f81c79de1b8bec0ffcd299c964d8cf0bee0d983ab465b693dbfd7347d2c64f87

Resubmissions

01-07-2024 13:59

240701-ramdaayfpp 10

06-06-2023 19:05

230606-xr1j5afb28 8

Analysis

max time kernel
270s
max time network
274s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winrar-64-6.21-installer_AmGAP-1.exe
Size

1.7MB
MD5

17b1ea1089ccf5e5ef81c5dfafdb90ff
SHA1

af0c22f715c97474303ff13364a71280c1d0f698
SHA256

f81c79de1b8bec0ffcd299c964d8cf0bee0d983ab465b693dbfd7347d2c64f87
SHA512

3e90c90477075856f77194cb6842501402f4eb49a68df84f5f3d49b5a8edae012e257908483c8451bc20bb89755c0b51c94c9499f4e3b6b85e88f8722e6d6a73
SSDEEP

24576:f7FUDowAyrTVE3U5Fmuj6C9FPusBoPwbpm90jiJ/65kr2kLgaJyLHbTVYyT:fBuZrEUr6CzmsBoYbpUF65GzOB

Score

8^/10

discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

Processes:

UnifiedStub-installer.exe

description	ioc	process
File created	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	UnifiedStub-installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe
Downloads MZ/PE file
Drops file in System32 directory 1 IoCs

Processes:

rsWSC.exe

description ioc process

File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rsWSC.exe.log rsWSC.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rsWSC.exe.log	rsWSC.exe

Drops file in Program Files directory 64 IoCs

Processes:

installer.exeinstaller.exeUnifiedStub-installer.exeServiceHost.exe

description	ioc	process
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ss-toast-variants-rebranding.js	installer.exe
File created	C:\Program Files\McAfee\Temp2115385406\jslang\wa-res-install-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2115385406\wa_install_close.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-ko-KR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-overlay-ui.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\score-toast-ui\wa-score-toast-confirm.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-pt-BR.js	installer.exe
File created	C:\Program Files\McAfee\Temp2115385406\wa-core.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\wsssetting.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-el-GR.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\fa.pak	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\transmitters\transmit_aws.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\ui\app.asar.unpacked\electron\node_modules\@reasonsoftware\windows-notification-state\prebuilds\win32-x64\node.napi.node	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Data.Common.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\wa-ui-uninstall.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-sstoast-toggle.html	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\libEGL.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\toggle_off.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\smart_toasting\smart_toast_config_manager.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\switch_off.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-zh-CN.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-webboost-hr-HR.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.IO.Pipes.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp2115385406\wa_logo.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ss-toast-variants.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-dialog-balloon-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\webadvisor_v2.mcafee.chrome.extension.json	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\wa-ch-store-overlay-ui.css	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ui-sstoast-bing.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-sr-Latn-CS.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\rules.js	ServiceHost.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\vk_swiftshader.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\settings-icon-selected.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\logic_loader.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-es-ES.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Xml.XDocument.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-el-GR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\aj_logic.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\builtin\jquery-3.6.0.min.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\handlers\browsernavigate.luc	installer.exe
File created	C:\Program Files\McAfee\Temp2115385406\jslang\eula-sr-Latn-CS.txt	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-ja-JP.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.IO.Compression.ZipFile.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\logic\usage_calculation.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-da-DK.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Drawing.Primitives.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp2115385406\jslang\eula-da-DK.txt	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Globalization.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-checklist-ru-RU.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Security.Principal.Windows.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.4.2\locales\pt-PT.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.UDI.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-de-DE.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\wssatpassisttoast.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\rsJSON.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\aj_toasts\wa-aj-toast-toggle.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-upsell-toast-nb-NO.js	installer.exe

Executes dropped EXE 15 IoCs

Processes:

winrar-64-6.21-installer_AmGAP-1.tmpcomponent0.exesaBSI.exeepli0zih.exeUnifiedStub-installer.exersSyncSvc.exersSyncSvc.exeinstaller.exeinstaller.exeServiceHost.exeUIHost.exeupdater.exersWSC.exersWSC.exersWSC.exe

pid	process
3696	winrar-64-6.21-installer_AmGAP-1.tmp
2800	component0.exe
2220	saBSI.exe
4836	epli0zih.exe
804	UnifiedStub-installer.exe
4896	rsSyncSvc.exe
2588	rsSyncSvc.exe
4176	installer.exe
872	installer.exe
6104	ServiceHost.exe
4264	UIHost.exe
5132	updater.exe
7028	rsWSC.exe
7648	rsWSC.exe
7476	rsWSC.exe

Loads dropped DLL 16 IoCs

Processes:

winrar-64-6.21-installer_AmGAP-1.tmpinstaller.exeregsvr32.exeregsvr32.exeServiceHost.exeUIHost.exeUnifiedStub-installer.exe

pid	process
3696	winrar-64-6.21-installer_AmGAP-1.tmp
3696	winrar-64-6.21-installer_AmGAP-1.tmp
872	installer.exe
5020	regsvr32.exe
1888	regsvr32.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
4264	UIHost.exe
6104	ServiceHost.exe
4264	UIHost.exe
804	UnifiedStub-installer.exe
804	UnifiedStub-installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exewinrar-64-6.21-installer_AmGAP-1.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winrar-64-6.21-installer_AmGAP-1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	winrar-64-6.21-installer_AmGAP-1.tmp
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ServiceHost.exeupdater.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	updater.exe

Modifies registry class 10 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rsWSC.exesaBSI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	rsWSC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 322881.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 322881.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

saBSI.exeUnifiedStub-installer.exeServiceHost.exeUIHost.exe

pid	process
2220	saBSI.exe
2220	saBSI.exe
2220	saBSI.exe
2220	saBSI.exe
2220	saBSI.exe
2220	saBSI.exe
2220	saBSI.exe
2220	saBSI.exe
2220	saBSI.exe
2220	saBSI.exe
804	UnifiedStub-installer.exe
804	UnifiedStub-installer.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
4264	UIHost.exe
4264	UIHost.exe
4264	UIHost.exe
4264	UIHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
4264	UIHost.exe
4264	UIHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
4264	UIHost.exe
4264	UIHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
4264	UIHost.exe
4264	UIHost.exe
4264	UIHost.exe
4264	UIHost.exe
4264	UIHost.exe
4264	UIHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe
6104	ServiceHost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

fltmc.exe

pid process

7728 fltmc.exe

pid	process
7728	fltmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

Processes:

msedge.exe

pid	process
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

component0.exeUnifiedStub-installer.exewevtutil.exefltmc.exewevtutil.exersWSC.exersWSC.exersWSC.exe

description	pid	process
Token: SeDebugPrivilege	2800	component0.exe
Token: SeDebugPrivilege	804	UnifiedStub-installer.exe
Token: SeShutdownPrivilege	804	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	804	UnifiedStub-installer.exe
Token: SeDebugPrivilege	804	UnifiedStub-installer.exe
Token: SeSecurityPrivilege	4296	wevtutil.exe
Token: SeBackupPrivilege	4296	wevtutil.exe
Token: SeLoadDriverPrivilege	7728	fltmc.exe
Token: SeSecurityPrivilege	1156	wevtutil.exe
Token: SeBackupPrivilege	1156	wevtutil.exe
Token: SeDebugPrivilege	7028	rsWSC.exe
Token: SeDebugPrivilege	7648	rsWSC.exe
Token: SeDebugPrivilege	7476	rsWSC.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

winrar-64-6.21-installer_AmGAP-1.tmpmsedge.exe

pid	process
3696	winrar-64-6.21-installer_AmGAP-1.tmp
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe
5876	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid process

5876 msedge.exe
5876 msedge.exe
5876 msedge.exe
5876 msedge.exe
5876 msedge.exe
5876 msedge.exe
5876 msedge.exe
5876 msedge.exe
5876 msedge.exe
5876 msedge.exe
5876 msedge.exe
5876 msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

winrar-64-6.21-installer_AmGAP-1.exewinrar-64-6.21-installer_AmGAP-1.tmpcomponent0.exeepli0zih.exeUnifiedStub-installer.exesaBSI.exeinstaller.exeinstaller.exeregsvr32.exeServiceHost.exemsedge.exe

