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\hr.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Drawing.Primitives.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\x64\rsJournal-x64.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\VPN\DotRas.dll	UnifiedStub-installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\csp_client.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-ru-RU.js	installer.exe
File created	C:\Program Files\ReasonLabs\DNS\rsDNSSvc.RPC.RPCClient.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-ss-toast-variants-window.png	installer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	cheatengine-x86_64-SSE4-AVX2.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll	cheatengine-x86_64-SSE4-AVX2.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
10012	sc.exe
10176	sc.exe
9016	sc.exe
624	sc.exe
4264	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saBSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i0jncbrq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_116.0.5366.21_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat Engine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsrepair.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kernelmoduleunloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat Engine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Control	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	rsEDRSvc.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	rsEDRSvc.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rsEDRSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rsEDRSvc.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rsEDRSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rsVPNSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsEngineSvc.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER\ = "CheatEngine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CETRAINER	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\ = "Cheat Engine"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell\open\command\ = "\"C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe\" \"%1\""	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CT\ = "CheatEngine"	CheatEngine75.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\shell	CheatEngine75.tmp

Modifies system certificate store 2 TTPs 29 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf50f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f1030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 19000000010000001000000014d4b19434670e6dc091d154abb20edc030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f7e00000001000000080000000080c82b6886d7017f000000010000000c000000300a06082b060105050703031d000000010000001000000052135310639a10f77f886b229b9f7afc1400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab553000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d0020004700320000000f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa42000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ServiceHost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	ServiceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsEDRSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe

Runs net.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	102	Cheat Engine 7.5 : luascript-ceshare
HTTP User-Agent header	102	Cheat Engine 7.5 : luascript-CEVersionCheck
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2736	CheatEngine75.tmp
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2164	saBSI.exe
2936	CheatEngine75.tmp
2936	CheatEngine75.tmp
4592	UnifiedStub-installer.exe
4592	UnifiedStub-installer.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe
5540	ServiceHost.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
2776	fltmc.exe
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	prod2.exe
Token: SeDebugPrivilege	4592	UnifiedStub-installer.exe
Token: SeShutdownPrivilege	4592	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	4592	UnifiedStub-installer.exe
Token: SeDebugPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLoadDriverPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreateGlobalPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLockMemoryPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeSecurityPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTakeOwnershipPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeManageVolumePrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeBackupPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreatePagefilePrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeShutdownPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeRestorePrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeIncBasePriorityPrivilege	6680	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeDebugPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTcbPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLoadDriverPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreateGlobalPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeLockMemoryPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeSecurityPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeTakeOwnershipPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeManageVolumePrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeBackupPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeCreatePagefilePrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeShutdownPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeRestorePrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: 33	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeIncBasePriorityPrivilege	5912	cheatengine-x86_64-SSE4-AVX2.exe
Token: SeDebugPrivilege	4592	UnifiedStub-installer.exe
Token: SeDebugPrivilege	6140	Windows Services.exe
Token: 33	6140	Windows Services.exe
Token: SeIncBasePriorityPrivilege	6140	Windows Services.exe
Token: SeSecurityPrivilege	1632	wevtutil.exe
Token: SeBackupPrivilege	1632	wevtutil.exe
Token: SeLoadDriverPrivilege	2776	fltmc.exe
Token: SeSecurityPrivilege	5392	wevtutil.exe
Token: SeBackupPrivilege	5392	wevtutil.exe
Token: SeDebugPrivilege	6760	rsWSC.exe
Token: SeDebugPrivilege	6436	rsWSC.exe
Token: SeDebugPrivilege	8028	rsEngineSvc.exe
Token: SeDebugPrivilege	8028	rsEngineSvc.exe
Token: SeDebugPrivilege	8028	rsEngineSvc.exe
Token: SeBackupPrivilege	8028	rsEngineSvc.exe
Token: SeRestorePrivilege	8028	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	8028	rsEngineSvc.exe
Token: SeDebugPrivilege	6228	Windows Defender.exe
Token: 33	6228	Windows Defender.exe
Token: SeIncBasePriorityPrivilege	6228	Windows Defender.exe
Token: SeDebugPrivilege	7584	rsEngineSvc.exe
Token: SeDebugPrivilege	7584	rsEngineSvc.exe
Token: SeDebugPrivilege	7584	rsEngineSvc.exe
Token: SeBackupPrivilege	7584	rsEngineSvc.exe
Token: SeRestorePrivilege	7584	rsEngineSvc.exe
Token: SeLoadDriverPrivilege	7584	rsEngineSvc.exe
Token: SeDebugPrivilege	4344	rsEDRSvc.exe
Token: SeShutdownPrivilege	4592	UnifiedStub-installer.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2736	CheatEngine75.tmp
2936	CheatEngine75.tmp
6680	cheatengine-x86_64-SSE4-AVX2.exe
5912	cheatengine-x86_64-SSE4-AVX2.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
6280	rsAppUI.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
6280	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
2984	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
5212	rsAppUI.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe
7252	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
6300	Cheat Engine.exe
5912	cheatengine-x86_64-SSE4-AVX2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 3644	4520	FiveMHackV2.exe	83
PID 4520 wrote to memory of 3644	4520	FiveMHackV2.exe	83
PID 3644 wrote to memory of 4184	3644	FiveM Hack V1.exe	85
PID 3644 wrote to memory of 4184	3644	FiveM Hack V1.exe	85
PID 3644 wrote to memory of 4184	3644	FiveM Hack V1.exe	85
PID 4184 wrote to memory of 2736	4184	CheatEngine75.exe	86
PID 4184 wrote to memory of 2736	4184	CheatEngine75.exe	86
PID 4184 wrote to memory of 2736	4184	CheatEngine75.exe	86
PID 2736 wrote to memory of 2164	2736	CheatEngine75.tmp	106
PID 2736 wrote to memory of 2164	2736	CheatEngine75.tmp	106
PID 2736 wrote to memory of 2164	2736	CheatEngine75.tmp	106
PID 2736 wrote to memory of 4112	2736	CheatEngine75.tmp	108
PID 2736 wrote to memory of 4112	2736	CheatEngine75.tmp	108
PID 2736 wrote to memory of 4112	2736	CheatEngine75.tmp	108
PID 2736 wrote to memory of 4236	2736	CheatEngine75.tmp	109
PID 2736 wrote to memory of 4236	2736	CheatEngine75.tmp	109
PID 4112 wrote to memory of 808	4112	OperaSetup.exe	110
PID 4112 wrote to memory of 808	4112	OperaSetup.exe	110
PID 4112 wrote to memory of 808	4112	OperaSetup.exe	110
PID 808 wrote to memory of 1480	808	setup.exe	113
PID 808 wrote to memory of 1480	808	setup.exe	113
PID 808 wrote to memory of 1480	808	setup.exe	113
PID 2736 wrote to memory of 220	2736	CheatEngine75.tmp	111
PID 2736 wrote to memory of 220	2736	CheatEngine75.tmp	111
PID 2736 wrote to memory of 220	2736	CheatEngine75.tmp	111
PID 4236 wrote to memory of 3860	4236	prod2.exe	114
PID 4236 wrote to memory of 3860	4236	prod2.exe	114
PID 4236 wrote to memory of 3860	4236	prod2.exe	114
PID 808 wrote to memory of 812	808	setup.exe	115
PID 808 wrote to memory of 812	808	setup.exe	115
PID 808 wrote to memory of 812	808	setup.exe	115
PID 220 wrote to memory of 2936	220	CheatEngine75.exe	116
PID 220 wrote to memory of 2936	220	CheatEngine75.exe	116
PID 220 wrote to memory of 2936	220	CheatEngine75.exe	116
PID 808 wrote to memory of 2900	808	setup.exe	117
PID 808 wrote to memory of 2900	808	setup.exe	117
PID 808 wrote to memory of 2900	808	setup.exe	117
PID 3860 wrote to memory of 4592	3860	i0jncbrq.exe	118
PID 3860 wrote to memory of 4592	3860	i0jncbrq.exe	118
PID 2900 wrote to memory of 5028	2900	setup.exe	119
PID 2900 wrote to memory of 5028	2900	setup.exe	119
PID 2900 wrote to memory of 5028	2900	setup.exe	119
PID 2164 wrote to memory of 4244	2164	saBSI.exe	120
PID 2164 wrote to memory of 4244	2164	saBSI.exe	120
PID 2936 wrote to memory of 1324	2936	CheatEngine75.tmp	121
PID 2936 wrote to memory of 1324	2936	CheatEngine75.tmp	121
PID 4244 wrote to memory of 2332	4244	installer.exe	123
PID 4244 wrote to memory of 2332	4244	installer.exe	123
PID 1324 wrote to memory of 4784	1324	net.exe	124
PID 1324 wrote to memory of 4784	1324	net.exe	124
PID 2936 wrote to memory of 3928	2936	CheatEngine75.tmp	125
PID 2936 wrote to memory of 3928	2936	CheatEngine75.tmp	125
PID 3928 wrote to memory of 4088	3928	net.exe	127
PID 3928 wrote to memory of 4088	3928	net.exe	127
PID 2936 wrote to memory of 4264	2936	CheatEngine75.tmp	128
PID 2936 wrote to memory of 4264	2936	CheatEngine75.tmp	128
PID 2936 wrote to memory of 624	2936	CheatEngine75.tmp	130
PID 2936 wrote to memory of 624	2936	CheatEngine75.tmp	130
PID 4592 wrote to memory of 4384	4592	UnifiedStub-installer.exe	132
PID 4592 wrote to memory of 4384	4592	UnifiedStub-installer.exe	132
PID 2936 wrote to memory of 1160	2936	CheatEngine75.tmp	135
PID 2936 wrote to memory of 1160	2936	CheatEngine75.tmp	135
PID 2936 wrote to memory of 3652	2936	CheatEngine75.tmp	137
PID 2936 wrote to memory of 3652	2936	CheatEngine75.tmp	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FiveMHackV2.exe
"C:\Users\Admin\AppData\Local\Temp\FiveMHackV2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack V1.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack V1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatEngine75.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatEngine75.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\is-O8LU3.tmp\CheatEngine75.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-O8LU3.tmp\CheatEngine75.tmp" /SL5="$302B4,2335682,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatEngine75.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod0_extract\saBSI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod0_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod0_extract\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod0_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Program Files\McAfee\Temp1529572394\installer.exe
        
        "C:\Program Files\McAfee\Temp1529572394\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        Modifies system certificate store
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod1_extract\OperaSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod1_extract\OperaSetup.exe" --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4112
      - C:\Users\Admin\AppData\Local\Temp\7zS010F5488\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS010F5488\setup.exe --silent --allusers=0 --otd=utm.medium:apb,utm.source:ais,utm.campaign:opera_new_a --server-tracking-blob=YjZjOTM4OTJiZGUxNDI1MzJkMGJmZmU5YWZlMDY3MTM2MmY4ZDNlOWIzYmQ1MTBlMDkyODhmNWU1ZmU1ZWYwYzp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInRpbWVzdGFtcCI6IjE3Mzc0NTcyMTMuMTkxNSIsInVzZXJhZ2VudCI6InB5dGhvbi1yZXF1ZXN0cy8yLjMyLjMiLCJ1dG0iOnt9LCJ1dWlkIjoiZmQ1OTA4ZGUtOTcyZC00NTVlLWFjNzEtNDYzOWQxYzFlOWRlIn0=
        6⤵
        Downloads MZ/PE file
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\7zS010F5488\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS010F5488\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.35 --initial-client-data=0x320,0x324,0x328,0x2fc,0x32c,0x7225cf0c,0x7225cf18,0x7225cf24
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\7zS010F5488\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS010F5488\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=808 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20250124230340" --session-guid=945283e7-f696-4da1-b631-c4738b9d69c6 --server-tracking-blob="ZGU0ZTRkODkxZDNjN2QwNDRlODFmNTg5YzMxOTQzZDlkOGViMTRmYTUyYmE5YTRlNzdjOTk2MmZhNzc4NTdiNzp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTczNzQ1NzIxMy4xOTE1IiwidXNlcmFnZW50IjoicHl0aG9uLXJlcXVlc3RzLzIuMzIuMyIsInV0bSI6eyJjYW1wYWlnbiI6Im9wZXJhX25ld19hIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiYWlzIn0sInV1aWQiOiJmZDU5MDhkZS05NzJkLTQ1NWUtYWM3MS00NjM5ZDFjMWU5ZGUifQ== " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5C05000000000000
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\7zS010F5488\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS010F5488\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.35 --initial-client-data=0x32c,0x330,0x334,0x2fc,0x338,0x7116cf0c,0x7116cf18,0x7116cf24
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501242303401\assistant\Assistant_116.0.5366.21_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501242303401\assistant\Assistant_116.0.5366.21_Setup.exe_sfx.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501242303401\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501242303401\assistant\assistant_installer.exe" --version
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501242303401\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501242303401\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.21 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x250ac4,0x250ad0,0x250adc
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5364
    - - C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod2.exe" -ip:"dui=896de533-e5fb-4eb9-8f2b-d363f3584dc5&dit=20250124230257&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true" -vp:"dui=896de533-e5fb-4eb9-8f2b-d363f3584dc5&dit=20250124230257&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&oip=26&ptl=7&dta=true" -dp:"dui=896de533-e5fb-4eb9-8f2b-d363f3584dc5&dit=20250124230257&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100" -i -v -d -se=true
        5⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\i0jncbrq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\i0jncbrq.exe" /silent
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\UnifiedStub-installer.exe
        