description	pid	process	target process
PID 2164 wrote to memory of 3696	2164	winrar-64-6.21-installer_AmGAP-1.exe	winrar-64-6.21-installer_AmGAP-1.tmp
PID 2164 wrote to memory of 3696	2164	winrar-64-6.21-installer_AmGAP-1.exe	winrar-64-6.21-installer_AmGAP-1.tmp
PID 2164 wrote to memory of 3696	2164	winrar-64-6.21-installer_AmGAP-1.exe	winrar-64-6.21-installer_AmGAP-1.tmp
PID 3696 wrote to memory of 2800	3696	winrar-64-6.21-installer_AmGAP-1.tmp	component0.exe
PID 3696 wrote to memory of 2800	3696	winrar-64-6.21-installer_AmGAP-1.tmp	component0.exe
PID 3696 wrote to memory of 2220	3696	winrar-64-6.21-installer_AmGAP-1.tmp	saBSI.exe
PID 3696 wrote to memory of 2220	3696	winrar-64-6.21-installer_AmGAP-1.tmp	saBSI.exe
PID 3696 wrote to memory of 2220	3696	winrar-64-6.21-installer_AmGAP-1.tmp	saBSI.exe
PID 2800 wrote to memory of 4836	2800	component0.exe	epli0zih.exe
PID 2800 wrote to memory of 4836	2800	component0.exe	epli0zih.exe
PID 2800 wrote to memory of 4836	2800	component0.exe	epli0zih.exe
PID 4836 wrote to memory of 804	4836	epli0zih.exe	UnifiedStub-installer.exe
PID 4836 wrote to memory of 804	4836	epli0zih.exe	UnifiedStub-installer.exe
PID 804 wrote to memory of 4896	804	UnifiedStub-installer.exe	rsSyncSvc.exe
PID 804 wrote to memory of 4896	804	UnifiedStub-installer.exe	rsSyncSvc.exe
PID 2220 wrote to memory of 4176	2220	saBSI.exe	installer.exe
PID 2220 wrote to memory of 4176	2220	saBSI.exe	installer.exe
PID 4176 wrote to memory of 872	4176	installer.exe	installer.exe
PID 4176 wrote to memory of 872	4176	installer.exe	installer.exe
PID 872 wrote to memory of 3632	872	installer.exe	regsvr32.exe
PID 872 wrote to memory of 3632	872	installer.exe	regsvr32.exe
PID 3632 wrote to memory of 5020	3632	regsvr32.exe	regsvr32.exe
PID 3632 wrote to memory of 5020	3632	regsvr32.exe	regsvr32.exe
PID 3632 wrote to memory of 5020	3632	regsvr32.exe	regsvr32.exe
PID 872 wrote to memory of 1888	872	installer.exe	regsvr32.exe
PID 872 wrote to memory of 1888	872	installer.exe	regsvr32.exe
PID 6104 wrote to memory of 4264	6104	ServiceHost.exe	UIHost.exe
PID 6104 wrote to memory of 4264	6104	ServiceHost.exe	UIHost.exe
PID 3696 wrote to memory of 5876	3696	winrar-64-6.21-installer_AmGAP-1.tmp	msedge.exe
PID 3696 wrote to memory of 5876	3696	winrar-64-6.21-installer_AmGAP-1.tmp	msedge.exe
PID 5876 wrote to memory of 5912	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 5912	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe
PID 5876 wrote to memory of 1376	5876	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\winrar-64-6.21-installer_AmGAP-1.exe
"C:\Users\Admin\AppData\Local\Temp\winrar-64-6.21-installer_AmGAP-1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\is-M1U8K.tmp\winrar-64-6.21-installer_AmGAP-1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M1U8K.tmp\winrar-64-6.21-installer_AmGAP-1.tmp" /SL5="$40222,879088,832512,C:\Users\Admin\AppData\Local\Temp\winrar-64-6.21-installer_AmGAP-1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\component0.exe
"C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\component0.exe" -ip:"dui=66fe4e29-79d4-4cb9-9cf5-50b32d670a91&dit=20240701135952&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=58f9&a=100&b=&se=true" -i
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\epli0zih.exe
"C:\Users\Admin\AppData\Local\Temp\epli0zih.exe" /silent
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\UnifiedStub-installer.exe
.\UnifiedStub-installer.exe /silent
5⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
6⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
6⤵
- Adds Run key to start application
PID:6976

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
7⤵
- Checks processor information in registry
PID:7360

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
8⤵
PID:7536

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
6⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:7728

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:7028

C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\component1_extract\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\component1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\component1_extract\installer.exe
"C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\component1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
4⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176

C:\Program Files\McAfee\Temp2115385406\installer.exe
"C:\Program Files\McAfee\Temp2115385406\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
5⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
6⤵
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
7⤵
- Loads dropped DLL
- Modifies registry class
PID:5020

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
6⤵
- Loads dropped DLL
- Modifies registry class
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dl5.filehippo.com/a87/295/d3ed24385c8926582576aa4ec86bc92ee9/winrar-x64-621.exe?Expires=1686119911&Signature=cb2fbcdbdf16fc918a4d00415eb1bb5f71f7bd3c&url=https://filehippo.com/download_winrar-64/&Filename=winrar-x64-621.exe
3⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ff9c1e73cb8,0x7ff9c1e73cc8,0x7ff9c1e73cd8
4⤵
PID:5912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
4⤵
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
4⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
4⤵
PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
4⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
4⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
4⤵
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
4⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
4⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
4⤵
PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
4⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
4⤵
PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
4⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
4⤵
PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
4⤵
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7224 /prefetch:8
4⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1972 /prefetch:1
4⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
4⤵
PID:3632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
4⤵
PID:900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
4⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
4⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
4⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
4⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
4⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6828 /prefetch:8
4⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
4⤵
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
4⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
4⤵
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
4⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7808 /prefetch:1
4⤵
PID:1044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:1
4⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:1
4⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1
4⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
4⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8092 /prefetch:1
4⤵
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:1
4⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8652 /prefetch:1
4⤵
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1944 /prefetch:8
4⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8268 /prefetch:1
4⤵
PID:7060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9308 /prefetch:1
4⤵
PID:7096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4596 /prefetch:2
4⤵
PID:6400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8644 /prefetch:1
4⤵
PID:6588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9099446668331830744,3981697758303165546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8360 /prefetch:1
4⤵
PID:6948

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:2588

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6104

C:\Program Files\McAfee\WebAdvisor\UIHost.exe
"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:5472

C:\Program Files\McAfee\WebAdvisor\updater.exe
"C:\Program Files\McAfee\WebAdvisor\updater.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
2⤵
PID:5692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004CC
1⤵
PID:6196

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7648

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7476

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\McAfee\Temp2115385406\analyticsmanager.cab
Filesize
1.8MB

MD5
e57aed2c3515e4200f7e126f8c4da270

SHA1
ca85de1ff2209e960898e5522b5ceb9c93fecbd1

SHA256
1bd7b17a6d78812b991b44abd82aff0d1b789a29b63b9b1fc20947e7c86bc8d9

SHA512
94d134daa06a4470906d9ca31489c542b468f19341df714278ecdf6fe6a022229944550a78580b0d8b6d7bdee65a4b631ed690de8647fdea76382db66f6f8e91

Download Submit
C:\Program Files\McAfee\Temp2115385406\analyticstelemetry.cab
Filesize
59KB

MD5
a4e9c8ea60c8dc5ddd031684e2fa2b0f

SHA1
e96f54fbe1ba93f8dee5c9c762707d6062e40250

SHA256
ab7bbd9538e10bc38de331b72d4255e17b0076d2c7ea1a08a3083355477f92b6

SHA512
a3f2e92b3e46e40042e0b581612a32a97cdfe47214db916695fa3fb2f33f2450e683d5d945bcbae00107e615698c50e58d58afba9de33f9f369f4f9a4cb20b86

Download Submit
C:\Program Files\McAfee\Temp2115385406\browserhost.cab
Filesize
1.2MB

MD5
00f2d550a714ad541e1a11f99e066011

SHA1
7596fc563482c60d3c640cd7a94b9802548efc19

SHA256
31c4a80c292d28dd2712d11819b4c9b525774ca1900b1e1ae698e17a8afb33e8

SHA512
7959e8dd3992b98a95600f22ab93169c9f31093418e07502804a30f116347c6af16988733d1f53eae0f3f2b4f152f15158b1603923a2103f4de2003095057bba

Download Submit
C:\Program Files\McAfee\Temp2115385406\browserplugin.cab
Filesize
4.9MB

MD5
a69c0bf266c2f9e29847a0a4083eb959

SHA1
3088c3121b40132f46400a556ef10cdbc2bc4e20

SHA256
29feab1275621175f8647f4d3a6cf8f57b6166b50f22ca120dd26c10595dad36

SHA512
6f869407a57fa3a704f7938412fa262884c5592f7aebcf96bfae768c837780e1a45a8a359a2b6c8067f451c4c8d48a13d5017219618ec4b4581df140a08b6829

Download Submit
C:\Program Files\McAfee\Temp2115385406\downloadscan.cab
Filesize
2.2MB

MD5
e43c59a9951624d52be8403c660798fb

SHA1
56d267b5c385e3b7ba2d7018087c99bb8996ab28

SHA256
90d4e915b2e173efbacca232b1706bf06adf71c6d4019d75e80dc31917a8cf1b

SHA512
efaf271e5655e0941bc8ca04fd28695126ca53de02778f0b6bd9c27b81bc49921de6f096dd8722259ef2ba011d6f327f13486ce62462c4388da47ac88e36a874

Download Submit
C:\Program Files\McAfee\Temp2115385406\eventmanager.cab
Filesize
1.5MB

MD5
13a4bada2aa7a4778cb5b4850a1dc721

SHA1
49a9ea7e78fab850845d19c1809c0877a0266c33

SHA256
fed072050720a71ae72629d0a0344880e57e39d283a10f9888d6b048e4109acd

SHA512
44a2ea95bdbb1d930c23728e9c0042304051a469c90ec0a424bcdc55e2b230935b8382ba4f175f2190ae4fbd8fb7834f6aaf197fe77852c888d26ae5c70b224a

Download Submit
C:\Program Files\McAfee\Temp2115385406\installer.exe
Filesize
2.9MB

MD5
3e8dd9eaa2e5ec6f19232526ab93f678

SHA1
dc34c67784b5173d8e3c6eb33512b06fa886f5bb

SHA256
78a11faf56148e1cdf2e28d18eed54675daa39edae3b8dcc20e539e231a7760e

SHA512
242ebe5da1877c07ac377f7b4e2cbc0ebdc882c735a362a573ba8886b003eeb1a0c5aa7f186997e06e7c9b5bc3b51f82ccf49386e0f7b1f7017ea5d767995847

Download Submit
C:\Program Files\McAfee\Temp2115385406\l10n.cab
Filesize
273KB

MD5
02500487a40a5ff6a8eb5e4a30e3c93b

SHA1
2c82524477e9b58d73bca3b02e71376b0aad4f17

SHA256
0f5003de34bd67569cca10ee9de83a0a75bdc3d64e79ddc399b3e84d4ec6b7d9

SHA512
2b7903cc4d5de4e28a30446fe4bd1ad3b4d29f96b6defc6483830e085480152c029b3f8455db132e3ae29f7b0034df87c768bc83b4efb1bdb740c3c066319d16

Download Submit
C:\Program Files\McAfee\Temp2115385406\logicmodule.cab
Filesize
1.5MB

MD5
3d790f82b0a9ba96750ba3f2eed588f1

SHA1
efc833a1fc2ba48890da31271321989fbf2e4956

SHA256
d9edad64dbf02aa76140014e48247bba79f8e5542b245ede3885d3c59de27a52

SHA512
01784bc0f4ec96cadbfda09a9773242b0cf1fea533dc04c038ebf15a74ff12f1e63675b469c32879c0ca48e5b49590bfc42a884b15540c019802450d0ab515ca

Download Submit
C:\Program Files\McAfee\Temp2115385406\logicscripts.cab
Filesize
62KB

MD5
f8dfc0755ad1b107bec5867afa3c8516

SHA1
2cc056e90415d5e5a7a77c3af2db13fb97a4e964

SHA256
a2665c0828dad9ca5b3bed154dd0992b2b563bd03e0b033babb8fd151bd20293

SHA512
803b9de1ebf8801f9ede1b846604d8f588dd12c2aa849b3371087e4fc9da3bea763174f1f929084db9a15892959e3be1bc10f3082ddf798aab2d5f63d7381772

Download Submit
C:\Program Files\McAfee\Temp2115385406\lookupmanager.cab
Filesize
985KB

MD5
1815b59997e12005efef2bbebbac4711

SHA1
c1696256a2f31e0e6412257cecc9fd4f9661eef9

SHA256
02b2f4b30255f43eea3b850908e95c9d03055e7c5908cf0b4aa23668fa72c217

SHA512
8a37d87947ae595dfa7938d9c9c82e8f62a280ac067e6cdda027064016acc26ec0ca6f6c17f952450e320790692102dc8329827ba454daf9f26711df71b3e114

Download Submit
C:\Program Files\McAfee\Temp2115385406\mfw-mwb.cab
Filesize
31KB

MD5
6d7a663d317a09a4905264b4c4b2ef6e

SHA1
18d8baab317f9ff011d738883e7e8a75c8b53b06

SHA256
4afc1510fba158b3ff52c9a81dc47f9874decac328edd1ac9e319044e6ddb56c

SHA512
52a191c5f4a8f940b1f586745a098ff92a1a53d7aa3bd11223da1ed1415444b89dcccb648a34392eb19664389ab538229025af78eb9c51eb6b991c42a14816f9

Download Submit
C:\Program Files\McAfee\Temp2115385406\mfw-nps.cab
Filesize
33KB

MD5
81b5d7c448a71161f7d38779a0218d56

SHA1
2ad39c5872799aab2e13d9362cae3d4f9b44874b

SHA256
25c3fc24abc851396de0ff45c373dad3717d739138dc190c54b70d0212b49592

SHA512
d80ae883cfcafcbfac18a06bde160d8f4539c829a18b768d99ed004d065ae314363cf6cc895b2fbf9abc6532e2c0b00cf05ef80cda779a733ec6046a08f5d437

Download Submit
C:\Program Files\McAfee\Temp2115385406\mfw-webadvisor.cab
Filesize
943KB

MD5
2e6ab957aa1df44639ed2017eb53a765

SHA1
361722b1874e25515e353fa761795028a0c7442e

SHA256
9d6970c23cb265991327171b524c43ea064b0758e196e5789a8c04a3f2f77b64

SHA512
333a7d49a579fd923d20565b8bb0de16cfd5bb257e3e471fe66294f5950eeaa3945e2da115aca7809ac92215d8080aa7a200db20e63517803eaed80f0fc1f1a7

Download Submit
C:\Program Files\McAfee\Temp2115385406\mfw.cab
Filesize
311KB

MD5
927a125fff98e88ecc0bbc0b5f10dba5

SHA1
9c7840d27cd6d8b456f53c58ae52a14aff5317b0

SHA256
8946eb981db9d9b91ff12b1d0338288a8c48f6ec8ca6040935fa1e566f93a007

SHA512
7e247bcb23e413e7fb6e8efed4a1c191b33f526707b4f031fd3326acf27245f02141039be3dd1fd5ed9c8bd86273dbf13c46254ee2a595358b8a6c8930185b14

Download Submit
C:\Program Files\McAfee\Temp2115385406\resourcedll.cab
Filesize
50KB

MD5
1d167e4ddd9bad8d638d8972c607cbaf

SHA1
b49e42f45a3af3807e32409a6a3ef0603aa70e6e

SHA256
d20994576a1ca9c8508f3176289e24a143c913193b5d5616dd0d46e320965e9c

SHA512
c19f30cacb16872c15f7104bc2df155e79b86431473be983a13f6d72fee7d43c4a95b1bcd08c394f6ff098c53a7455a7c8277efcbd7749a7397acd6e68eda15b

Download Submit
C:\Program Files\McAfee\Temp2115385406\servicehost.cab
Filesize
316KB

MD5
7730bdc3643a3741cbfe531834a80e7f

SHA1
b0014e646504b028cd12ec2cfdbb984b9fdb85f6

SHA256
ef553b4dc2dbb0f858a0b5ba3cfa799b2c0f920d9a9cfbdb262feafa31b7a068

SHA512
c7154ffd5b6cc1250dedb5ad14a4cfc12eb6154a23fdf3d2f075c17512c96c7c61317427b6f54137aeeb2d27f594c5f0fded565c3a1260a2416826e9cd39d48a

Download Submit
C:\Program Files\McAfee\Temp2115385406\settingmanager.cab
Filesize
787KB

MD5
ca69ea788eaefdac784d91c04b8d8c9d

SHA1
1830cecbaea9e558753540b0cfac78a4f323e619

SHA256
9858761d099cca8faae725d6ec509a165240c904f7f0800a23e0e7567ebc3910

SHA512
5fe4973f3627bce4cc1d323a8dc3cda81419a406650abe40830bd5fad0c0c5fae32a22e4c226e8c6df56bc3f12301459783e162da28c1fdb463c8ac03bd01339

Download Submit
C:\Program Files\McAfee\Temp2115385406\taskmanager.cab
Filesize
1.2MB

MD5
849e19fee07adec045d9ed321c50ccb8

SHA1
72ad513a60b29213ed35470c3a92ddc0f950efd1

SHA256
32df02ca872cbb2b641bd96e71d3c3ee90a45133f1ac100407bb7bf694d3d6bf

SHA512
a603dffce8c73277bf63002cde674a4d16c3726e191c80e04961209f3c91f0c75b55701b95749a15e283c345dc8f62968a2c311227e0a89a9fa01f23b89edd48

Download Submit
C:\Program Files\McAfee\Temp2115385406\telemetry.cab
Filesize
89KB

MD5
cd605472692533e9cd0a0c0762828f7b

SHA1
3273dcb4f4f8723d2ac92b1e06898cc75f41b538

SHA256
f507a042d55627f9bbd40b9a7703ad00cfd8daa551db16cbce8d82c9e7972706

SHA512
4685e05a9bd8aaaa38b477f4caa37aee3d4d5710e5b8da42ac6920530befc2694c33ef1ca9bdb468374d681dc529b4b6f2f9c388752719911a49310b664fcd0b

Download Submit
C:\Program Files\McAfee\Temp2115385406\uihost.cab
Filesize
312KB

MD5
3459c4ae57c1a0787469724659c4f799

SHA1
eaf34468ef6ec06bd36947337ea3e2a248be3205

SHA256
92e24c4aa7f6dc777a08fa33be02e8ffe2212de80a7f395dfe43b4004d1664f4

SHA512
bf2b4b3509fe6b74f2e28e308b9325960696aa5d738bb37a44cc63de7d6690b775cc657e4f60852997d66256817b2b7009bbcb7f681f09f6e929365a71a4db8f

Download Submit
C:\Program Files\McAfee\Temp2115385406\uimanager.cab
Filesize
1.7MB

MD5
b0c0fbf6381bc6401c66fdfef10ed839

SHA1
009155f5a5495c8b259224e133398ed8e13b81de

SHA256
698c9e4c1811c4e00d325608c60154a74b069681aa8a7fa03be5f3dcbd545651

SHA512
c3d30f8709ce5be5156de20c3e4cb41089bbdb0a3889fc23df2e33325834f4f41256e269cd2eb174bb7b8cc469a482e04334932ca45d4bc8d1a9332dca93bc81

Download Submit
C:\Program Files\McAfee\Temp2115385406\uninstaller.cab
Filesize
971KB

MD5
b62c9a02390c127fab856d6840349431

SHA1
995f256696dd9af997570461c7a3eb03fe7130f0

SHA256
644e25efd1a863ebb5c5eba9370d1d3c1f7818ddc3b08e83436aa9d5c0ef3cc6

SHA512
4dae113507e87237513722259fb267bbfd640fe7d0bb59d38137a4541e82f265edccb8b6853976d0588cb3ad2bb39ac92acc443db62d52d4f10854a210382e62

Download Submit
C:\Program Files\McAfee\Temp2115385406\updater.cab
Filesize
950KB

MD5
8a98fe616623525eeea2e900bdcc059a

SHA1
6ace688d538a5c1441d9733c81dfb09590010d93

SHA256
7eeff73f46e9528de0399f44d6f97a7aaca54081f04be353dae44e2a0e0ff518

SHA512
887fefd667205e2258f3c41374b6ba2bf0435b01a04430e36360b6ece2fc2f188c0bde0bb7b1632b1d5a5bdfb7a151ce7f2942d566eae07693d8a0e350a2291b

Download Submit
C:\Program Files\McAfee\Temp2115385406\wataskmanager.cab
Filesize
2.8MB

MD5
5bbe21ff2e236e600aa4c255fd9c3340

SHA1
9f776eb6840bba720f0d1ef5fa21a8f17b7e7e84

SHA256
a2f6a9775170118a97f4f4c276bf465d31b901d570aa6200f5bad8a0c8527971

SHA512
227d47946273b057eb3bb9ca11c70d50a96e7ebcef7b57d51fd786054761cbe0d3820448f4d5642b7c0becc0d64b5b301c1f9d3f466a17f48eb5cb610d5e3d18

Download Submit
C:\Program Files\McAfee\Temp2115385406\webadvisor.cab
Filesize
22KB

MD5
790a6db4ba45374e2642b628bf0641ad

SHA1
63a88cba16b1dd52f457b685d03c3f9013ec8502

SHA256
264db0041d449f6b6ea576342a6add2a1d9fa83f10f2dda379ff7f62bd59b31a

SHA512
d180facd77529a0720519941476d905b72992a072c289bca661c92015040bedaa2bc8381b10e18ce794d3f7144441c64c90180398f655a6a0c78066f6d7136e9

Download Submit
C:\Program Files\McAfee\Temp2115385406\wssdep.cab
Filesize
588KB

MD5
3a0c760c08eaa901c6266d803dc0f5e8

SHA1
44c141f5f88161609b64ecda3b9001431f1a807f

SHA256
c6c829c6a7d47e7d595b3775160c3c0f144104d397e141f3f58b40b79b9c9989

SHA512
469fa37999e427bbd3ea9011069c08172f763ea7fdc7775b52861ac0e8acb2836618a2f3fd3c13983feb6a1cb5cadb097ee86dc4b8d8bf58b281c8233713d17b