        .\UnifiedStub-installer.exe /silent
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        8⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        8⤵
        Adds Run key to start application
        
        PID:6124
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        9⤵
        Checks processor information in registry
        
        PID:6376
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        10⤵
        
        PID:6484
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        8⤵
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5392
        
        C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
        8⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:6760
        
        C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i
        8⤵
        Executes dropped EXE
        
        PID:7896
        
        C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:8028
        
        C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
        
        "C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe" -i
        8⤵
        Executes dropped EXE
        
        PID:5420
        
        C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe" -i -i
        8⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
        
        "C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe" -i -i
        8⤵
        Executes dropped EXE
        
        PID:6940
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\DNS\rsDwf.inf
        8⤵
        Adds Run key to start application
        
        PID:8644
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        9⤵
        Checks processor information in registry
        
        PID:8968
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        10⤵
        
        PID:6928
        
        C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe" -i
        8⤵
        Executes dropped EXE
        
        PID:6760
        
        C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe" -service install
        8⤵
        
        PID:5216
        
        C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
        
        "C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe" -i
        8⤵
        Drops file in Program Files directory
        
        PID:3920
    - - C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\CheatEngine75.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Users\Admin\AppData\Local\Temp\is-JTMOE.tmp\CheatEngine75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JTMOE.tmp\CheatEngine75.tmp" /SL5="$301D8,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAntic
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        8⤵
        
        PID:4784
        
        C:\Windows\SYSTEM32\net.exe
        
        "net" stop BadlionAnticheat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        8⤵
        
        PID:4088
        
        C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAntic
        7⤵
        Launches sc.exe
        
        PID:4264
        
        C:\Windows\SYSTEM32\sc.exe
        
        "sc" delete BadlionAnticheat
        7⤵
        Launches sc.exe
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\is-ENL4O.tmp\_isetup\_setup64.tmp
        
        helper 105 0x46C
        7⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        7⤵
        Modifies file permissions
        
        PID:3652
        
        C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        7⤵
        Modifies file permissions
        
        PID:6032
    - - C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
        
        "C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6376
      - C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
        
        "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:6680
        
        C:\Program Files\Cheat Engine 7.5\Tutorial-x86_64.exe
        
        "C:\Program Files\Cheat Engine 7.5\Tutorial-x86_64.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:8056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cheatengine.org/tutorial.php?tutorial=4
        8⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:7252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbbd5646f8,0x7ffbbd564708,0x7ffbbd564718
        9⤵
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        9⤵
        
        PID:544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        9⤵
        
        PID:8296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
        9⤵
        
        PID:5396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        9⤵
        
        PID:5740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
        9⤵
        
        PID:5184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
        9⤵
        
        PID:9156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4804 /prefetch:8
        9⤵
        
        PID:10060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
        9⤵
        
        PID:5304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
        9⤵
        
        PID:8728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
        9⤵
        
        PID:9264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6064 /prefetch:8
        9⤵
        
        PID:10004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6080 /prefetch:8
        9⤵
        
        PID:1988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5756 /prefetch:8
        9⤵
        
        PID:4740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 /prefetch:8
        9⤵
        
        PID:10144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6180 /prefetch:8
        9⤵
        
        PID:9328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1796 /prefetch:1
        9⤵
        
        PID:4636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
        9⤵
        
        PID:1936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
        9⤵
        
        PID:7124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4230004572986630593,5571731577904628550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
        9⤵
        
        PID:9840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cheatengine.org/tutorial.php?tutorial=4
        8⤵
        
        PID:6168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbbd5646f8,0x7ffbbd564708,0x7ffbbd564718
        9⤵
        
        PID:9048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,6334356728555832006,17712141356271957894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
        9⤵
        
        PID:8636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,6334356728555832006,17712141356271957894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
        9⤵
        
        PID:8676
        
        C:\Program Files\Cheat Engine 7.5\gtutorial-x86_64.exe
        
        "C:\Program Files\Cheat Engine 7.5\gtutorial-x86_64.exe"
        8⤵
        
        PID:7220
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Client.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\Windows Services.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Services.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:6140
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Services.exe" "Windows Services.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4744
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6032
  - - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:6228
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Windows Defender.exe" "Windows Defender.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1672
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Rename_Z60IHLDjO6.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Rename_Z60IHLDjO6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4148

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:2684

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:5540
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:100
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:6876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )
    3⤵
    PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
    3⤵
    PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:7040

C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe
"C:\Program Files\Cheat Engine 7.5\Cheat Engine.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6300
- C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe
  "C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64-SSE4-AVX2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5912

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6436

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
PID:7980

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7584
- \??\c:\program files\reasonlabs\epp\rsHelper.exe
  "c:\program files\reasonlabs\epp\rsHelper.exe"
  2⤵
  - Executes dropped EXE
  PID:7484
- \??\c:\program files\reasonlabs\EPP\ui\EPP.exe
  "c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
  2⤵
  - Executes dropped EXE
  PID:7332
- - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2984
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1732,i,14156199539217404964,9032360029306484917,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1720 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5008
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --field-trial-handle=2204,i,14156199539217404964,9032360029306484917,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7296
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2408,i,14156199539217404964,9032360029306484917,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2400 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:5176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "sc.exe query state= all"
      4⤵
      PID:9520
    - - C:\Windows\system32\sc.exe
        
        sc.exe query state= all
        5⤵
        Launches sc.exe
        
        PID:10012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "sc.exe query state= all"
      4⤵
      PID:10044
    - - C:\Windows\system32\sc.exe
        
        sc.exe query state= all
        5⤵
        Launches sc.exe
        
        PID:10176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "sc.exe query "rsEngineSvc""
      4⤵
      PID:10216
    - - C:\Windows\system32\sc.exe
        
        sc.exe query "rsEngineSvc"
        5⤵
        Launches sc.exe
        
        PID:9016
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 7584 -s 5056
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1456

C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe
"C:\Program Files\ReasonLabs\EDR\rsEDRSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks system information in the registry
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNClientSvc.exe"
1⤵
- Executes dropped EXE
PID:3336

C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe
"C:\Program Files\ReasonLabs\VPN\rsVPNSvc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7472
- \??\c:\program files\reasonlabs\VPN\ui\VPN.exe
  "c:\program files\reasonlabs\VPN\ui\VPN.exe" --minimized --focused --first-run
  2⤵
  - Executes dropped EXE
  PID:6736
- - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6280
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2268,i,18043815151450582848,15209955192815910702,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6048
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --field-trial-handle=2580,i,18043815151450582848,15209955192815910702,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1620
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2852,i,18043815151450582848,15209955192815910702,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2848 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:6520
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN" --app-user-model-id=com.reasonlabs.vpn --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=4016,i,18043815151450582848,15209955192815910702,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:7560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:7392

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 7584 -i 7584 -h 428 -j 424 -s 404 -d 7164
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7880

C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSClientSvc.exe"
1⤵
- Executes dropped EXE
PID:8284

C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSResolver.exe"
1⤵
- Loads dropped DLL
PID:7284

C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe
"C:\Program Files\ReasonLabs\DNS\rsDNSSvc.exe"
1⤵
- Loads dropped DLL
PID:8376
- \??\c:\program files\reasonlabs\DNS\ui\DNS.exe
  "c:\program files\reasonlabs\DNS\ui\DNS.exe" --minimized --focused --first-run
  2⤵
  PID:7532
- - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
    "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" "c:\program files\reasonlabs\DNS\ui\app.asar" --engine-path="c:\program files\reasonlabs\DNS" --minimized --focused --first-run
    3⤵
    - Checks computer location settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5212
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,3624205615320569043,7112066837089046322,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1756 /prefetch:2
      4⤵
      PID:8424
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --field-trial-handle=2180,i,3624205615320569043,7112066837089046322,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:3
      4⤵
      PID:8292
  - - C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe
      "C:\Program Files\ReasonLabs\Common\Client\v1.6.0\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS" --app-user-model-id=com.reasonlabs.dns --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2316,i,3624205615320569043,7112066837089046322,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2304 /prefetch:1
      4⤵
      Checks computer location settings
      PID:8196

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Modifies data under HKEY_USERS
PID:7512
- C:\program files\reasonlabs\epp\rsLitmus.A.exe
  "C:\program files\reasonlabs\epp\rsLitmus.A.exe"
  2⤵
  PID:8640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:9996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Cheat Engine 7.5\badassets\scoreboard.png

Filesize
5KB

MD5
5cff22e5655d267b559261c37a423871

SHA1
b60ae22dfd7843dd1522663a3f46b3e505744b0f

SHA256
a8d8227b8e97a713e0f1f5db5286b3db786b7148c1c8eb3d4bbfe683dc940db9

SHA512
e00f5b4a7fa1989382df800d168871530917fcd99efcfe4418ef1b7e8473caea015f0b252cac6a982be93b5d873f4e9acdb460c8e03ae1c6eea9c37f84105e50

Download Submit
C:\Program Files\McAfee\Temp1529572394\analyticsmanager.cab

Filesize
1.8MB

MD5
1f5c555b55267455d0d913e5bdaeeba8

SHA1
be2e82e47a0eafefd71b5529cc38af67273d022f

SHA256
ae5f0384e1a1cfa7fe6adf477e2464eddad789ab6a334fefd8949f5b48ae098e

SHA512
85dc840c9dc4c4fe56f5a5f236f5d797248a079a1a0ffe6e28558b35e592197fd6db73996ff5d2c46d5c09852768f563792653cde1b2e215f401e4c545cc4f5a

Download Submit
C:\Program Files\McAfee\Temp1529572394\analyticstelemetry.cab

Filesize
51KB

MD5
ef6824f9280a5d459867a9702bd11fcb

SHA1
3cabb75a2e4c01e9e10d3b4c53359920e2cba71a

SHA256
d1fc31f36a943837c447eee2715d2c483c513fc80fef330d80ecfab3c0937f01

SHA512
741dbff15030b594f65e8520686819546d309a3833949b21fc6af899f6d6fdc04a02331f7d45470d0474ea80dbe544ee16bf0b879b965d64d616eaf7204b181e

Download Submit
C:\Program Files\McAfee\Temp1529572394\browserhost.cab

Filesize
1.3MB

MD5
22d3a089fb034388a4a1adee5044fca0

SHA1
0bd93bd2a6539d729736e6c8177db26c7dec527d

SHA256
8a17dd2a96133fffc8bd42be50caed6c019231d9cb7bb4e4c6a40d03ac0cd43f

SHA512
486c686e03e600e4ee8e90bddbe228acbf32ac651cf852f89f12341e19294a7bb76d25bc8cc78ccda948aabab5eca58139efe00f8a4f64d4fa1393a716be6c05

Download Submit
C:\Program Files\McAfee\Temp1529572394\browserplugin.cab

Filesize
4.8MB

MD5
68faaf3ebfeacaf001acc883aa172f70

SHA1
e3afa8f553ff830480c2fb9c8341328bad49a864

SHA256
194189fa2578ebda8dfcae80428017511e9712048059d743ee7d628ed639ef43

SHA512
c20a3a507a9ca16b95461ff25e0df7079fb4a79de2a5af53eef7572825f16afbe9fcc19aedcf91eae24e2ee0b484d9c1706076c0b69ff26db4901b2a08b26d50