Download Submit
C:\Program Files\McAfee\WebAdvisor\AnalyticsManager.dll
Filesize
5.1MB

MD5
e8339ae6c8ab77fbc42046f093bf8c4a

SHA1
2b38d7c5ec85905dfce3b16a3ed5683f1c516779

SHA256
132e6ee18c86b46d624056af8f022e08e4cb6b602122e1d60d5861a0db685433

SHA512
12184863ee319eee9512ea489b5963dd218e836f7914b04e91e68358812842e1a4ca3584aa8ca8a598b862bf4e6a91c5d3848567fea17c4f230c7092a7d14f3a

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab
Filesize
73KB

MD5
582cb55f1d5488c19de8a02e5c22e1b1

SHA1
107898c4b33c797fbdeaccf0d4c73c18e30fe81a

SHA256
7740054020dd617171342f29863839b1ab9e7666ea5e5467039f30306bd409b1

SHA512
ca3abfb0ba9b34bd006dc9576b1d56294ccf2b3086483277a15e6b96ed7ed206a858acfa618d6188f76214d86b2f2f40b43f2f10b3026dc3e5bcbe223186357c

Download Submit
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
Filesize
858KB

MD5
48678dec5022d43cfa7c028daae53570

SHA1
9237afd2402934c7718d5020c8e0bed7bce02147

SHA256
5933ba5d54d91e9d12f330b1e56d346ac91a70f64dfa2549b2058cfaa52751e1

SHA512
8a1b54da6372482f626c0515af8e396159046716eab093d094e5adf2935be1f9c8d4735b40dacafb97f42981ac4cdbf921bea242b39e56c13bd1d7ad027aa0ed

Download Submit
C:\Program Files\McAfee\WebAdvisor\SettingManager.dll
Filesize
1.9MB

MD5
96c162ff0f6091a49d78bc14add9edac

SHA1
b0b03bc30e1957cc9b70f4ddf3d2b35874e53afc

SHA256
b5ee5a1a8dfe59df5354df31719a4bf641c0c686555b8efdc709930fdd6eb9b1

SHA512
c04b494901ef6609b2f3deb64f51e3a7b6a22669b96656eaacab1bdb56c0c1d56f33f929ef078e7984125fe0dc9a5158e89ffbcd5517f81930873dde493e7e43

Download Submit
C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\events\AnalyticsTelemetryHandler.luc
Filesize
2KB

MD5
7c9319e20641287f184bfaca45c51b2d

SHA1
2fc1371a8cede51006f70dc50e301a53d305636a

SHA256
4208120bb89f063070408339c6dda29d1744ec79ecb49d73b81726e293794955

SHA512
e112a00aa69a1bb9d16f8645532f7db590210096195113fc98d7dba8caf81c03260d4126d74f124ddc37b3b6da162b568e58b045c51a75dfebaff124541e5b2a

Download Submit
C:\Program Files\McAfee\WebAdvisor\mfw\core\class.luc
Filesize
656B

MD5
5613b4e711fac995473340e4e66e78a1

SHA1
8a00153a62a948bac687a67b696517a0ea1df456

SHA256
ca35f3eef8321e17339e1ee76f09da0334ac0b48bd988e8a0228041ae8895aac

SHA512
0c63025a8e7b0448e5ef9c902a2478f760bef76336668798f606c175bd04af5159e5eb5472f66525bfd9005ebbb19cc16d3a0693766a091c90cfe80063037f69

Download Submit
C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll
Filesize
646KB

MD5
141328a56946a190d7e9e522c1d40b66

SHA1
49d9ff35fc943183eefe3e5be4128d8a13c170fc

SHA256
9c04ccd4667e319eca6909b3da718a321a38eba911378af9e620becb2c71d03e

SHA512
04a0e60ef29d6c755e80adc68f27334d064e44f83017bb8b45d3d2bb8ad095464d202a73e3ef521611fb4cc917c522c340bbb7d02f8c3dcd3bcb0396e33d6035

Download Submit
C:\Program Files\McAfee\WebAdvisor\x64\wssdep.dll
Filesize
803KB

MD5
5f71f3a80e21ecdf38a25093e2b288c6

SHA1
21c1b93fa6dbca563ddc690bbe99541cebfed6ac

SHA256
5e3117a832e193cf2d45e5ea6034466bd73239f6b9aa03d44759c4be045ff571

SHA512
3952fddf3b8fa5d8baac9598756db598d8d6f678a90e2dfee4144a05eb93e76998d4d6ce2162e57b65833bad8c687762f7f20f0f5dfe336c7de5fe0640bd52eb

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll
Filesize
335KB

MD5
5e2b4c627d4afac7b138fb229f3ba8cf

SHA1
7b8b27bfcbc2603f7e10474d3895e6dc821992c0

SHA256
b3df61de305444755aa5c79b4a88f10d5474980db8da0d674856ba158eb1c3b6

SHA512
325d151197bce5ba7a9ba76cdaaf5f9f5a3fc546542e78dc2b3b35337654a65ee2d19d20112d82b496104f148acb6b25e8c3d27a567b5eb6f0b2aa38aa4093ed

Download Submit
C:\Program Files\ReasonLabs\EPP\elam\rsElam.sys
Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll
Filesize
1.1MB

MD5
5761d96590d91fa336c068269a7dbd93

SHA1
5a1b0a8b4f255680a7549b2b27c28dd65a5a3e47

SHA256
7dc02294611987dcffef0d1ce99ff316926901fc872099cbea2fb76997e29f65

SHA512
f8f5743547c96aeb579b7786fc9af64102bef3cf46a6df270cccf5d51a48467d9547732ff49f8d5258e7f28a5bf2d234d3344c2862a5a67f5054de81ec6f4ea2

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll
Filesize
352KB

MD5
b3b1147d7bcff3698ed64b9ca31dd75d

SHA1
cfcfecdfef6103e606e6559920b0164e6ddec856

SHA256
1f260a7cf65d80332a58a16b713570054e83d2d842b17ca76262dedef69922f8

SHA512
8638c0c96ed95c6ce5b00444b7287b0017b2ad1c1aab874b9caa9210fcaf4f7e7a3aac6b261e6e2686b66bbb02d6a68827541bf7a78a922d057a0c0846884614

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config
Filesize
5KB

MD5
3149ca79d09c362307bed37960f0fd04

SHA1
f5f43f511ef581dc7b88ed194bb8e86e42f45bd3

SHA256
5481ccc72cad44173cdfbf746a701bb79e2b75927ef71aee1226e07e1265d31b

SHA512
d7c519a58bdefd24bcc26ec681b27a72a0aabbf4135d8e47a493abe1e4affd7cb5740b132d445aa9ecf66247de7406d5974557ae671d5977e40d877167b94a70

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog
Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe
Filesize
2.2MB

MD5
09e2401f12f54289c04af17d90f0798f

SHA1
2f95c7a2684338f5fc66b0c20e148b2a9938b154

SHA256
3efd3ea030a60cf4c5e0c6b93fdd24f1743e56cecd3a30329375ff80ef47091d

SHA512
8337b3f7bb29f546eaefe9adb8b7674007176c0f6d429d9b51df7eacf41b09042359d028ded0c934f71ce11e308252b86846027e10e07529327a451cfe7c2206

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
1KB

MD5
da700aaf42642cbbd67cc460cd38b258

SHA1
11d748cc2df94d4e374507519e7bb57a8d283675

SHA256
2fc035a9b22f69e7ccd395838489a7e1eaf9f17bc3af8941a57cccb7f29d88b8

SHA512
544ff918d82ffa2f453aa5e48948cca1bb45c6d35534c031d6f1750310e4418f47c112462f28c33a92dc941f668317c7081f2bac85ffc63aeffdd876f7d7e46d

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
ab20cbf2319487113235d069f02962c2

SHA1
881b4e171e0e1d27c8cf5827aa6efd621b68f2cb

SHA256
12731cdc88f14ec483cac24c106cb8c2b6bc55ee20bdb078b60221586242e80b

SHA512
53abd107e962949ac618efce0982dfe2d3416005440f6c9f5a84df033c8792c51f2577c3f4fb63fab36289025b1ce7de014aa5f27fd5cbacf05046c8a2452e16

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
74c49e9e0143efabe4fb9db799174a6e

SHA1
a49b1ed4938e38478257cfb132460ebc77d978ec

SHA256
96d1e9f65a8d595dfaeaba2ad9220934390113f306952dbf1cc311a470ef9fab

SHA512
24a87cecc12cd9d6c9879ef47515211c4c6e1e34092407441e0710a94c2f90dec226dc3ebae9d6fbf6a39836b91c63bcadcbf3dafa190b75145410ae9df2d721

Download Submit
C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt
Filesize
4KB

MD5
6b1b35e682737b6bba3f6dd05bacdd1e

SHA1
71bac8184ec112a3e6615494b15f4ad459e09588

SHA256
b5af35d507a0f5d219179abec110bb25f712c9b55233daac49268573deb12211

SHA512
a9de42fe8ad5fe63ad163df396786ce29c4fc9662c230e40c61cbb83d9a36bea9531dab0a615d6284b18a77f1b402e94f88f3f0bda22a58d239c2cf0f258b675

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
3KB

MD5
4a760035c6919f3484ffd6a9796f0564

SHA1
0beca78a343a7a7875ccd3eeb0cfa82e9f1baef1

SHA256
7c442f32f4ece8b02b406e01652a9eaa0d30cc03a132a3ef2ee0ecaaa59c1538

SHA512
db78f256e26aeabb0d2322f0fa07c549fd62936e3037e128d9896589c0bb729b513942eacb4c2498eb949c7fa63cf99cc2aa817b618f470cceacba3e05c72b18

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt
Filesize
4KB

MD5
d657b7b4d7b42656a80086105313eeaf

SHA1
6c35d560a6c7fe070c5cc4f0518d3f29b46f79d0

SHA256
696515df1bcbc80a6e4d3bfcd211adf903d00981c9acaa246139440392b701e0

SHA512
3501d7d0897589b710bd20fe65f52b35d87f9c2183483ae919dc5c0f75ff7aa7e582d6c569ad8aac57e3c496b1cfa3d3813cdd6d325c58fd2f45c69e318dbbee