Download Submit
C:\Program Files\McAfee\Temp1529572394\installer.exe

Filesize
2.9MB

MD5
44013120e463d5055fb87b4727d25dd5

SHA1
df06ff88068ef541c91fcf5bf351a67323ef65f4

SHA256
92a8c18260fdaf4a5dfe94e898276163bfdb4747fface24f841b2cae874883ab

SHA512
e93b9eb046a0c2e22b1a0a4020450fdc0af5f05c4bd3a972d2317ba3a5bf295cc64a91ca23fcea0a24eb9107c5e42c0b393c390354cc2d765b739b4da9442548

Download Submit
C:\Program Files\McAfee\Temp1529572394\l10n.cab

Filesize
263KB

MD5
d67032cc8af5a1eb7a0dd323d929808d

SHA1
b0859872b3ab71817b020a970ce27734ac1acd7c

SHA256
0b202343df351932b9644aac9cfb6168eedfef72eba53383faad32b0c952d4a3

SHA512
79d169e390c1b251a6524bda6b3c224f93f0169c1e1b59cce3f90cae9972dd1dd95f47bc999ece21f1b8301753c1fccf7fcfb94da5a702ecb2544be9c739c844

Download Submit
C:\Program Files\McAfee\Temp1529572394\logicmodule.cab

Filesize
1.5MB

MD5
4c03227c7bd2b20bda1a51a3a33a1e1b

SHA1
c5b56e743d9f676c57167e339c1b0b5f4ab8b48d

SHA256
8ffdd35cd5e16e05e212c677a1c1ee2d81edf46992ee57ea2ec771c5f3480c1b

SHA512
cab7702e591ce4d30d67b940a86871ac35af29f2e4b2f0c044a4e27706efee416ce41c44a1a8b72f819925e9459922072d068cae0dea8d127e787ba97568aeae

Download Submit
C:\Program Files\McAfee\Temp1529572394\logicscripts.cab

Filesize
53KB

MD5
da7dc39883bdad30fa3e4d33bd4fe6f8

SHA1
7d8e35b6723535b1950f8f30e9e12f637d34ad13

SHA256
8a1a9bcbdf953ae33104e0296bcf093d123fcd0e98d57d26fa4c3d855624fb31

SHA512
2d0e371d5abe8cc527f6a78ca8dd0f452004dc0287b1783aad638cac30c46793f34dc40c1754fea2254000197e5c2b522c9ed0f5052b95e32f38a73a9750f1cb

Download Submit
C:\Program Files\McAfee\Temp1529572394\mfw-mwb.cab

Filesize
20KB

MD5
43a13497fffd820fc04ebac096b0b79f

SHA1
eb276c91986d14c55ae0df1ab0582b5ccd801913

SHA256
6355433e682a1505b073fa2212f4150af127dbf23aa8721e061e0045dcbc9395

SHA512
dd72b7b5432388c22ae4eb914d062b68b067f2986297210e6a2e172f0c06861cd7598efb9bf8e00efabbf76dd999dafe3efe645e61700046a488ce9172377a7b

Download Submit
C:\Program Files\McAfee\Temp1529572394\mfw-nps.cab

Filesize
22KB

MD5
ed16415dee03afbbadd1a24d0adc825d

SHA1
f2df8736f72ec1d44e7d6fa7695ba9f7ff059a87

SHA256
5e791887aab437126542ea35b5a41ec1014c813cbfdb21308adc3c0d4ed0ec10

SHA512
3ec49f745fd5a39a0b15b753be184da68cd421f330bbd653e8a0c737380f547d67fa5ee8731438b81bd0d584232e193baaa8c4ad1a3723031d710cdd03e24263

Download Submit
C:\Program Files\McAfee\Temp1529572394\mfw-webadvisor.cab

Filesize
770KB

MD5
d1a10d32486d7dc2f109104a25d0536d

SHA1
ca3e497be648c53fc84e1c5901cf7a24fb06177b

SHA256
a66e27cb7b22b982147240cf385c62552b89118303e05b37d8af6d97ffe0c2e8

SHA512
11038cf0dd8f1a1796755f2e08aa5ed24e9db1d80212bdf47835b12969cf889d5dafe59669b7b091462777f0507d14cfcc782304d665118b90b03993a2a8890b

Download Submit
C:\Program Files\McAfee\Temp1529572394\mfw.cab

Filesize
299KB

MD5
417e0e13ee88518d96e95973abce680b

SHA1
fef0446d0a9cbc7c34437027aa8c6b230ad27e69

SHA256
bf2711b54c67a8aa62e62e07faf648c6783d0f876c0fd5150d935b996708bf45

SHA512
8dfc42aea691a1f86ca7e071621de801badcb2fee332512c5481cfc63c0874d0475ef3151956d145272d89aa072e2e5fc85a418ce4d9bff71f0ebdc95a21b936

Download Submit
C:\Program Files\McAfee\Temp1529572394\resourcedll.cab

Filesize
37KB

MD5
f2b3ee696ea8a2d8e01e90e092ff8447

SHA1
48fd2b386ae4383add26bafb62ce93a7189f54e9

SHA256
8d285e0950843ce6a5bd8323c9258bfc59b3732a7ee8c5ce88cc57bf9196dbaa

SHA512
1f5c4d95f17ff3a673cb817de62614d39cb677a6c9895d8f16bb2dcebfcca4f693b83663432f0bf191f32abedf10093434bbf5c62d74b516da7828dc4138c7a0

Download Submit
C:\Program Files\McAfee\Temp1529572394\servicehost.cab

Filesize
328KB

MD5
88ab59e015d9eed7779b47a150029052

SHA1
c2bf1e8a2a3adc77075c55c399788aaa62428804

SHA256
6a8b7ae7908c650adbac9073deecb2fae2f3e2bab7101f1f0497553ed92efd4d

SHA512
8143dc3f9bdb2a8b438226b3698a4ab9f9594aa0c51a03fd8e87da8c13205bdfd0ed18f74d00af6962839900057e603ff29b3d2beb2611dc2b99f51377c027b5

Download Submit
C:\Program Files\McAfee\Temp1529572394\settingmanager.cab

Filesize
784KB

MD5
9c4da44197b79d2026e92181f11423d1

SHA1
1122805c0e5b7a46c56eb778176107b3951fc82f

SHA256
ddcfd78cb009aa7cefdbc120ff305ee05c003a9ea45c6b37d007c9b4a7d76123

SHA512
1bd9e8c6675607dafe2777b4d0a073f67572b7c569054cc4f1f2fe20b84c009d0855968afe6021bceaa459f1c2aa9744dc10d0fc7ea60abe3e329a9329ffd86e

Download Submit
C:\Program Files\McAfee\Temp1529572394\taskmanager.cab

Filesize
3.0MB

MD5
a24e566741916f0af9a3ffd1d6199d33

SHA1
83004a95168fc64b0f55c7223b9dabf7612ce5a8

SHA256
81efb92642e3455e9743850e2aca79b39290f45efcfa66ad23831e109487fe53

SHA512
94a88eb8e92e24a4c91d89179f3a30b32f8def01110070639f3430572711657688727c5bcb7f1b05841a3eba9b084269084067917c91866c346fc93cf433f043

Download Submit
C:\Program Files\McAfee\Temp1529572394\uihost.cab

Filesize
323KB

MD5
3f2f97b361e764dfa4da31f00d5d99a5

SHA1
f68e358ed10b11f43ac6876ae416c6194ffe0844

SHA256
188709ae232d96b736db9f52fae8495f916756e86ecf7feb693108eee368d5b9

SHA512
2084689a5df9fa1a8b5dbf425e479b29d997abde70a7d98a5b973a6276a2fa251b66b528349890a468f77e0fa09e6dda28da14bb20c4e767f5b23847843ec2ab

Download Submit
C:\Program Files\McAfee\Temp1529572394\uimanager.cab

Filesize
1.8MB

MD5
f4bbe841ed2233ada4b14327dada4a99

SHA1
1e88dd35f79d483cedfd75a0ba6c49509d30f3f7

SHA256
324d5ad4fdab999ab58d27ed5789c2a807dd0347e20da7e6ce459c30922ca30d

SHA512
12f950d5133b9ccab6bcdbea8a9fc0b1a0be9b0efda7eb610f99e5eb0189a2043b2ffd60dece27e75b860201e9a5bab7597be6c1598ce60872649821139fef52

Download Submit
C:\Program Files\McAfee\Temp1529572394\uninstaller.cab

Filesize
1.0MB

MD5
7bad69a2ef8e6c3315d88a669a06800f

SHA1
89a1f8025194dc18b31b336842c2904da3b86134

SHA256
ac1d3d21916b97d6842dac5135ed6883a59d236054ede8af5092e89bad1c570b

SHA512
3b2422640819e72606eb087152b397a725a8ed8a3fc84830d8e045a63d0840227d26c4c8bf4ca4fa652064a8cbc6b1be3ae5681d8eb0c7e7accc61f6bd9926b1

Download Submit
C:\Program Files\McAfee\Temp1529572394\updater.cab

Filesize
968KB

MD5
d7f10a5822744420c32bf874c01d70ac

SHA1
aece1c1b87fea2ee8ead1697ca56a5b84e9e49ca

SHA256
c8c2e0a8248d59e4966a0a0533fb1c68aaf4d64f664aa8b95f2e9209b0bbfb45

SHA512
c12e198577e0e582497208fbde4f1286d92bf505b2279a550172edee8c2347157b17629ad307efc7e08a05f2d4388b9f1b61fbd2adacab980366a274fe58a844

Download Submit
C:\Program Files\McAfee\Temp1529572394\webadvisor.cab

Filesize
11KB

MD5
c4aebe3ebf7d5a233cfefbb4ebcb445d

SHA1
daed48548d12f84613fbc893fea5c02b2989deb4

SHA256
935ea23927b1fa51fe0a0dc007dbd56e880272f500e703e9325a94fc41beb80f

SHA512
a7fa9200ff275c7817d6eadf716bc02f4e265c39c10835ebceeb11d6ab03981bb588dc8c00fbfee83ee8f59427d1852c1e6c97b826927c595f6d826e5997602a

Download Submit
C:\Program Files\McAfee\Temp1529572394\wssdep.cab

Filesize
573KB

MD5
6a36c1e4651ce0496a228a3abf175188

SHA1
325dc29d728df10a62a33c69ac60d599ccc4475f

SHA256
614eac3fa20caf24a4bade6c84c9192b60b888829fa61938e539cab70147f1c3

SHA512
52dceaf8b1bd957e62a51d5893e92a8d209ad13356f2e11a6b9ebaa83c1ff2d062055ce558abfb896a795845abbedf7ad591a1916518277e5e17d383ddefc52d

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
74KB

MD5
37546d8c276447178ba6846748df7ae1

SHA1
e9d1055fb6b175de650a9ac4d7dfdda9727c2d46

SHA256
10db360282cf0b4f3ba35ba1fa317bb6bc5d04aff1851d281b97f6ee96c5503d

SHA512
6d1b6b2df0549d930b78e50358daaf6def167ae2831abde9c6f78908fded1c30868096fe2269ebbfd6b5ccecfbb89262abd239fbae21515dfc5ef8e533fae225

Download Submit
C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe

Filesize
798KB

MD5
f2738d0a3df39a5590c243025d9ecbda

SHA1
2c466f5307909fcb3e62106d99824898c33c7089

SHA256
6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21

SHA512
4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
388B

MD5
df6dc5c215aee2c259668e6774dff775

SHA1
06c0f3642e8f03454522cbd7cc77d7f9859f58e9

SHA256
77ba975e26d4cd48d5ac697cbb69598e8ae3e073086d9bcb07dbacbd4227d2a7

SHA512
586b24eb0a9c7fc26204f5c03d28dff5ab80a4fb6e87af337d82c1bf88392c1819f2ee485ddd586e64eb17819a060374a16563dca237e5e6f64e11c42e1b4df2