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt
Filesize
2KB

MD5
5ff9b52f8526245b486b69763a279061

SHA1
9af50cb91610d8253869a90afa3222cb383b25c6

SHA256
133c22241096402a502da0ef3487bec55144f8b35a4c8f167be53926ee3faf0c

SHA512
e6a1f42059a125410e9d4ae9ec1fdb614b6db19c721138b66f5f113a9569666ef978bd204e973b947b910fbad45f5a3549f8b2f33e3becf115a4446a506d14b2

Download Submit
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt
Filesize
1KB

MD5
510011456c88c2705f792e6cc40ea393

SHA1
21efff3042ba6c57685140c602ae1757c70d6485

SHA256
2edfaea4aec2d689a320667ffb7adbc3c5bbded078f00d989ec9ad54bfdae511

SHA512
2a8183dfd0364b68420b6d5cb70e8d24482699ee989ce954a4c43060eac459e5ce298ccadce24f23a58b398cc31619f8197b64ac38acfd9462cf2b5ca642c247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c1c7e2f451eb3836d23007799bc21d5f

SHA1
11a25f6055210aa7f99d77346b0d4f1dc123ce79

SHA256
429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

SHA512
2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6876cbd342d4d6b236f44f52c50f780f

SHA1
a215cf6a499bfb67a3266d211844ec4c82128d83

SHA256
ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e

SHA512
dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0e37650f-3f28-42d9-8d9a-40a465ce50d2.tmp
Filesize
5KB

MD5
1fae728866a87385cacfe6cae3e3992f

SHA1
2b348cf932451335228f5cf8151c680cef0c3c73

SHA256
6b278962455ed5efce52c114a84974b171a5fe85912233844f1a66200ee517f2

SHA512
b1317e7130a42b19e7a5996a4f791293b13e1f509dfa437ead3aa5331779b750c2bb2a38c8d5ea414955fa1aa3ee934416c8fccfa144fd750772668ea2d61c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
Filesize
62KB

MD5
42d9fcc7172456834d9e05605cfb999f

SHA1
d1df0982a953011482b7cc5e97803a5fae290ba7

SHA256
5029f1471e648ecdf5518199b5d7a6fdcf2dab7b9ba8367331b0836de3064575

SHA512
5fc471dfd6cf0516739b40db211b4f1e0d3e27e7b53eb1e0c8d34f7ddf5d09ff520bd4c3b7baca993857fd462f184621391fed363a548bc7b50eee3b7ef6ade8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
Filesize
31KB

MD5
60140bc834da90837a9a4d1530484677

SHA1
d99868b0693b332681b4db7927f3f11b3ed37607

SHA256
29c0ba2fb11f5bbedff938e0d0a97da59f725cd153bc0c04f052419e779f134e

SHA512
448ddc49ab5128dfc0dc91ebe388d447e748848cd2f7dc15fe1fd0380a5436cc9872c32606d9d161d3648b20bff5eda0e48e8fb77c9293f3c0924ae89589eb37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019
Filesize
19KB

MD5
bb30ea3b46964f49ba85f475efd1fb6f

SHA1
1bb4aae7781af8b933e1dd4dee56879a3ef92d38

SHA256
7a5bfdc2463dfde6b169ca4555ce9f5a0fb21c15c3ac807967590df27dd800e6

SHA512
bc52e8de4712d416aebf1d403d6ee8dcb6386a93dfc6727613af487f73de69db90913a9e9781660d8dec121d720ceec9c84b260c76f0f6f565ae80967eee7474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c
Filesize
1024KB

MD5
281da940ca5aacd93fed9ec9cfbeb4df

SHA1
5fa3859b3040451804948424ea18c22b489b0f9b

SHA256
0f5127bd4fd2f9d7b7ecdf918db8f89047c2780eed1734e3fb18adfde1df29fa

SHA512
ec7aa6a0827670c609d81bab434c0eaaf682685ef8c6b11c458cc85aa68e805de2867d37d408d0ce88cf77780866273083a23047fdc84342c3d1e3317c713415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d
Filesize
1024KB

MD5
dd670ecf476e8b8b2d7c5ea4a672daf6

SHA1
6f50fd8e933a28790057743582876462fe60082a

SHA256
87a241d72d322f416f038921f4d8bda6e3a4b0ab3ef951c54724a2959ad0589c

SHA512
527e61f8c804b7f8baf3e3958792c7d8e1640f41ab88d42d7db44a40c5f1d42e482e82712c9557ffb4295d82aaf97f29ea12aee67ba091bb155f282ce2b773e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f
Filesize
215KB

MD5
94d4e38a0118439d2196d941eb81a763

SHA1
4340dfbe70df254d4e4d18b36033c5cd9e477b98

SHA256
06dc73ae3c97b8a5ac3df482458ac76254edc81e0b5d9ce1613cc14eae474257

SHA512
c1e56759d73736e37341b7d8bbf26abee5f94db8f7d69c52a99851b92d40cc5cd44d9a0b653d6338af5e3553b354ef476b6c28ff0e50d48a48cfda2d7ac18690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041
Filesize
1024KB

MD5
138d2965366e5b17a1f6c0428f5693b1

SHA1
7fd3caefc2843e7b491b295de95e7085d6e390f4

SHA256
64ee451c9d175e49545918fe8ad1b7052cf83047cd6e01f9edffab4fbff3d3e7

SHA512
0ecc36d3e877940af6e4fa344659d707b3ca481beaa3005416ea7645f8c1042948e45b7d9612c0f7e483ccb79d3162cf2efaa6bc83c20f60b44e05d3a7762f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042
Filesize
1024KB

MD5
ab4be54bce187983b97900c9d8d2b1cd

SHA1
6fd209f08f6cce5ddb61f6457333bc59d2d7d7ab

SHA256
42a53af153c590b2c96da68c6ab94f12b2caf2e473486f9be0eae09470376fe2

SHA512
4a456e8bc065f8e3b7b007a0fcdc7c73dffea0a0be1430b8c08b14f3614216b4f64074d3a17cb57e85d651908c9185b9951dd7e05826f4f446c1db243c9e7d38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000043
Filesize
1024KB

MD5
d4b4d4740c9ce3630887c437825d73cf

SHA1
a073844a52d46954c37cf65666e952f4d46d8c8a

SHA256
86e83edf42976f29985933f8cac9ff5ad64d6a1674a82d566e4d0535f2b160a3

SHA512
ae96cff7ebb89581ee339a0bd028d78bf848d757919eb7fca2cbb3df950adf36c29c74ecb556996b1afa73fb0325d1ff8b8e23ab58159a63e4cb2f6eaf8d0a6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044
Filesize
1024KB

MD5
fa6bacb36fe1e82786c5adafc28e79cf

SHA1
e9efce4c564fbc158e7a2e1a24c238082df9302d

SHA256
c2be4ca19b4b5f489f721956699d938c4de844d3b3310af9d016a8562615d029

SHA512
f89d459f187edf8717132e8e468ea845d31cb2dcf018e47051a8937c3a63522638537a2f5bc7a9f57d61f66c1e8ef2dbd17f08e72aa72874640a63356dc45e88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045
Filesize
1024KB

MD5
c6e60b407c54916833c3ed704d864d5b

SHA1
44de4c25be1e06d1c0e9a7ee04989a3385f46862

SHA256
37c2cb84755d036da56a1549c509e9d2aec472562060048df1ad2e2a243f1d5f

SHA512
a6b01c1beb28f85c4853ae9f82de2bbcf5bcafeb62b635380265bb2f000c01e7799bb3c234b18d95c7b2ca6f6dfa2cb767b312f0e147a98cecb02fefaa51c0ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b
Filesize
50KB

MD5
900e217361ce1f52ca334eafa055ede9

SHA1
a744d334b154b6aefaccf685526156cdf3f82e7f

SHA256
6e50c78089d18760870450e7e82bdaf56c75ef916b4b9e06ea3ee5d74517a9bb

SHA512
90e568da4878070c82c7c0dfbf617ec6524ea61c805bda867dd173ef85d8026618aecb5d38a15e838952a6a77b6326caadede433ecd401a910de760b610033fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c
Filesize
16KB

MD5
1cb357ae9f1541d4e0317f5e1151f03e

SHA1
97d228cb80ad0e3e825a208cba9a22a9b4e72c9d

SHA256
02aee346bf43f006fba08e5e833dc7474b1086bc45a3a512b46b726369d5ada8

SHA512
087ecfd36482a571dbf2fd7bb1ab17186d49d15cf286333b4ac7715cd1f32c4b8abb9b7685fb2f5bef5e182be8464fefa19269a85c32ce418edbec26d5a87f67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
695d2ab1e1bb3c4ed49a0a221249c335

SHA1
836687e56fd70d29fe121cfe7c94ecc75c494133

SHA256
6f946984f1ddb5e3f75f08255c2ea26afbbca241c583cfc471185ce846742412

SHA512
e5970f156e322201b9eea21795e5342e8628daef4a60d4002fefcfd53d2ad5fea39ee0980e7cf0de13a8467e4db7f5da0c7334d48698aef7634633acae503007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
1543d932892a6a7a978b91d45524f2f5

SHA1
8806ddbe9fad9e2dae954db48c46d599ec4644e2

SHA256
43f123e08c775e001600e12094b22f644fae23dc0f06aa834cb98984c461e88f

SHA512
87c4a911787748d8db48f6a5d2db3f646210175b52d0a30cf2d2ac8d20a61ed373b3de2842803cd48d887fa3789222f9c403374e8f089182a9abc9ee30bfa77a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
c09b91567d7cc6ae446303f0e2e6eca9

SHA1
0775c420c80dfac26065187580aff4a845cb6c5c

SHA256
2765a266075a4e7b55b974ec8c77c4a66428a14d895229b7ffe8468f42132d54

SHA512
c748f34990e10420a62ec31e2bd3d8062206e1784dab646b21c45c794d377d6c969b0f20241864e230045c064eb011b5e30550453cbfe4aa21e06cfdc05469a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
8KB