Download Submit
C:\Program Files\ReasonLabs\DNS\rsDNSSvc.InstallLog

Filesize
633B

MD5
c80d4a697b5eb7632bc25265e35a4807

SHA1
9117401d6830908d82cbf154aa95976de0d31317

SHA256
afe1e50cc967c3bb284847a996181c22963c3c02db9559174e0a1e4ba503cce4

SHA512
8076b64e126d0a15f6cbde31cee3d6ebf570492e36a178fa581aaa50aa0c1e35f294fef135fa3a3462eedd6f1c4eaa49c373b98ee5a833e9f863fbe6495aa036

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
388B

MD5
1068bade1997666697dc1bd5b3481755

SHA1
4e530b9b09d01240d6800714640f45f8ec87a343

SHA256
3e9b9f8ed00c5197cb2c251eb0943013f58dca44e6219a1f9767d596b4aa2a51

SHA512
35dfd91771fd7930889ff466b45731404066c280c94494e1d51127cc60b342c638f333caa901429ad812e7ccee7530af15057e871ed5f1d3730454836337b329

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallLog

Filesize
633B

MD5
6895e7ce1a11e92604b53b2f6503564e

SHA1
6a69c00679d2afdaf56fe50d50d6036ccb1e570f

SHA256
3c609771f2c736a7ce540fec633886378426f30f0ef4b51c20b57d46e201f177

SHA512
314d74972ef00635edfc82406b4514d7806e26cec36da9b617036df0e0c2448a9250b0239af33129e11a9a49455aab00407619ba56ea808b4539549fd86715a2

Download Submit
C:\Program Files\ReasonLabs\EDR\rsEDRSvc.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallUtil.InstallLog

Filesize
616B

MD5
8a0b93abf7961a386f153a4165e099f1

SHA1
388165bcf6100b6a6c69cc51693716116e4c4896

SHA256
e1eee4a919996c03ff2a0f0a3617e48bbcdf3c41c9535466de7a02fcdcae680a

SHA512
36972b5ffdde91754c3d2a336856f9bbe9f5bc7fded2420ae8f1ba66df905b0e189327eecc6eff9deb3df29c288dfb60aa16c8f9dbe501e449b92a67aaf5edac

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
338KB

MD5
57bdd4d54cb9a744255da5c549b46831

SHA1
21b5abaa27d558741940d9be7907870d61ef97d7

SHA256
0306b973f243a2f2e556dd9804db18abd77d6a761ef34e0e8bc010a452906554

SHA512
39fca92270445defe91a77c88041a2768f7c5a3d61736002ca0e72bd9b13d1e2e23ebe7f8a53e9b7e37852f980191b75369a3f1b2f1ee64b1adda90eab75aeef

Download Submit
C:\Program Files\ReasonLabs\EPP\Uninstall.exe

Filesize
316KB

MD5
667b2fa48ae25bcd62542cc10e9bb350

SHA1
530e51f92728a0ea9042b1b6198ccae31867f26e

SHA256
bd22c0369e317836ba565278e97cebc14fef39d2701b39b4c1f77a80881c4d55

SHA512
d630f961ff98909a01df691bef6943ba01110d69ac8fb1fd8cb9d3b0524d1dc7b32a24480e754ec0df32b9d73b6f18f31ce84692a96a49b3732c49af5e475621

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
96a3cd1cad2fce5a620039954795433a

SHA1
b824d9e71413d75d630714046305d8a5c481210b

SHA256
910364af32203240bda1a4843d5302dbd03b70a09ed4922751ca69709f671cb2

SHA512
4ff1ba08d7832712ee6975d0406e1fddf536d0f56ba3d1963652c29d9744155fd2305af79053efb0775db1630f245ae7397673079b0d41730266a19bc264be69

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
347KB

MD5
2abd904faf2f69d77442ea9dd9a30887

SHA1
b33d0a93d8bfe1490002af4d286dbb80617649b8

SHA256
6f396fa41b0fe61af9f1ecb2fd555ba8e06f36e154969fc9d424529cd2a6555e

SHA512
1feb1bd50173b0950532f1475d1fa12691cd392d65cd48b48cd728479bf0a1cf7d4d225ea5047c985431cbd057e305931fc82dfb3887bdd27423a03da5316994

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
6KB

MD5
13f791ce7aecfbe72efe7555f8fd127d

SHA1
55b47484951db2655eb58a1e1a7df11836471054

SHA256
93425ad57519eb95aae4b2cde73e302219d9dc76284135a64b2c659f8513f4a3

SHA512
0ccbf3ae970ebc65b6fda893a1930d85572ed1803b9418b48c7d3c6d74ff68f489cb75d32b6bca99ff985c48f655ea9160f3d84bc5a1fa3f5275340551fa1296

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngineSvc.InstallLog

Filesize
257B

MD5
2afb72ff4eb694325bc55e2b0b2d5592

SHA1
ba1d4f70eaa44ce0e1856b9b43487279286f76c9

SHA256
41fb029d215775c361d561b02c482c485cc8fd220e6b62762bff15fd5f3fb91e

SHA512
5b5179b5495195e9988e0b48767e8781812292c207f8ae0551167976c630398433e8cc04fdbf0a57ef6a256e95db8715a0b89104d3ca343173812b233f078b6e

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
370B

MD5
b2ec2559e28da042f6baa8d4c4822ad5

SHA1
3bda8d045c2f8a6daeb7b59bf52295d5107bf819

SHA256
115a74ccd1f7c937afe3de7fa926fe71868f435f8ab1e213e1306e8d8239eca3

SHA512
11f613205928b546cf06b5aa0702244dace554b6aca42c2a81dd026df38b360895f2895370a7f37d38f219fc0e79acf880762a3cfcb0321d1daa189dfecfbf01

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
73f35c0eaf3f35bb7560806159dda1ee

SHA1
258fdef4e3579f8214803ce570c0ba5bb2fad2ce

SHA256
5f3470cb8d4892a021f32c0d5c86f808abfc0ad7d21667ed438f6e30281f07f0

SHA512
2b2f85c6d3d72ae6bf3e00cca17d68d820c4ff83e029e1b3a483a886d217151f56150078ae6cffe72bc19d12869df70bf3d460e6aa3739e0ac08919792db312c

Download Submit
C:\Program Files\ReasonLabs\VPN\InstallerLib.dll

Filesize
300KB

MD5
1e93174e4cc1b39bf3ddad2557fe8158

SHA1
114bcd330725bd7dadc5d8e66c8a1b27d7f19038

SHA256
cc8e3961cddd038a9579c553f0f8e3dcefe4b8538fd1178b36760d4de4967378

SHA512
5a394c025faf6af491a79c506425b147463070245a7149755c0d9763c7a202beffd1f37b65e5da80f31c8f0c1008f22c216c356f495aaa5ccb0e7afa4f169165

Download Submit
C:\Program Files\ReasonLabs\VPN\Uninstall.exe

Filesize
189KB

MD5
65fd6e8daf26db729ae308c2e632198c

SHA1
b979880834004c1ed2457f6ad03b53afdd2f59e9

SHA256
0d17bfe93b1e87b4677dd84e50e81109e6c922aa42acc46e611f5ae25eb8ce25

SHA512
a0b119b9c13cd61bdc986be7409e0dfb756bd721954a75feea174ca416d7fe6645a00a9edb04fa5afdc8cb17a2d4fe1b4c8ef755daa790b13a42a39206dae60b

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.Core.dll

Filesize
343KB

MD5
ddf9ee9a360d07b60fbc4b851feb65a3

SHA1
1cf91bd007e2f01dbad4a7ead883d7f46df28c87

SHA256
141dd5cda8b1c4be1c2509bc364ad92dd8970399751482a77d8d27f97f874d4f

SHA512
30bff100a8857aed87ef21e2a885c44483576b98b96ea102fb7fdbd2d850acb725def3ed69f7743a5544a91f349e3b4c210c716aba1ed05f9b524a757925228b

Download Submit
C:\Program Files\ReasonLabs\VPN\rsEngine.config

Filesize
4KB

MD5
123b26b22fe79688a04bf3967dd57de1

SHA1
1231087136e59f4213e291ce3096eb9eab49e41e

SHA256
492dfe628ac1710f4c5c5315ade8e0325a59474ce8522ae147ab587eb001a13f

SHA512
2b26c9a20d3811f4226e29f3a0ccb584712b6d4c5b57f9720f4378b1c821f942b93c7a6508b71e6977caa0535564aac7d47124d3e63a5bf35611a2a5cd55db83

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
248B

MD5
5f2d345efb0c3d39c0fde00cf8c78b55

SHA1
12acf8cc19178ce63ac8628d07c4ff4046b2264c

SHA256
bf5f767443e238cf7c314eae04b4466fb7e19601780791dd649b960765432e97

SHA512
d44b5f9859f4f34123f376254c7ad3ba8e0716973d340d0826520b6f5d391e0b4d2773cc165ef82c385c3922d8e56d2599a75e5dc2b92c10dad9d970dce2a18b

Download Submit
C:\Program Files\ReasonLabs\VPN\rsVPNSvc.InstallLog

Filesize
633B

MD5
db3e60d6fe6416cd77607c8b156de86d

SHA1
47a2051fda09c6df7c393d1a13ee4804c7cf2477

SHA256
d6cafeaaf75a3d2742cd28f8fc7045f2a703823cdc7acb116fa6df68361efccd

SHA512
aec90d563d8f54ac1dbb9e629a63d65f9df91eadc741e78ba22591ca3f47b7a5ff5a105af584d3a644280ff95074a066781e6a86e3eb7b7507a5532801eb52ee

Download Submit
C:\Program Files\ReasonLabs\VPN\ui\VPN.exe

Filesize
431KB

MD5
2dfdd1c062fc2bec441a56a0a7458c4f

SHA1
3d3af010d6ec91d35b13f749714ffbd158ecfbb3

SHA256
acd07d3ec7a03e961eeab6a44ba499af9d879a321d59479e86e9a5a2496cf73b

SHA512
9cc835ca2c7e15dd0104f9a6c34c3257b043d2a15dea4a0eebc9b017fbc4950d9394803b374ec0855a9d2789bac46b1b813581bca9a66db62ec849c98beb9633

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
f6543796412d1466f1f7f1ba5aae02ee

SHA1
e42de6508a7de2e150c8f836c4fed931c790c4ac

SHA256
8985743f024f42292abda53eda04e89f6b5e4c127067e392266f991f037e62d7

SHA512
8adde94198e2bdcb51e6cd5e215885d0973e6fd3e3bd641e1026a53a206852b15b4c7dfd40f4a1137480be8710bd74b1eb4fc6e02c8b1a6bff30fb75bd9795c6

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
0428825a8f48ceb35f6b4b9ba42d7c6c

SHA1
666e30e8d2355bcad2b6905b362e1dff9bee182d

SHA256
a2c4d4478119e756ae6f2b4b58295ba9ee7c3ca48ba1e1bb66edf84eea4a3ae5

SHA512
345f045476fedbcc412adc1dfecbeaae7b8b3fcbff8d240e8b909e1c417c27bd5c63573e7c7ce3a064c722559e1bbb7aae32ff595a167c3077a3cf29098e0334

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
567a31eb5a5b3d5a62590c881908dbcd

SHA1
5d977aa0346d72848939499be651871ad8dcae2e

SHA256
7fdb5d5c9f47e8a13a1d6cfe116529d3f5a8f8f7eef4a57c8097510b2769370f

SHA512
dad71de0dbe56fa25d38866f4594d040644598346c75806663286a9a5e8ed850f03906a1851d3252978001b8c9acd5eec176469ae1476b04fa93087db326d4a2

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
0ceba4f21d165d39b144a34c0c501d0d

SHA1
dcefec8aee976ee8f037ae29aeb49ea0db9d31ad

SHA256
496e246c800845a54f2681fc2ba5e0c65277da57bbda576e92167dd8158b3686

SHA512
346e4e2f72255e98a52469db10a0351512f9140abcca8d8528abb3997e1e125ad90ae0b361c6ff4f4712819b61923eaaaa31906e842ea0cadccec2bd11223fd4

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
14KB

MD5
de6b80cd5f690e4d96a6bfa136b369ff

SHA1
a59c39b4639de6eaf291057df1eacc5cc7321bad

SHA256
f1dc6919844406563d1c4ded53b053d04e22aa6c08c432fb45b227f98e1c1af9

SHA512
e38ee8d29308f006af52bbd6f1ae0a92938cfac9403d35cd49d015174a3b59711087eda8acb15526c6749da1ff39ec4c1e020aca58843700809dfdf7b9579a28

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
f0c13352c597a23e2c035545ca7fcafe

SHA1
1eb0bb87cbd7fcce5d4a4960ef2ba5cb72970604

SHA256
d5ebc2f0099a8dcf91ea0f9b7eb65e3364521cdbcd5dad284107e40558b52c09

SHA512
dc25e670104f0943dee0829ea2236ddbef6b44ab56407cb2baabc2b2331b87b93fa4be0941b7179570f3eb0a95e26031644c236c73fa060d5d6671bdf0af63c9

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat

Filesize
197KB

MD5
b050b90b40b7ee4b585d0c3c1f19617b

SHA1
5333a8b7ba47fb8cbffe8b029523dd48fd104b1c

SHA256
858ae1f313d21b5c77682abf20914338c95d601dad1699cceb7318311fca3676

SHA512
4b9efb3045a44047904e170bf67451a5b6cc16784a9e7720e81ac76acdeb2363a61ea41b3fba4351571e4620e3846a9ce9b55e530c121e2811ddb5275d49cd1c

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYF.dat.tmp

Filesize
5.4MB

MD5
f04f4966c7e48c9b31abe276cf69fb0b

SHA1
fa49ba218dd2e3c1b7f2e82996895d968ee5e7ae

SHA256
53996b97e78c61db51ce4cfd7e07e6a2a618c1418c3c0d58fa5e7a0d441b9aaa

SHA512
7c8bb803cc4d71e659e7e142221be2aea421a6ef6907ff6df75ec18a6e086325478f79e67f1adcc9ce9fd96e913e2a306f5285bc8a7b47f24fb324fe07457547

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat

Filesize
131KB

MD5
8c9eae09192c0bbd53cf0bd9f4891b0c

SHA1
6dd2a82b985b82eb34c1b00af5213d6e9ecd0175

SHA256
d6aa2e414099fd7a3c083a478a0db12e314ff33cbae07564cedef5cec9e99628

SHA512
59cfc80a2017c2ca1b257662baea1012793bd554dac13e75e7caed0fea9c8a782584bbed970efd3fec196bd1dea7e0b004d6b53dc2874a969ff97617b407a18f

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp

Filesize
2.9MB

MD5
2a69f1e892a6be0114dfdc18aaae4462

SHA1
498899ee7240b21da358d9543f5c4df4c58a2c0d

SHA256
b667f411a38e36cebd06d7ef71fdc5a343c181d310e3af26a039f2106d134464

SHA512
021cc359ba4c59ec6b0ca1ea9394cfe4ce5e5ec0ba963171d07cdc281923fb5b026704eeab8453824854d11b758ac635826eccfa5bb1b4c7b079ad88ab38b346

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat

Filesize
29KB

MD5
298385f96578d6dfa04bc40cde21e1be

SHA1
ee7268b3d9c6f149c83c471948ed37c1c5bc46ab

SHA256
998e75d968f22b63f5c356d4b13036b3d497b223f57b48ca553ffa9f25464941

SHA512
e180987b311f7e72ff00b2f4520e848116e72fd5ea2cedf5af10cc78d9d7f2813dbd15704c88ce0f009c9959b2d1142a6bf4e2fba1b9c227c11724397d1e15ee

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYS.dat.tmp

Filesize
592KB

MD5
8b314905a6a3aa1927f801fd41622e23

SHA1
0e8f9580d916540bda59e0dceb719b26a8055ab8

SHA256
88dfaf386514c73356a2b92c35e41261cd7fe9aa37f0257bb39701c11ae64c99

SHA512
45450ae3f4a906c509998839704efdec8557933a24e4acaddef5a1e593eaf6f99cbfc2f85fb58ff2669d0c20362bb8345f091a43953e9a8a65ddcf1b5d4a7b8e

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYSS.dat

Filesize
122KB

MD5
3d5a092f97ca28e990483f643d613891

SHA1
b7bc1c83bcfa801cbc60b597afe26172bd3bcd3e

SHA256
a7cf36e18a7c07e4390c7b4b5e163fb642442b07dd491535eca890f7b040ccdc

SHA512
6cdce0186a875acf5dcc6838477ef60396cb19cb0164d0884bab8456960c167a93043ff4d0d32b7d0afe8d83219b0fccf8e8c966266ae0a3fbc17e4cfb3c2e82

Download Submit
C:\ProgramData\ReasonLabs\EPP\SignaturesYSS.dat.tmp

Filesize
2.8MB

MD5
55cb5ecbfd4f28299765b8d8994677cc

SHA1
04ccb36d458d9df9d5804440d0a6e9d8ca706289

SHA256
af48e00779cfa338dc3d23f0aa8da1551f4493663d9bb8edb081021979b37942

SHA512
6e82cec4d6ac962078b4bbd1d5222dc7b96da2c3a8480fcbfc0492d329c46bde07cfdab812138fad758a77ef8d913022c383f161827d29f7a019c24154a583e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
552B

MD5
fa987942c594d9fd75c1566027efa819

SHA1
4e063ff844524d447e6e9f21a4c262746a915ffe

SHA256
8ba4b0e2e7eaaa1468a874eae86e2819f5a37dc1d0531074d0ec7e970c2375fc

SHA512
bdf6e5079310771185bd4e0b152a2a8141a3283c5e7a3cfe1b155f24a8ce4bbf412f8217444fe44af365d37b3978fe3fbaf88ebed1dc609273aaf492d19e49ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c957ea31ee45737640ff30e837c1f253

SHA1
565cba67fc07f5a356055e26ed2e6d5edd2ce03a

SHA256
c46d2a548cfc665c409f51413a5e1e09bff4f7ee89e5847e277068acde69efb6

SHA512
988b81c98b6b355e88e58686ae3fc8e437f79c933da918f6521dd22d955947afd1f8f565ab1e097422b74a00388216e91771adffcf5fdd5add118dd502e2ed3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3c44006af989c6e537c3ca15e4ef5921

SHA1
510c4968da719f4c46d22c71d284b135eebc16e1

SHA256
697321c167eddc5772f97385a48aaeb90ddf02e34a7c4dd889eaee1e4bcd13db

SHA512
eec89a8dcd7c431006ce1dcc19fb27e7512c788019d2c23a73f3bec577e1380a4ec4c6b2906faf7df4e83c8374da04d91f1b8ec7f53bdfe2f06edef058b2226b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f61b928c8c12431ba22c094cc0de1971

SHA1
bb0ebbf463deb8232d8c7460b92258e1d0e00a85

SHA256
95867594af726728bb0e40ee2701bf5f2c133a7c4f3f1805c48666a0cc314a1a

SHA512
fec8445ccd769e1903e381e5014d19085d348fe4d3e53f5627f3918dd7dc04f40128b82222a1e5c3da6145683d518d41d86d8d49eebd5b7526c015da9189dc6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
27KB

MD5
3faac463bf71024cf748852751d59587

SHA1
a6a3e49f5a59c399c4bd83ae53d037df664e0715

SHA256
82d00911bafe06ec9e34314596b15aa3d7aff2738468a84fd1e7391ac78c3d79

SHA512
b43d810c30ffdbbc25b41e2af4bbb421a3158bb74340c0a1a60eb8e24438ea164a136fff25c7d2f0d7b9d658b6e06e071db96eede458cd8253cdabdcb8a29120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\32cadb2b6d359d069dd3f3d132c212a43d223701\index.txt

Filesize
99B

MD5
b30cabb7f48e54067f96807bb39f83c6

SHA1
9cad0cc9f50c3037576bb8242d1f33ccdad10dd3

SHA256
28a164dcbdb40ffae4af7f90d5838038257c73e0f305cd8d8fceebeac605f1db

SHA512
c63a06aaf9ce923a52f665d5ddc1946c294fb261b2ef0dac97077beb3e8eb271984c6015dfb0cf1a62eb29c39af80895c2e4e741b9916460bc426467119665aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\32cadb2b6d359d069dd3f3d132c212a43d223701\index.txt

Filesize
35B

MD5
343859b4ad03856a60d076c8cd8f22c3

SHA1
7954a27de3329b4c5eefd4bdcb8450823881aad6

SHA256
8c79b653c087618aa7395d5e75198da7d3b04c08654c39e56b1027f9ef269c2f

SHA512
58014a4e7f2b4b0d446fae3570196b8fb95d0d1b70bdab0dd34a74d6c62cd8d7ca494a486f19c1a829988a3af83a08d401f18d1769ce1799a02ee09807234254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\32cadb2b6d359d069dd3f3d132c212a43d223701\index.txt

Filesize
99B

MD5
bc3f8f9d192bf9c9c8abeef0fa7c56e6

SHA1
cc289c451537b4614ca4307188633d2463ed3dd8

SHA256
180b7f0ace95428ed7452960028ea53c14943caa7bf912ff49c59e225de6f27e

SHA512
edbc5fca840ac0ad166828d2d64d02f7e293243142bc33889cd32a61131671da419cf9126673f12bf37e9bc86629afc8d646a15f27e6f00a07d25ad268327ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eba2c07e67378603d4061d9aab259bff

SHA1
98c3979d4400cc86aa3d2a1484e3be5c1712e83a

SHA256
9453442868f35c1326ec8e0a44b38b19aa6dea6dd25aa5e7604ff6d7138d5f9d

SHA512
7fe60553075bc15dbb0613aa3c261f7073a6a457f0a236d1b75774b519d9e2fc23bcb2b29090449acfcc0c59c596a43f7e0e28097a896aa7b7184d2a6effb941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
cdc5465354cf36fc03b01bdf754f49b5

SHA1
eecd8e23a0df014b1c3ef69fe4cd9642106f3285

SHA256
42762a776876eb1122a4d4f207042b0d467c91e919d3580007b6dd0d21b317b5

SHA512
fb24a3107309e6eb79611d8d4e32c00db9997e58df18ba7e55bf84a4b9aa5786ce815d721f2d215ce74e23349a57e34606f0615fb738aaf092f013cd305cf7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202501242303401\additional_file0.tmp

Filesize
2.4MB

MD5
f197f4d2d50205236436fbbcf02e79b7

SHA1
e83fad0c2b93d023c78aed539709bebbeaf1c2f0

SHA256
caa17367382012f5bd23d519323470abdca96fc6e9ef2a89608bb92dd1c314c5

SHA512
fe332b56a021d029e443ef84b804f808fb469377e07527d875ce6ea018ade84ffe7de128f43094fcd8c6abcacfbae9ab886d3813afbc18edc637aaba49068e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS010F5488\setup.exe

Filesize
5.5MB

MD5
87f7ed90616d28b28a59f29b18a1f51c

SHA1
630db6efa8215bd982884edd6b24d623d4d23209

SHA256
55a20ef1ca035dd9be08c04ae88dde7b1ce4be664d3dcb63fb1b3b0d43b4fc6f

SHA512
0fdcee568ae27185f02cf2f70ce3f69ff25db238fe157e80004b8f8eeed8f0a7dcb19d35476f54619939b8bf29abad2acc7336f727006979d447c793808281cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\50c7a8c3-1933-4387-92d2-d2aa546b6a22\UnifiedStub-installer.exe\assembly\dl3\227196bc\4bda1b67_b46edb01\rsLogger.DLL

Filesize
184KB

MD5
fc8de051d985a692bb9ad325e6e14a8f

SHA1
81489f398b5d4b5ebd4c1ce7efe756c4bd85cec2

SHA256
631d0bc5853178aa266c4209858202399c98eb4519048e41b3bea664250637fc

SHA512
725f239ceb41ca50806f565c34e0258a15ee1b5ce69233c9c88faae02e7eee6af57b9aaa973ffc6d375294eef3fad49c8bb75e1b6997fe9a48c23f71188d00f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\50c7a8c3-1933-4387-92d2-d2aa546b6a22\UnifiedStub-installer.exe\assembly\dl3\54d96ee9\5972dfdd_924cdb01\__AssemblyInfo__.ini

Filesize
176B

MD5
2d48ccf3e183af56136460486be9c94c

SHA1
7ab0fd82583d7ba7e680e100fd91874e33f6d024

SHA256
06310d5aa16f5aa11b9807f737fd9836d222a9a1c300ca59175e48092afbc921

SHA512
bfa0aca82fa0a01020a37f8074b4f520cdf4f2b5c5df41abb6e9daa1a1edab614844e3de7217b4365ff97942eafefedc794f4b5e63eadbedc5003b125b254cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\50c7a8c3-1933-4387-92d2-d2aa546b6a22\UnifiedStub-installer.exe\assembly\dl3\8a3de286\4bda1b67_b46edb01\rsJSON.DLL