MD5
7e613a5a5c58196e0ee3d6f7d0405daf

SHA1
772b063ba414cf828632b1f2c9fe125fbd74610a

SHA256
fd477f13d2ca8f87faae322ae3888204c31aab9d1a9ee529e5c83fb8cacc7fab

SHA512
2679ed8db1ba152e1e3f691f1a7d0c5c898d33055d0723f6a7ae7644b35cf1426da42df7ea44537cd65afdedca034e85bbdceb3efe248bf1ea7c3e94bb17a3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
9KB

MD5
32b416d560f224eafb6a7cfdc3778816

SHA1
a3e2c815797d152c0ffeb70908f1622f49aae380

SHA256
e3e43acaa478fdaec6628699938c1eb88817dae9c170bca912d14d84baef2724

SHA512
bff147704f659a8f191bca5255b751d7b80da9bb74c1f12b3aaa22668318fc76ccb0b37f0260cbca19e3a0387a4ad6fe99576bd10585018bcc9f171f4304978f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
2b6b7b068ecf65ebbc1b8ac5228ebcba

SHA1
7badaace2c6a0c757eb7fb55f6ac59c7b5f3415d

SHA256
e7a5415202986cd6073369b4d85647af5270f5c478f0c7f1c7b760e1d7c52e6a

SHA512
bd676e4925adc41c3fe72c10608e0b041d8569d9078ad7abdc2cc648b8dc55ac034d95817e0eeb2f43af78fc47a4e79b2275cd72ebe2d81904dd490368ea6336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
7b3493c1ca3223be2fc2d50f34453214

SHA1
09faa238c10ab2b33bdcba821ae26f9e4d41e2ee

SHA256
354a6bdc8cb879a687d00a0901a91232aa5242e4db3b467c120cbfd231a9898c

SHA512
4bee351d4bad7593583a7cb2eea25037879a023279b39f2a1b32f8d1a20d7697519718cbfdc97f5f75597eaf3f2339ecc2b22ac5b14e5078585fd3e7ff2d4dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
b8f78520ca09f9a97cad881ba02b9d2e

SHA1
024eda04c6cd5ccbe54dc1311d9ee34746f81852

SHA256
f789041b95b4830d980ca49e2dd10a63399896119c9d6b204f8acd0bebbd275e

SHA512
0230857698f81bb9b49f25011a629ef79071777e57cfff9cc7b94ea0f26b1ad6897aa598a43c65e62e71042c9d99fec66e93b7a454860db7adc4edfc73b648ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
dcccff5cf73588556724ab7ba8107130

SHA1
bc87a3fe2888afbf6e8875a713f4f9376eaf535d

SHA256
b5eb7c6177da862df528e5ec80d64d0be32f2e68c516225b2d7c9087d7fbaa8d

SHA512
c5ffbbf314513396438d23a2852fc790df7518ec98c3af834fdcab679db0dac3ba1c1cabdc725b3310b6bc6b1663edd258c82b2dbe35b2eb20c95497fee72704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
603b52fbd02879799ad7ce4f62f183a1

SHA1
896beefab64abb16012170f59581bacd75eadfab

SHA256
6349d43a85bb0a9890a8c647e40d6843d074722d59cc6c35f560c632ae27851b

SHA512
77c118e82da3fd88d7c1b954e888149a65c3d7d0c84c8d554ef5633770c70f81db4a8d49e6e9dceb2bbbedf7be9d730c66fe21860360f1d6429da3a642f757b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
015ae1d24d2c3c242f247a935171abea

SHA1
3c265b48bb3f9cd02607bf6334432cafcffc0556

SHA256
fdad7414014eefa8fd393b241b08c93e793abc65350f44586f32cb8b2dc9b8cb

SHA512
0fa65c707493bf3b8c0301b0f3564487f1b0625c33f978fbcc9acb4cef5d8381116a68c12ece8fd3e3b9c31d3edddf181736b345561ce47f87779aec89d63c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
d7de4706b3360866d0f8a7221b03259a

SHA1
ad529a8b11a2c751f3121cf184b32b9ad9cd426a

SHA256
2f3ce51239badd79fd50504c4b94bce73dc7090277d435684b7fd2db281d98c4

SHA512
61affd9c9451fa774992529c46c921f1471cf65213172830e7d058b14e223e064e74f68868fb98da0ff91a38c5d3ee9930fa788eee60be5c8c24016566d535d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
4ac75b3e761691b8f665102e3db73484

SHA1
06495b31378130aa57dcbadddc6b65ba5fbdee02

SHA256
96fba3c62f1e56f3cc7e6ee099c70a5fe8f604562a14bccede9558b49e78605b

SHA512
7a34738a68295b083771306065d625f6ddb7cc2253ae1f79fb001f4c0d4a154eba1b36acf01f7235cb486a06599dc115d3a26c79708f605fc541b15fa496ebca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
65bbb857b0e005d4dc3b4d0cf3d91192

SHA1
6d2e41d9b2a3bd721b332bb289e7e7c050117882

SHA256
a66867d6f9bec5e77066c3a80d0bd1f912894f0f26fa07cbb00ba5059688543e

SHA512
f2ca65c6eeb5ba726a6bdbdffb7b05d8d54db750c0e8ee3b9a77e7212f60fbeb0c6eb2a56b4e821bd20490400bfe2ec3572ac2fa6a6546aa6f4baa35884dd935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
a61b074ccfe92f12ae16b0d5785b3693

SHA1
92207608fae6879110a65261024525f1920b602c

SHA256
66e0edd3067f0a171434ca52aa4c1ddd136389f3ba4adf4ba065b2159812ffd7

SHA512
c8fcfb854b980ec0423e6be5377e3af9b717b410499106947c1076b7a7904d89a2241552ccffb47d364ee929bf20977509d39968cd5f17dac0e2291f852326f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
aa774b7aa596141a883d6ad4b3bf5654

SHA1
d74bb2393d7be076c7a12d4c9d3bec7afc3470b2

SHA256
e477cc9d15d6e0ea94d5de78d5dc782f6a508acdd717a8e6bab665c801d22863

SHA512
c657a9d579a1ff55aa486fecb436b19d024d5e2cbcf5617e2bcc409b94ebb07fde5fa124cbd154eec2680058c61dcabb887caacd0262bbf37ce0fba27ed10fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
68f51ee8ed8e12b4c59d82fda519cc5d

SHA1
ea0a69deda34e135a6f7471da67d8e5601e72699

SHA256
2d63ee4b310932899cf31537fe15a440edcb454a0c44ddbca3794542cf614a11

SHA512
6cdbee732e8e8567dd03e879c19225967fec18a595de01f363958bf62db7952b181238642f370a1900acdb8c0978359222e8bd7d891ab13f83e402b92eaa068a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
273988ab1a1bb77faf35b29b307644ce

SHA1
7d681ba803be988f0ce4abaf98c49d642d389f38

SHA256
2f16572e7aee79ec81dc95319d5e9c6d9f7dfbf926888cdb522c4280fc33887e

SHA512
23f70bdc33d264ccb9265d447ddf973cdc87ec23566e82726a27343c2a57c2b67e59d4910a7ee189aefb5c6079a671440131c37ab851fe2cb098b610db15e3cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
145b236ceb1b68138292b9a931ceff1a

SHA1
c98918edd30b7b6af2832bf6630f4956e4dee310

SHA256
0bd65eb6397ab13a94fe362bd71f5826dee8a1d1076fdfb06f7d08d0f92c4d37

SHA512
1a8505c34eccef3c090f546e5c9d12e20037199f54b8059f085d13930bc2b215a3c653209cb2e139c70fc96a403e9df68f27bbb681b74b327831dd08b883093c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
db04e0e5297ba06d5035ed78dea41f8c

SHA1
692cf24ef5f12cee5caa1b46beba6caf2bf637d9

SHA256
9832b799c56e1468f50ef7be3e78162aed66dde21daa6d8277367d6179530606

SHA512
31275294e86b4c1bd6833a450df413ef057590e4a6aa2aea333c710cfc9e358fbe9e3b86f2657146503e9656c15f085b6e21089aae0af7d791a99087b4458530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
459e7ee7e98f620343727f9182a8f8bd

SHA1
253e114580e4fd1b04bb9b3bcc36e0c65cf7a7c6

SHA256
a1d554a76015e2f98a6c2e29ae53ef991636f610f0cb17b70a7cf2ffe8704f89

SHA512
d37e46650d94aa5d9622da9f9dad790583ba3d444c85d4a3e9e4c4269e02bc077f2da60fab25b2eda5fd75aa053279c5f6521ea3ebe9cf3f1c6a79b3235071f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
1ce4a16c8a02b4e4d8790b90bba10e1d

SHA1
4bc45e94ce1c490a4dba4f805909a111f29549f3

SHA256
fbb34bea40470490aae72177cfa59a2364d65c7b5ea511e6fa77c67f577a1849

SHA512
3353dec6187a486bd0e9122b9e9fe45906c56b5cd02b3178b54185d07e320517dd1633797d22a50813ef7db1e8164bd1b43437f35ae04896c8b278556dc00f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
2240c82daca0022cf3d128424efa7f6a

SHA1
2420b8867281ea2d2276b63cd5734414127370c2

SHA256
195afdb3e25b5af016532f20cd9c42c200e6d5956ce77ce6ec65187d768acb41

SHA512
3380242bc20f798ef460af1e2704c2cad8c5a3d4ccb51f66b4608a44b12620296bc3edb259b7df07f3c0992a4a442572e65015c96cd05a036c279849edbc2d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58adcf.TMP
Filesize
1KB

MD5
80ff72d319d99594d4b7c27ebc29f964

SHA1
d569066e14a090d0cf28a311efb7a896a1d72b71

SHA256
3b6bc5817c38c0b3e1fe0a29f78e0e63ddee9a2ea735beb1616f6e8d1060932a

SHA512
a14934cc62aa6d233231fdd1c8f370c28eb069e96ddd4afdd16c091165e91264e72a3a83239caec74e07741c58322bd782a2e6256ecb788cea7049573038865f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ab76ecc1-146b-4f12-b08a-add39568e5d4.tmp
Filesize
1KB

MD5
c134aa85d2c8a359a19e0ff54e952585

SHA1
60f5d6e0b0cba05d6198a2fd726298d8b2bbbee8

SHA256
28b73b609f35f0b496358c0ba82eb8bdd3b1327df7d48cb23f21b13b6d84446d

SHA512
f36757aa4312aa0ffed720f0793f60e22846bbe24758a9531f61bdc6d2f75c97f0df18f901707298646973b07bdc9876189d2713da20982142a3db178bc4d087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9099e1cedc0b7cde786825b077d7bed6