Filesize
221KB

MD5
e6d26ca0d1d41e2c34c254a0c3d94121

SHA1
f33ef0924d016740dcc48b457355d6edb9602300

SHA256
ae36f8f0985a5e0c8a0dbea7972ad0b6df9d0a446adbd7bc8a11bd2c62f60256

SHA512
b9fed47e4bc61c2133d9e5222feb2284cba78ddd7eefdaaafab34477b84598617a3dd59b90d10192ee61730f8e3b3135cea4f2f41ec790f4300ad2b53a0be412

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\50c7a8c3-1933-4387-92d2-d2aa546b6a22\UnifiedStub-installer.exe\assembly\dl3\dd2e8d23\4bda1b67_b46edb01\rsServiceController.DLL

Filesize
189KB

MD5
4f4525778ccc5a7c3ee2b09021e463fe

SHA1
badd0ebb7d42cb50d670bfdf1f230c97618e9812

SHA256
db698b7d02151014f4d7e53354440736e328aaa12a848973559e37c360189a76

SHA512
a182115ff0297229948acf7f3591f5cacd7eb7ef7d891821ace686c526781c1a002b34570b1946d100e0022b73e01e8b39be2c176cf9b1d6d229b6ce398350d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\50c7a8c3-1933-4387-92d2-d2aa546b6a22\UnifiedStub-installer.exe\assembly\dl3\e388ff0b\ab161767_b46edb01\Reason.PAC.DLL

Filesize
173KB

MD5
66c5f34612aef14b2abac077089f3f2f

SHA1
612ad4d44eb0cfefe11eb33e210732a2a6cca0de

SHA256
93a29ba3f1a7c065376019fbf002a0e8e18876b58e9fef46eec0170ce4cb719d

SHA512
c59580c24bce84dbaaa3ffd8bd9f245411a0f5d273652d6a320c069ed4ad1fe3ba29984c58692de188ab3529d8e53d292a171cdc41ce9c31e11726a614ac4a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\6f676fd6-5251-4136-a91e-b88e422a13ee\UnifiedStub-installer.exe\assembly\dl3\3598c912\dd5e1f59_b46edb01\rsLogger.DLL

Filesize
184KB

MD5
cc6bc0d521dab3ad83afd3631756b51e

SHA1
7a5d04946d482e06ffc01703cd55968e1dc285b4

SHA256
7b7dc854442205ee212a7423096ed6fd0e2e4aeb501448beaaf1cbbb098d2ca5

SHA512
856a25832f519e8bbe5306d62443abf66a03a56d74d91423410add9daeb77b4af4732b6a9016ae208e67a8ecdf8824126dc7b18bce396b9d4e30789ea2b865bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\6f676fd6-5251-4136-a91e-b88e422a13ee\UnifiedStub-installer.exe\assembly\dl3\60e2c35b\dd5e1f59_b46edb01\Reason.PAC.DLL

Filesize
173KB

MD5
ab5f04321043cbc7f8454dda389c7f6a

SHA1
efb63c9ce2112d5a341196c1aebfe969b4176caa

SHA256
7d8f53999c172889160132c710674522768a792946ddd8e10858489fbdff98f1

SHA512
3469cac287a5d0d99359fb8e9ad267acd97c278033c5df3d0c7d49f17126ca135238ba1fe72995baad8b87a338af781740444621db10e72828845ac46aedaeec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\6f676fd6-5251-4136-a91e-b88e422a13ee\UnifiedStub-installer.exe\assembly\dl3\eb81f27d\dd5e1f59_b46edb01\rsServiceController.DLL

Filesize
182KB

MD5
2c66dd48d4ed60966833c1fb2a6303f1

SHA1
113162868af92263cf30ac9fc48e2c66d1bfc052

SHA256
c1ce03e36099c07e3e556f136a4054e55078284028dc2a7708468166058834e7

SHA512
ec573517d9237d7bc76225a94ad24ddbe8c3bc0b052d76894a5191c35053712112058514a315e47017afda505e3cdfce2e7ad7ae4f8058351c914136a1034e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\6f676fd6-5251-4136-a91e-b88e422a13ee\UnifiedStub-installer.exe\assembly\tmp\Y2XKM0FU\Newtonsoft.Json.DLL

Filesize
699KB

MD5
b91a440971f3c9b6731ac4e832bcc646

SHA1
17952983caacfbaabbffb142c37fa55a5598474f

SHA256
04fcae680d634c3e4a6c37f5ea2cd9fb30869be1211cead7a2d7407d213fb136

SHA512
b3c6b1ea97dd6fa1cee0d303a459d3592b6300d6304c78033e082cb6136d1d5217911b5b0864a717e5534b1b92bc06335a4aaea62b8cc857a7495dccb1d6532e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\UnifiedStub-installer.exe

Filesize
1.0MB

MD5
2dee8fdc13496591f9a6062716713da9

SHA1
98635af8dda9ce103f0e562ea3f74d3894208eae

SHA256
2656bc7e9dc763723185b043bd2f2d34520802cec40f8284b23a92b85bef9355

SHA512
7f370e6a65461bad1ff7e6d20c69dc3a6916013b457892fd7ff733dd96872e2012f6cce8d9f2c29c71341b70504cc74072747c656bd909508caca96822e95119

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\a7385cfd-52ee-4f95-bcb6-2946d8a56659\UnifiedStub-installer.exe\assembly\dl3\1c72f876\fbdb1d50_b46edb01\rsLogger.DLL

Filesize
190KB

MD5
31952a4ea85485117283febda5b02586

SHA1
9b1ca14a4763c7343969be4bd9b52157a2de008e

SHA256
f870177eadcc0b2b1800d2e1cfdc7f33cc3e340d258dd598c0d747d2bdf019dc

SHA512
b1b9b0d7dd1734f2b31ae00a39538eec163884bd40dea15dea8c5bc636445ff73f1df83e647a30ec397e02f807ae8602bc185c0c2f6d92035e570492e28adfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\a7385cfd-52ee-4f95-bcb6-2946d8a56659\UnifiedStub-installer.exe\assembly\dl3\34018649\be022550_b46edb01\rsServiceController.DLL

Filesize
190KB

MD5
8ae26e9f3e5ea4141a369077ae1254f7

SHA1
d2205c9c2e6a94f57101bf2db86d52bd6354d608

SHA256
76e7dfb340bdc1df7a3936e6a1be2a311ab1e5e172d07fe8172095630e17b3ec

SHA512
44c1e8cab28b7f97a783e66b6d8a908a5b08c61fe25946dba678b2ecd047ef50842032944b7808079127d07059ab085489fd9651c1c248c242e8fc29386a3617

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\a7385cfd-52ee-4f95-bcb6-2946d8a56659\UnifiedStub-installer.exe\assembly\dl3\a28c7963\e78d0f50_b46edb01\Reason.PAC.DLL

Filesize
172KB

MD5
575eb8d7d96ffa6a1a0e6e4d5c3f2bd6

SHA1
2cbec01646565e796107309f412b6c168fd18ceb

SHA256
b0d8128606f3252da30061c7d254fd6253d21bfe6d557193448ef54ef8f3dc3f

SHA512
91d1ca08d2e79ad49668821b6c4eb3d3bbfd95804052a10415450ee31305a67d8e3d76c7b575c26d195695c2127dcd58f426af4f4903901e52bb4816f4cc99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\a7385cfd-52ee-4f95-bcb6-2946d8a56659\UnifiedStub-installer.exe\assembly\dl3\d276301a\fbdb1d50_b46edb01\rsJSON.DLL

Filesize
221KB

MD5
340072b8102fe1aaff19529b911b6ad6

SHA1
597a7f9549971db2ece809413e18f7ec6e38ced2

SHA256
a70dee00c9d360e934475d757b3e7aba26ac64219f5013b50567424e8973b2f6

SHA512
79d73faafd5a7c7029bc7d5709e40f8560497b0cb32ee9b3e6c851d18a95f51b28b09f1a5a1dcab723ed5a03731e485e45d991378a0056d2e4ab51633f52f8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\rsLogger.dll

Filesize
188KB

MD5
300d10b8ef710d8dc2c027f5a68ef2a3

SHA1
726912345e215dee4a21e0dde4ceed6e7148a4b2

SHA256
da49551cae8273258b40f74549a12a5d619fb97fd99c0213faf592e48fec2105

SHA512
9e15252cecd685cbc25213d561996e8309f98bee2f772ef7aa493ae6f2b2512409eead8da06f1a91bcb42f929c0e73a040f252a7e7b97bdd6efa65189918b410

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS41FAB198\rsStubLib.dll

Filesize
277KB

MD5
19ea24b275cf176f635fb2b827b9eab9

SHA1
ed0171bd2d3cd0129e34aa8181ed31f7cd18e66f

SHA256
820fa960ae79423dba007f2c15610fd398c213de2be1d2e12c25f3f2f6208a9b

SHA512
5901015f86cd6c05a1eca43c9d29815aaec293e5831221af957b9655e9b1253125631d4e1ea8866d2b6aae8a05fcb386fa548d1e7150be53ab30b00784fded72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{C35B2462-5202-4D9E-BA6E-8FA71291C6C3}\ADDRESSES.TMP.FILETEST

Filesize
28B

MD5
b6d520474c5e852738d57bd6249b22b6

SHA1
c0511c70f85357ae6011b46a55ab51d15d114502

SHA256
029e56ad5c2da0b8f305c3c2ad73204822e5f64e1aaea803bfd3fbc57bd47e91

SHA512
b2807d55711acf86adc2b347f5edca567e84c9be2c2da48d68788b8cb30a991584d9a626b2af40a72c632625b05c62a8647e0edc119717b85b63d2224f5e41da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_250124230336384808.dll

Filesize
5.0MB

MD5
6f809bbbe1275e1e71427ff63165fcff

SHA1
c2a1726e038fbf7c583b0bb5faac91829dac7ba8

SHA256
51d12738523cabf3b96b9bed29ff882a36233a59c97a01e691552c547f0d733e

SHA512
dad32cfc4d04540c00d5f184c2c1d9b96b391acf563818490426f5e6051722a81a8f35e73142d79599c2c557fc78de5680481c1b47749bcda99148cbd273c2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FiveM Hack V1.exe

Filesize
25.9MB

MD5
ff96f2cc9bb0e983f2cc7507e4ef2ac9

SHA1
4bd152be16651f69db0df76e7af0024f9ebf28d5

SHA256
a09a8265d885b78ba09912dd4a5531ff1754989ed9424b8e33e0b1a404215e37

SHA512
bc5c0abfd7dc7bb0db83c2c1cd87f6514f9bf5da5ed7036e64d80baae97828d4417432128cf96a274bf359c0c8d267e77e48793f10deffd2aa6b62569136e863

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\CheatEngine75.exe

Filesize
3.1MB

MD5
609fea742d34dc1d53f0eeb4873b1a0a

SHA1
3232c52da3cb8f47a870162a35cdd75fcae60aea

SHA256
e2e15826b69778e381f25ac8f2b109a377b23f7cf79b5f482e81f4d28c30f95e

SHA512
27da89901268d153fd7158162fc8f2f3b99ec9a4aa24c281f93b500466552af776b00f0a33182386a62934c3e553561cbc23d3f5ebb0ea0366c04e046e1bcc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Client.exe

Filesize
31KB

MD5
fcbf5b75ec9a1d8b94ba124211ddfcd4

SHA1
b332dbc86f5b4ad20b4f6346f839ded949e5e48c

SHA256
90acd35563ad1b3bbb0b20b8e390eb1b43f39a02397fdfe69738fbd98d9d749d

SHA512
9cfef0a42ec78376a988c421c9350d097895dadf9e5f85833d22c29e17818fd17552278aae5e1f704e4703544d3d7caaab0fd69944c8fcc60e2019760928a6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Rename_Z60IHLDjO6.exe