SHA1
f2994c0c709755ff8e5a5b6701843ee8a70e9808

SHA256
33b0c7e4c45414e5aa46e2e8ef1aaf59b6f38cd2296e8d502b3e95688f000c63

SHA512
c6b582f35e39aade5983cd9a9917199138f8410496f0e449002bb94cf0b1a421efbdcf76d04a03ec6c020d255aa37867b1f5a181efb2dd1dc4cb59ba79530940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
bd417ed18e0f1c89eb4fbe45e58aea98

SHA1
77a11869a1db90c0dc1fe0745059f1f2fc0e6e0e

SHA256
28fa500d8faf72d12e30bbf6ac9df305e5c9c2a9824b3ac3e57e7f022f4187d1

SHA512
5bf00c6d92240478ffd951fac9060ec32c324924a3e98192979ccea4aa8635496182562757f8562b7a894854bbab7c766b9422a774062a1b8151227d2c2896f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4970919bf675b2d3e126e1cda6ec4da1

SHA1
0c74ab79b6707292114353dc7e7f1f7f5f405f0a

SHA256
70b07ed0b8e4e0428ec4215e8eeb4ac71f73d499ddc4989cf4ce5a8fd605d52d

SHA512
c1ec3d99f8d9b17716959821ca805d97fa82ce8b46f5cdc5284208ebe5f177e799204e2ed965659655fc8dd5405f87e83502b7a0d3c34161b4e0c0f83d46052e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\Microsoft.Win32.TaskScheduler.dll
Filesize
340KB

MD5
87d7fb0770406bc9b4dc292fa9e1e116

SHA1
6c2d9d5e290df29cf4d95a4564da541489a92511

SHA256
aaeb1eacbdaeb5425fd4b5c28ce2fd3714f065756664fa9f812afdc367fbbb46

SHA512
25f7c875899c1f0b67f1ecee82fe436b54c9a615f3e26a6bec6233eb37f27ca09ae5ce7cf3df9c3902207e1d5ddd394be21a7b20608adb0f730128be978bec9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\UnifiedStub-installer.exe
Filesize
1.1MB

MD5
c7fe1eb6a82b9ffaaf8dca0d86def7ca

SHA1
3cd3d6592bbe9c06d51589e483cce814bab095ee

SHA256
61d225eefb7d7af3519a7e251217a7f803a07a6ddf42c278417c140b15d04b0b

SHA512
348a48b41c2978e48ddbeb8b46ad63ef7dde805a5998f1730594899792462762a9eee6e4fe474389923d6b995eca6518c58563f9d1765087b7ac05ce2d91c096

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\b305ebd0-247d-4062-b035-cbbb6c69e5b9\UnifiedStub-installer.exe\assembly\dl3\4b2b25bf\7c827738_bfcbda01\rsServiceController.DLL
Filesize
175KB

MD5
3c11f1f4ab1b51e92af5210a25cb1a98

SHA1
f34e01f036d6279cb99ad36b7ad4f93875055ef1

SHA256
aadf52eefbc4330a9af62a2554635bc4f6d9503e0689ba86ee56c194b34d6382

SHA512
f872d8ec41c38e2c6527e4dd5285f7f877fe0714e94fde304f62b37b6f300d5bae38943df0c62dfa829886b0adbed01f6af14bdb8353ff6fdf73acedeb5ffcb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\b305ebd0-247d-4062-b035-cbbb6c69e5b9\UnifiedStub-installer.exe\assembly\dl3\659ebbb0\034a6d38_bfcbda01\rsAtom.DLL
Filesize
158KB

MD5
f2c6d0704191203c591b7257beff2d57

SHA1
0f8e468f8c26b71c5162b33caa812fa48bac8dd6

SHA256
ea791c403f402fbe8763d1adbb3a317463562a42757aa74d96505f2a4997585e

SHA512
2637921c04e98b14085778f85716e92efb76f9a50a0a9c1793b0310043ad60413642199e49f72eccdb4d2cbdbaeccf87ed83bd49976e6409b10916ef0218be08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\b305ebd0-247d-4062-b035-cbbb6c69e5b9\UnifiedStub-installer.exe\assembly\dl3\b1b7c758\e6717638_bfcbda01\rsLogger.DLL
Filesize
179KB

MD5
683e19faf979c5ab2ae5919f0b3d1485

SHA1
8453dbc5029e96e4c42cf96b327aef987b15b9e8

SHA256
60834a138a215289237b1f99c05489e7bda8e8c4357ef8e96d7914ef270e5ca8

SHA512
0b3764b1fe3b7fe10f7b78243f5a91c8563816eb19dad8d06e31dcaf6898ecfce667fe2585cff4dacc2a2650cd09428b5e4f2ff58baa54855e9749dc4f5d44f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\b305ebd0-247d-4062-b035-cbbb6c69e5b9\UnifiedStub-installer.exe\assembly\dl3\ef7242da\1d237638_bfcbda01\rsJSON.DLL
Filesize
219KB

MD5
8740daedb5e9ab8a48389ee3088a9c16

SHA1
4d821d8523ee72ebe2cd3e74e3c0cdcea7038d92

SHA256
8c0123b38ef50dc9aa0cb7c56028ae9c031425ab812ee0b56ff396c35b7af95a

SHA512
e847f7bd7c02662196b1bdbbd1073e21bb185c4a2d19c351b643de80c3efca661c126f9ebd834373d1baf56e8a67d03ce9624132d35f4a8deeec00d4a3236b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\rsAtom.dll
Filesize
156KB

MD5
f5cf4f3e8deddc2bf3967b6bff3e4499

SHA1
0b236042602a645c5068f44f8fcbcc000c673bfe

SHA256
9d31024a76dcad5e2b39810dff530450ee5a1b3ecbc08c72523e6e7ea7365a0b

SHA512
48905a9ff4a2ec31a605030485925a8048e7b79ad3319391bc248f8f022813801d82eb2ff9900ebcb82812f16d89fdff767efa3d087303df07c6c66d2dcb2473

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\rsJSON.dll
Filesize
217KB

MD5
927934736c03a05209cb3dcc575daf6a

SHA1
a95562897311122bb451791d6e4749bf49d8275f

SHA256
589c228e22dab9b848a9bd91292394e3bef327d16b4c8fdd1cc37133eb7d2da7

SHA512
12d4a116aee39eb53a6be1078d4f56f0ebd9d88b8777c7bd5c0a549ab5cff1db7f963914552ef0a68ff1096b1e1dc0f378f2d7e03ff97d2850ca6b766c4d6683

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\rsLogger.dll
Filesize
176KB

MD5
f55948a2538a1ab3f6edfeefba1a68ad

SHA1
a0f4827983f1bf05da9825007b922c9f4d0b2920

SHA256
de487eda80e7f3bce9cd553bc2a766985e169c3a2cae9e31730644b8a2a4ad26

SHA512
e9b52a9f90baecb922c23df9c6925b231827b8a953479e13f098d5e2c0dabd67263eeeced9a304a80b597010b863055f16196e0923922fef2a63eb000cff04c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\rsStubLib.dll
Filesize
255KB

MD5
fa4e3d9b299da1abc5f33f1fb00bfa4f

SHA1
9919b46034b9eff849af8b34bc48aa39fb5b6386

SHA256
9631939542e366730a9284a63f1d0d5459c77ec0b3d94de41196f719fc642a96

SHA512
d21cf55d6b537ef9882eacd737e153812c0990e6bdea44f5352dfe0b1320e530f89f150662e88db63bedf7f691a11d89f432a3c32c8a14d1eb5fc99387420680

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\rsSyncSvc.exe
Filesize
795KB

MD5
cc7167823d2d6d25e121fc437ae6a596

SHA1
559c334cd3986879947653b7b37e139e0c3c6262

SHA256
6138d9ea038014b293dac1c8fde8c0d051c0435c72cd6e7df08b2f095b27d916

SHA512
d4945c528e4687af03b40c27f29b3cbf1a8d1daf0ee7de10cd0cb19288b7bc47fae979e1462b3fa03692bf67da51ab6fa562eb0e30b73e55828f3735bbfffa48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4E24D728\uninstall-epp.exe
Filesize
324KB

MD5
8157d03d4cd74d7df9f49555a04f4272

SHA1
eae3dad1a3794c884fae0d92b101f55393153f4e

SHA256
cdf775b4d83864b071dbcfeed6d5da930a9f065919d195bb801b6ffaf9645b74

SHA512
64a764068810a49a8d3191bc534cd6d7031e636ae306d2204af478b35d102012d8c7e502ed31af88280689012dc8e6afd3f7b2a1fe1e25da6142388713b67fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\epli0zih.exe
Filesize
2.3MB

MD5
0ef440371f08cbed3c869d245f674e0b

SHA1
231f4c58d7d859f3e2f1fff66de275c214a4b39b

SHA256
bb6d67680bc703c3f4cc78933bd7463a1943045b8b73a19d04b024695384a54d

SHA512
c27616477f8ca172f01ed8cb0ef537aba424c4ee42a9776fa0ce32cb62909ecf9c906c7972c4e03a62ebc990528d6be476dc775c905d40532a9386e3c84dfc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\RAV_Cross.png
Filesize
56KB

MD5
4167c79312b27c8002cbeea023fe8cb5

SHA1
fda8a34c9eba906993a336d01557801a68ac6681

SHA256
c3bf350627b842bed55e6a72ab53da15719b4f33c267a6a132cb99ff6afe3cd8

SHA512
4815746e5e30cbef626228601f957d993752a3d45130feeda335690b7d21ed3d6d6a6dc0ad68a1d5ba584b05791053a4fc7e9ac7b64abd47feaa8d3b919353bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\WebAdvisor.png
Filesize
46KB

MD5
5fd73821f3f097d177009d88dfd33605

SHA1
1bacbbfe59727fa26ffa261fb8002f4b70a7e653

SHA256
a6ecce54116936ca27d4be9797e32bf2f3cfc7e41519a23032992970fbd9d3ba

SHA512
1769a6dfaa30aac5997f8d37f1df3ed4aab5bbee2abbcb30bde4230afed02e1ea9e81720b60f093a4c7fb15e22ee15a3a71ff7b84f052f6759640734af976e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\component0.exe
Filesize
32KB