Filesize
37.2MB

MD5
62b8cb69f7c3ce2c5a843a8fa66b580f

SHA1
5f0440dface4bb25bbe3ee0a7dc7223b36eca37a

SHA256
8c586ec7de39427fa8fc2480c10eb2e04728793e2033e3103ed140f1b4cfb535

SHA512
ffc19d8d3f5cd6be99065203e5fc59ad993122c9bab91c243f62390e2aff6b710a63fe0c84776822fcd5ab195eb6cfa94ed7275d0ba336d50fa32afb26141e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

Filesize
23KB

MD5
716ba39c8bd18c0951556f003a3e0265

SHA1
9e1b07c0b856e79578819ba0189f612c318e5397

SHA256
a48829328e55cdc5eb657cf372c680a1ffee282b25503997ef1aa00948ae6d6c

SHA512
f654b52c049d64aee9019ca33c235dc9c50f8d4bfbec1e74a3cd5d0f0530573b01ca8db7518379d8a10675e1234bf8bb349a3b5196ca184d9e3b6ad0b81a239c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee84c2ca-ad04-416c-92ae-b5675b6ebd17.tmp.ico

Filesize
278KB

MD5
ce47ffa45262e16ea4b64f800985c003

SHA1
cb85f6ddda1e857eff6fda7745bb27b68752fc0e

SHA256
d7c1f9c02798c362f09e66876ab6fc098f59e85b29125f0ef86080c27b56b919

SHA512
49255af3513a582c6b330af4bbe8b00bbda49289935eafa580992c84ecd0dfcfffdfa5ce903e5446c1698c4cffdbb714830d214367169903921840d8ca7ffc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0jncbrq.exe

Filesize
2.4MB

MD5
8315daa24bb9f05c1e6163fa86a11a4f

SHA1
033d56632127c54e6713c8105dba9cda171b33cf

SHA256
10127b27a28912be03cc01e634b9c12f0f25766954d39d9d8f924cb83561c41e

SHA512
7a7430d01f5254b7f8f89c9f667cb7d2c875943c46bca978cd52499730a62e6f04ee841be9e1917208519d440bc83f53bde97ab8a021b5b8277b860d8150ddc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\CheatEngine75.exe

Filesize
26.1MB

MD5
e0f666fe4ff537fb8587ccd215e41e5f

SHA1
d283f9b56c1e36b70a74772f7ca927708d1be76f

SHA256
f88b0e5a32a395ab9996452d461820679e55c19952effe991dee8fedea1968af

SHA512
7f6cabd79ca7cdacc20be8f3324ba1fdaaff57cb9933693253e595bfc5af2cb7510aa00522a466666993da26ddc7df4096850a310d7cff44b2807de4e1179d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\Opera_new.png

Filesize
49KB

MD5
b3a9a687108aa8afed729061f8381aba

SHA1
9b415d9c128a08f62c3aa9ba580d39256711519a

SHA256
194b65c682a76dc04ce9b675c5ace45df2586cc5b76664263170b56af51c8aeb

SHA512
14d10df29a3bb575c40581949d7c00312de08bb42578b7335792c057b83ab2878d44c87042bbdb6ec8ceaf763b4fbd8f080a27866fe92a1baf81c4f06705a0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\logo.png

Filesize
258KB

MD5
6b7cb2a5a8b301c788c3792802696fe8

SHA1
da93950273b0c256dab64bb3bb755ac7c14f17f3

SHA256
3eed2e41bc6ca0ae9a5d5ee6d57ca727e5cba6ac8e8c5234ac661f9080cedadf

SHA512
4183dbb8fd7de5fd5526a79b62e77fc30b8d1ec34ebaa3793b4f28beb36124084533e08b595f77305522bc847edfed1f9388c0d2ece66e6ac8acb7049b48ee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod0.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod0_extract\installer.exe

Filesize
22.8MB

MD5
c2ccb9b9b134d57698d56a43a39d51eb

SHA1
18fd45fb1ecbe0205d570605a9d99392d2454335

SHA256
2c5fb7aac08d2ab67d600921ee8e82ccb9216f989260838e850208ab2bfee46f

SHA512
1e26c7e78fc464c9159a02f4acbea3000ff570064f769e596722d48d041053f2891a8c15c0b85017fd0e9949d31de9ac8cef772a17eef0db29cff237f56cdba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod0_extract\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod1.zip

Filesize
2.1MB

MD5
124026b844538dc89d3927536e9041f1

SHA1
9ecfa235859c68fed8873929eed69ccadf36e465

SHA256
cbb1080c3ee496b81b667295080b7d83dfb897bb7fc37045fa99b74a8e8c2d4b

SHA512
8833d39f33cae5ef11f68de50d7a0138994274426b15d1abc5ee2efd5d9a31611705d8701ca5408d72b895a9b79bd502a779104551181a026c46b42938f6b569

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod1_extract\OperaSetup.exe

Filesize
2.1MB

MD5
4070ff0ebad6c2085bb327d929c58218

SHA1
53044a262a1e17bd990199b35e91a2ba4abfc970

SHA256
ddee2639f4f4baf7fe65bf6431de23f3aa75999500ff0ad58e5e1f6062d523df

SHA512
7802e8a3b9fd731aedd28508efe0c4a6ca0f553b8d1dce8b5e472204c110d74afa4c7674e8289a48bc448178867dd0cef25846bef573589b8012bc44a4cb5c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\prod2.exe

Filesize
32KB

MD5
34993f00cf2bfdf9a9750d371d106301

SHA1
7ece3b7700e04ec96cd3dcbe85fbe5769c061b87

SHA256
7c6b0b11a37b4c5a168e86cefaf95e6aa3205ae7c6b87c33da5d33ae06d0e8da

SHA512
af6d653ede37372e79c2a2f068304bd95372baaccf2da7715534246a939ffe53f83d16c2362c51e5ec6a52e20210b8336e4551ec6f8f0f9b7ede20c12f33f508

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GEBNA.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
fad0877741da31ab87913ef1f1f2eb1a

SHA1
21abb83b8dfc92a6d7ee0a096a30000e05f84672

SHA256
73ff938887449779e7a9d51100d7be2195198a5e2c4c7de5f93ceac7e98e3e02

SHA512
f626b760628e16b9aa8b55e463c497658dd813cf5b48a3c26a85d681da1c3a33256cae012acc1257b1f47ea37894c3a306f348eb6bd4bbdf94c9d808646193ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTMOE.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
9aa2acd4c96f8ba03bb6c3ea806d806f

SHA1
9752f38cc51314bfd6d9acb9fb773e90f8ea0e15

SHA256
1b81562fdaeaa1bc22cbaa15c92bab90a12080519916cfa30c843796021153bb

SHA512
b0a00082c1e37efbfc2058887db60dabf6e9606713045f53db450f16ebae0296abfd73a025ffa6a8f2dcb730c69dd407f7889037182ce46c68367f54f4b1dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O8LU3.tmp\CheatEngine75.tmp

Filesize
2.9MB

MD5
1cdbf6da4defe32c9cb5908968a02fab

SHA1
d1a5eb2928d718d7a1517187f523c701c141b659

SHA256
87c1bb2236a874c97369b2cca0d55559fa917707cebddf7a5eabc691f8302487

SHA512
215697cae7ec2ba27fbc0b9208cb8676e27d21e55e0184fc68cbd1c1bd57863daf29348ea677e97af84628800ba15e6db884df872c3adc673a3cd7faed2888b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwaD4C0.tmp

Filesize
161KB

MD5
662de59677aecac08c7f75f978c399da

SHA1
1f85d6be1fa846e4bc90f7a29540466cf3422d24

SHA256
1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb

SHA512
e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
c047e14a7b3356e8453580613b218213

SHA1
8bea40b714d1b7d6f1a1ff64ea490c7074ac8ea1

SHA256
fc98f16615b039832f04ff6d4703f8d1b3678f232364db0f76318cf1fe6eb0ca

SHA512
be724924ba73398bc9ba1efa685a79d10d868a64797896169c3b6b2d4e44c1cb72a27205a9d7802acff99834574b09c97f3d43af282f1c27f335c8d7719ccd3d

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\DNS\Network\Network Persistent State

Filesize
500B

MD5
47c4acbb915b4bbc48e4ce3bcce1945b

SHA1
b28aa539d7439ee633732e9b179e2b68abac822f

SHA256
e236dab2ebb658387b92a0fe5c8f03ac6a07ab8501649b781f256f9f2330740c

SHA512
fe1cd15ed1e149e3733c040473a9e5e559f167fa95064453f8e9109ab38c6a3e00844cda8837fcbeb40d162c5be79337ff6becff52cdee76dd307a207555a02b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\96c10776-0fa5-499d-b910-450cfdcf7080.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\Network\Network Persistent State

Filesize
300B

MD5
04a5f586ffb5092c98cd4cdc121f9300

SHA1
e81838010e1272e0d7b6c2b0c2b91458bc9061a7

SHA256
d10f118b9b45143b6e506a257ab98ea0fc26298b0ab44a1a6fded13131e7d780

SHA512
e7a7ed4d5ca4140064d97e0c195fa01cd4a7614c044bb79107b467c8d234ceea8cd67e6557398845336d0aa711db8d676cd1324a75d1bb71091696ec1fd0a602

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP\dfedc017-c025-4c69-839e-aa31b30565bf.tmp

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Network\Network Persistent State

Filesize
500B

MD5
b5db9505e08bc875ef4dcedbaadfe744

SHA1
84a7b5b2696257c6ec62c528eea121c05c653972

SHA256
80507352b6ed54072d81c95ef9b2ed2c1808c09244931d5b9eeeec3d4c1451a9

SHA512
2c83073b8f264df2d62d7e333ec8ffa126071f3716cb9d6819847a5e5bfdbf1c646d3c7b784168de2c8d32fd41f545a20b3eb14f6a9ab8028e32b3334ad0482e

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.20.0\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.20.0\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.20.0\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.20.0\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.20.0\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\ReasonLabs\VPN\Partitions\plan-picker_2.20.0\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Windows\System32\drivers\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
memory/220-542-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/220-205-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2332-630-0x00007FF705410000-0x00007FF705420000-memory.dmp

Filesize
64KB

Download
memory/2332-536-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-633-0x00007FF705410000-0x00007FF705420000-memory.dmp

Filesize
64KB

Download
memory/2332-620-0x00007FF6C1FD0000-0x00007FF6C1FE0000-memory.dmp

Filesize
64KB

Download
memory/2332-574-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-576-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-581-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-573-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-632-0x00007FF705410000-0x00007FF705420000-memory.dmp

Filesize
64KB

Download
memory/2332-572-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-571-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-570-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-578-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-607-0x00007FF6B3730000-0x00007FF6B3740000-memory.dmp

Filesize
64KB

Download
memory/2332-533-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-666-0x00007FF705410000-0x00007FF705420000-memory.dmp

Filesize
64KB

Download
memory/2332-567-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-534-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-579-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-565-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-535-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-575-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-538-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-667-0x00007FF705410000-0x00007FF705420000-memory.dmp

Filesize
64KB

Download
memory/2332-629-0x00007FF705410000-0x00007FF705420000-memory.dmp

Filesize
64KB

Download
memory/2332-563-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-668-0x00007FF705410000-0x00007FF705420000-memory.dmp

Filesize
64KB

Download
memory/2332-580-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-544-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-545-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-583-0x00007FF6DB730000-0x00007FF6DB740000-memory.dmp

Filesize
64KB

Download
memory/2332-628-0x00007FF705410000-0x00007FF705420000-memory.dmp

Filesize
64KB

Download
memory/2332-558-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-594-0x00007FF6B3730000-0x00007FF6B3740000-memory.dmp

Filesize
64KB

Download
memory/2332-612-0x00007FF6B3730000-0x00007FF6B3740000-memory.dmp

Filesize
64KB

Download
memory/2332-548-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-669-0x00007FF705410000-0x00007FF705420000-memory.dmp

Filesize
64KB

Download
memory/2332-611-0x00007FF6B3730000-0x00007FF6B3740000-memory.dmp

Filesize
64KB

Download
memory/2332-551-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-609-0x00007FF6B3730000-0x00007FF6B3740000-memory.dmp

Filesize
64KB

Download
memory/2332-577-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-556-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2332-555-0x00007FF6F37A0000-0x00007FF6F37B0000-memory.dmp

Filesize
64KB

Download
memory/2736-58-0x0000000006380000-0x000000000638F000-memory.dmp

Filesize
60KB

Download
memory/2736-71-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2736-372-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2736-72-0x0000000006380000-0x000000000638F000-memory.dmp

Filesize
60KB

Download
memory/2736-96-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2736-97-0x0000000006380000-0x000000000638F000-memory.dmp

Filesize
60KB

Download
memory/4184-70-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4184-31-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4236-176-0x000001DF9AE80000-0x000001DF9B3A8000-memory.dmp

Filesize
5.2MB

Download
memory/4236-175-0x000001DF80510000-0x000001DF80518000-memory.dmp

Filesize
32KB

Download
memory/4344-5448-0x0000016B75130000-0x0000016B7513A000-memory.dmp

Filesize
40KB

Download
memory/4344-5447-0x0000016B75450000-0x0000016B75466000-memory.dmp

Filesize
88KB

Download
memory/4344-5451-0x0000016B762A0000-0x0000016B762AA000-memory.dmp

Filesize
40KB

Download
memory/4344-5450-0x0000016B76280000-0x0000016B76288000-memory.dmp

Filesize
32KB

Download
memory/4344-5390-0x0000016B73880000-0x0000016B738AE000-memory.dmp

Filesize
184KB

Download
memory/4344-5393-0x0000016B741C0000-0x0000016B74272000-memory.dmp

Filesize
712KB

Download
memory/4344-5443-0x0000016B74E70000-0x0000016B74ECE000-memory.dmp

Filesize
376KB

Download
memory/4344-7072-0x0000016B77910000-0x0000016B77918000-memory.dmp

Filesize
32KB

Download
memory/4344-5439-0x0000016B75160000-0x0000016B75450000-memory.dmp

Filesize
2.9MB

Download
memory/4592-7027-0x0000018CE8B60000-0x0000018CE8C12000-memory.dmp

Filesize
712KB

Download
memory/4592-645-0x0000018CE7FE0000-0x0000018CE8038000-memory.dmp

Filesize
352KB

Download
memory/4592-7040-0x0000018CE8AD0000-0x0000018CE8B00000-memory.dmp

Filesize
192KB

Download
memory/4592-3386-0x0000018CE8AA0000-0x0000018CE8AF8000-memory.dmp

Filesize
352KB

Download
memory/4592-7050-0x0000018CE8AD0000-0x0000018CE8AFE000-memory.dmp

Filesize
184KB

Download
memory/4592-5084-0x0000018CE8B00000-0x0000018CE8B3A000-memory.dmp

Filesize
232KB

Download
memory/4592-7063-0x0000018CE8B60000-0x0000018CE8B90000-memory.dmp

Filesize
192KB

Download
memory/4592-377-0x0000018CCDD10000-0x0000018CCDD58000-memory.dmp

Filesize
288KB

Download
memory/4592-3353-0x0000018CE89B0000-0x0000018CE8A00000-memory.dmp

Filesize
320KB

Download
memory/4592-375-0x0000018CCD7F0000-0x0000018CCD8FA000-memory.dmp

Filesize
1.0MB

Download
memory/4592-5095-0x0000018CE8B00000-0x0000018CE8B32000-memory.dmp

Filesize
200KB

Download
memory/4592-5105-0x0000018CE8B00000-0x0000018CE8B2E000-memory.dmp

Filesize
184KB

Download
memory/4592-640-0x0000018CE8040000-0x0000018CE80F2000-memory.dmp

Filesize
712KB

Download
memory/4592-5119-0x0000018CE8BF0000-0x0000018CE8C22000-memory.dmp

Filesize
200KB

Download
memory/4592-541-0x0000018CCF520000-0x0000018CCF552000-memory.dmp

Filesize
200KB

Download
memory/4592-641-0x0000018CCF560000-0x0000018CCF582000-memory.dmp

Filesize
136KB

Download
memory/4592-642-0x0000018CCF5B0000-0x0000018CCF5E0000-memory.dmp

Filesize
192KB

Download
memory/4592-5693-0x0000018CE8A00000-0x0000018CE8A4E000-memory.dmp

Filesize
312KB

Download
memory/5420-5358-0x0000020CC4CB0000-0x0000020CC4E70000-memory.dmp

Filesize
1.8MB

Download
memory/5420-5359-0x0000020CAA4B0000-0x0000020CAA4DA000-memory.dmp

Filesize
168KB

Download
memory/5420-5356-0x0000020CAA4B0000-0x0000020CAA4DA000-memory.dmp

Filesize
168KB

Download
memory/6436-5185-0x0000028BB5340000-0x0000028BB56A6000-memory.dmp

Filesize
3.4MB

Download
memory/6436-5186-0x0000028BB5150000-0x0000028BB52CC000-memory.dmp

Filesize
1.5MB

Download
memory/6436-5188-0x0000028B9C6A0000-0x0000028B9C6C2000-memory.dmp

Filesize
136KB

Download
memory/6436-5187-0x0000028B9C650000-0x0000028B9C66A000-memory.dmp

Filesize
104KB

Download
memory/6760-5157-0x000001D273F40000-0x000001D273F7C000-memory.dmp

Filesize
240KB

Download
memory/6760-5142-0x000001D273AB0000-0x000001D273ADE000-memory.dmp

Filesize
184KB

Download
memory/6760-5156-0x000001D273EC0000-0x000001D273ED2000-memory.dmp

Filesize
72KB

Download
memory/6760-5143-0x000001D273AB0000-0x000001D273ADE000-memory.dmp

Filesize
184KB

Download
memory/6940-7095-0x0000017CBF030000-0x0000017CBF06C000-memory.dmp

Filesize
240KB

Download
memory/6940-7077-0x0000017CBF030000-0x0000017CBF06C000-memory.dmp

Filesize
240KB

Download
memory/6940-7106-0x0000017CD9630000-0x0000017CD9662000-memory.dmp

Filesize
200KB

Download
memory/6940-7107-0x0000017CDA5F0000-0x0000017CDAC08000-memory.dmp

Filesize
6.1MB

Download
memory/6940-7108-0x0000017CC0E30000-0x0000017CC0E54000-memory.dmp

Filesize
144KB

Download
memory/6940-7134-0x0000017CDA340000-0x0000017CDA572000-memory.dmp

Filesize
2.2MB

Download
memory/6940-7105-0x0000017CBF4A0000-0x0000017CBF4DE000-memory.dmp

Filesize
248KB

Download
memory/6940-7085-0x0000017CBF6A0000-0x0000017CBF6F8000-memory.dmp

Filesize
352KB

Download
memory/6940-7081-0x0000017CBF470000-0x0000017CBF496000-memory.dmp

Filesize
152KB

Download
memory/7472-7188-0x00000258BF710000-0x00000258BF73E000-memory.dmp

Filesize
184KB

Download
memory/7472-7174-0x00000258BF2D0000-0x00000258BF2F8000-memory.dmp

Filesize
160KB

Download
memory/7472-7178-0x00000258BF360000-0x00000258BF38E000-memory.dmp

Filesize
184KB

Download
memory/7472-7182-0x00000258BF770000-0x00000258BF7CE000-memory.dmp

Filesize
376KB

Download
memory/7472-7166-0x00000258BF250000-0x00000258BF290000-memory.dmp

Filesize
256KB

Download
memory/7472-7162-0x00000258BF1C0000-0x00000258BF206000-memory.dmp

Filesize
280KB

Download
memory/7472-7152-0x00000258BF0A0000-0x00000258BF0D0000-memory.dmp

Filesize
192KB

Download
memory/7472-7194-0x00000258C00C0000-0x00000258C00C8000-memory.dmp

Filesize
32KB

Download
memory/7472-7170-0x00000258BF100000-0x00000258BF130000-memory.dmp

Filesize
192KB

Download
memory/7472-7173-0x00000258BF130000-0x00000258BF156000-memory.dmp

Filesize
152KB

Download
memory/7472-7197-0x00000258C0DB0000-0x00000258C0E36000-memory.dmp

Filesize
536KB

Download
memory/7584-5449-0x0000017A00000000-0x0000017A005A4000-memory.dmp

Filesize
5.6MB

Download
memory/7584-5388-0x00000179FDC70000-0x00000179FDC9E000-memory.dmp

Filesize
184KB

Download
memory/7584-7205-0x00000179FFA20000-0x00000179FFB20000-memory.dmp

Filesize
1024KB

Download
memory/7584-7201-0x00000179FF8E0000-0x00000179FF912000-memory.dmp

Filesize
200KB

Download
memory/7584-7196-0x00000179FEC80000-0x00000179FECA8000-memory.dmp

Filesize
160KB

Download
memory/7584-7191-0x00000179FEC50000-0x00000179FEC74000-memory.dmp

Filesize
144KB

Download
memory/7584-5446-0x00000179FEBB0000-0x00000179FEC16000-memory.dmp

Filesize
408KB

Download
memory/7584-5445-0x00000179FE170000-0x00000179FE19A000-memory.dmp

Filesize
168KB

Download
memory/7584-5444-0x00000179FE230000-0x00000179FE2E2000-memory.dmp

Filesize
712KB

Download
memory/7584-5442-0x00000179FE100000-0x00000179FE126000-memory.dmp

Filesize
152KB

Download
memory/7584-5438-0x00000179FD2A0000-0x00000179FD2C6000-memory.dmp

Filesize
152KB

Download
memory/7584-5437-0x00000179FE0C0000-0x00000179FE0FA000-memory.dmp

Filesize
232KB

Download
memory/7584-5405-0x00000179FE050000-0x00000179FE0B6000-memory.dmp

Filesize
408KB

Download
memory/7584-5394-0x00000179FE920000-0x00000179FEBA6000-memory.dmp

Filesize
2.5MB

Download
memory/7584-5392-0x00000179FDCA0000-0x00000179FDCEF000-memory.dmp

Filesize
316KB

Download
memory/7584-5389-0x00000179FDD00000-0x00000179FDD5E000-memory.dmp

Filesize
376KB

Download
memory/7584-5391-0x00000179FE5B0000-0x00000179FE919000-memory.dmp

Filesize
3.4MB

Download
memory/7584-7167-0x00000179FE1A0000-0x00000179FE1E2000-memory.dmp

Filesize
264KB

Download
memory/7584-5387-0x00000179FDBC0000-0x00000179FDBF0000-memory.dmp

Filesize
192KB

Download
memory/7584-5373-0x00000179FE300000-0x00000179FE5A2000-memory.dmp

Filesize
2.6MB

Download
memory/7584-5362-0x00000179FDB90000-0x00000179FDBBA000-memory.dmp

Filesize
168KB

Download
memory/7584-5357-0x00000179FD3C0000-0x00000179FD3E4000-memory.dmp

Filesize
144KB

Download
memory/7584-5309-0x00000179FD330000-0x00000179FD356000-memory.dmp

Filesize
152KB

Download
memory/7584-5235-0x00000179FD550000-0x00000179FD582000-memory.dmp

Filesize
200KB

Download
memory/7584-5234-0x00000179FD510000-0x00000179FD548000-memory.dmp

Filesize
224KB

Download
memory/7584-5233-0x00000179FD590000-0x00000179FD60A000-memory.dmp

Filesize
488KB

Download
memory/7584-5232-0x00000179FDB00000-0x00000179FDB88000-memory.dmp

Filesize
544KB

Download
memory/7584-7171-0x00000179FFB60000-0x00000179FFDE0000-memory.dmp

Filesize
2.5MB

Download
memory/7584-7189-0x00000179FE1F0000-0x00000179FE222000-memory.dmp

Filesize
200KB

Download
memory/7584-7190-0x00000179FD3F0000-0x00000179FD3F8000-memory.dmp

Filesize
32KB

Download
memory/8028-5192-0x000002A31B8C0000-0x000002A31B91A000-memory.dmp

Filesize
360KB

Download
memory/8028-5191-0x000002A301860000-0x000002A301888000-memory.dmp

Filesize
160KB

Download
memory/8028-5190-0x000002A301410000-0x000002A30145A000-memory.dmp

Filesize
296KB

Download
memory/8028-5193-0x000002A301410000-0x000002A30145A000-memory.dmp

Filesize
296KB

Download
memory/8028-5203-0x000002A31C320000-0x000002A31C364000-memory.dmp

Filesize
272KB

Download
memory/8028-5228-0x000002A31C9D0000-0x000002A31CC28000-memory.dmp

Filesize
2.3MB

Download