MD5
a697e7f74e253067cf15b21de1771868

SHA1
d6e7d3d8065a94bb87c323eef2a9e039168bd48d

SHA256
8eb712bc7bf6602b8722b4f0f8edf233d42eab5df44975424fc065ee0dc0214d

SHA512
12ae7dafb0cf8323ccf68ea0a95ab836b00f31e6ffafd43e6bbf46ec25e389d1af3eac3bc6b406c5670093a2693a96753479fed2d53d63f9e66d101a9bff2a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\component1.zip
Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\component1_extract\installer.exe
Filesize
28.1MB

MD5
8d6d7d2b4b15a56c187288485d57f2a3

SHA1
06980d9bb48deb03fcc34734d45a12a7e73a174e

SHA256
eeed21499b9903b7d8d09392db96475c432ada134afc8ac68099bcf4238dae05

SHA512
e6c3a2d2e956ff8cba77b824e1e9daeb25bce8350c85bd26f5184d5ce9d08e0c76bbdb3772e671a87eb50daeaa45966064cce09374bd6b68985bac90dfefd41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\component1_extract\saBSI.exe
Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\mainlogo.png
Filesize
2KB

MD5
18203f28d86aacd56e7a0445784e4c8c

SHA1
00c7b9cf991b1dc4c05bfc9bd7d02e43d89e5a48

SHA256
c175b1f46cbb8ab31e34011b35202884503ba31ece2e236c36fec8b6c2bd25f9

SHA512
00c99a38030bbb996c134b7c857c953f042212f1cbe32a4f08be3797e5d08292ccd6cff681da76ee85f75220c27b3a53c428281371a45bbfc1380742ae0e957e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ELBL.tmp\v_in_black_circle.png
Filesize
1KB

MD5
a0f78df30ebc15bda8858e4c490a5eb1

SHA1
07140fdad7c7415fbb23461e243d7b576eb08749

SHA256
0c679e463254ec4652917110ca1387fb3663d464e4bd792d97c2d853e156d900

SHA512
f5539152f7faf5fa3505a2ebd1ccbe3145ee46564b814549a96b63f385a73b7e69176ca853d07adef386ea0cc7c0cea4989c74bd4334997b389d85a2f8db1508

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M1U8K.tmp\winrar-64-6.21-installer_AmGAP-1.tmp
Filesize
3.1MB

MD5
2c3299a97aaf7b14c4bc0145186a5851

SHA1
254fe53fb4e38ebed5f7f4c7edecd8fa295a9d85

SHA256
ca7d4bf7ea7e7a1f3ea77b885e3402d1040ad4473db3279f59376e52a980cba2

SHA512
53d0b0618ff8b1ecc3fdab140496e5268be9d922431625ee13ac315889e54cca3233608352cd4ae115d0e7559b60b642f8c1053eb6143ab660207f9e7fe1ed5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwa3302.tmp
Filesize
161KB

MD5
662de59677aecac08c7f75f978c399da

SHA1
1f85d6be1fa846e4bc90f7a29540466cf3422d24

SHA256
1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb

SHA512
e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 322881.crdownload
Filesize
1.7MB

MD5
e5e01f0d3b7781d3bf30a9b93a8272cc

SHA1
01027b81bf4b0587337d89635d500c5ba129d7a4

SHA256
ce144cae653be70d139d2e98feeaa9b1042ca04f313bb4d6ddea7215f8b21f31

SHA512
f31df11e71282926d98f65403eaf29dc7537e23a355bba519a9eda7e315dbc7605c2f2e1f8e28c801034be00f150cb58375e591f4fe422cd8bc9a56a547a7eb2

Download Submit
C:\Users\Admin\Downloads\winrar-64-6.21-installer.exe
Filesize
188KB

MD5
35e590ff773caadc65f8744b965b95e6

SHA1
fff08ca4ec34f19bf7087dfd2ffe340b47c4dcc0

SHA256
29098d3eea184f68362d12338d78b18d7c4f9e0ff2b46f02470bfb2e00d6c6ce

SHA512
7633c941eb6e2cee950f6ac157266d0fc1507bc3298a3374653da1bb2c33a3a8a063c7e681484f6f3f3884be27d518ff1c57633c5baa8d505345eed19b6f7669

Download Submit
memory/804-232-0x00000222853A0000-0x00000222854B0000-memory.dmp

Filesize
1.1MB

Download
memory/804-4882-0x00000222A0CA0000-0x00000222A0CD0000-memory.dmp

Filesize
192KB

Download
memory/804-4927-0x00000222A0E60000-0x00000222A0E8E000-memory.dmp

Filesize
184KB

Download
memory/804-240-0x00000222A0600000-0x00000222A062A000-memory.dmp

Filesize
168KB

Download
memory/804-3234-0x00000222A0C40000-0x00000222A0C96000-memory.dmp

Filesize
344KB

Download
memory/804-4905-0x00000222A0CA0000-0x00000222A0CCA000-memory.dmp

Filesize
168KB

Download
memory/804-236-0x00000222858E0000-0x0000022285910000-memory.dmp

Filesize
192KB

Download
memory/804-234-0x0000022287110000-0x0000022287152000-memory.dmp

Filesize
264KB

Download
memory/804-246-0x00000222A0BE0000-0x00000222A0C38000-memory.dmp

Filesize
352KB

Download
memory/804-4862-0x00000222A0CA0000-0x00000222A0CDA000-memory.dmp

Filesize
232KB

Download
memory/804-238-0x00000222871C0000-0x00000222871FA000-memory.dmp

Filesize
232KB

Download
memory/872-427-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-420-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-430-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-424-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-438-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-439-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-441-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-446-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-448-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-458-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-459-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-461-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-460-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-464-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-465-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-466-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-467-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-469-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-470-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-474-0x00007FF7C3530000-0x00007FF7C3540000-memory.dmp

Filesize
64KB

Download
memory/872-481-0x00007FF7B0C20000-0x00007FF7B0C30000-memory.dmp

Filesize
64KB

Download
memory/872-497-0x00007FF7A8A00000-0x00007FF7A8A10000-memory.dmp

Filesize
64KB

Download
memory/872-505-0x00007FF7B0C20000-0x00007FF7B0C30000-memory.dmp

Filesize
64KB

Download
memory/872-507-0x00007FF7B0C20000-0x00007FF7B0C30000-memory.dmp

Filesize
64KB

Download
memory/872-516-0x00007FF7BED90000-0x00007FF7BEDA0000-memory.dmp

Filesize
64KB

Download
memory/872-534-0x00007FF7B0C20000-0x00007FF7B0C30000-memory.dmp

Filesize
64KB

Download
memory/872-542-0x00007FF790D90000-0x00007FF790DA0000-memory.dmp

Filesize
64KB

Download
memory/872-560-0x00007FF7B0C20000-0x00007FF7B0C30000-memory.dmp

Filesize
64KB

Download
memory/872-562-0x00007FF7B0C20000-0x00007FF7B0C30000-memory.dmp

Filesize
64KB

Download
memory/872-588-0x00007FF790D90000-0x00007FF790DA0000-memory.dmp

Filesize
64KB

Download
memory/872-597-0x00007FF790D90000-0x00007FF790DA0000-memory.dmp

Filesize
64KB

Download
memory/872-598-0x00007FF790D90000-0x00007FF790DA0000-memory.dmp

Filesize
64KB

Download
memory/872-601-0x00007FF790D90000-0x00007FF790DA0000-memory.dmp

Filesize
64KB

Download
memory/872-618-0x00007FF790D90000-0x00007FF790DA0000-memory.dmp

Filesize
64KB

Download
memory/872-622-0x00007FF790D90000-0x00007FF790DA0000-memory.dmp

Filesize
64KB

Download
memory/872-422-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-421-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-419-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-431-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-626-0x00007FF7DC200000-0x00007FF7DC210000-memory.dmp

Filesize
64KB

Download
memory/872-434-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-450-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-462-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-463-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-628-0x00007FF790D90000-0x00007FF790DA0000-memory.dmp

Filesize
64KB

Download
memory/872-563-0x00007FF7B0C20000-0x00007FF7B0C30000-memory.dmp

Filesize
64KB

Download
memory/872-476-0x00007FF7C3530000-0x00007FF7C3540000-memory.dmp

Filesize
64KB

Download
memory/872-471-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/872-468-0x00007FF7E2B20000-0x00007FF7E2B30000-memory.dmp

Filesize
64KB

Download
memory/2164-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2164-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2164-26-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2800-64-0x00007FF9C9373000-0x00007FF9C9375000-memory.dmp

Filesize
8KB

Download
memory/2800-2196-0x00007FF9C9373000-0x00007FF9C9375000-memory.dmp

Filesize
8KB

Download
memory/2800-65-0x000002A8A0190000-0x000002A8A0198000-memory.dmp

Filesize
32KB

Download
memory/2800-66-0x000002A8BAC60000-0x000002A8BB188000-memory.dmp

Filesize
5.2MB

Download
memory/3696-28-0x0000000004E50000-0x0000000004E5F000-memory.dmp

Filesize
60KB

Download
memory/3696-20-0x0000000004E50000-0x0000000004E5F000-memory.dmp

Filesize
60KB

Download
memory/3696-2034-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3696-6-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3696-46-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3696-47-0x0000000004E50000-0x0000000004E5F000-memory.dmp

Filesize
60KB

Download
memory/3696-37-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3696-38-0x0000000004E50000-0x0000000004E5F000-memory.dmp

Filesize
60KB

Download
memory/3696-27-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/7028-4955-0x000002B0B1F50000-0x000002B0B1F7E000-memory.dmp

Filesize
184KB

Download
memory/7028-4956-0x000002B0B1F50000-0x000002B0B1F7E000-memory.dmp

Filesize
184KB

Download
memory/7028-4969-0x000002B0B23E0000-0x000002B0B23F2000-memory.dmp

Filesize
72KB

Download
memory/7028-4970-0x000002B0B2450000-0x000002B0B248C000-memory.dmp

Filesize
240KB

Download
memory/7648-4996-0x000001A4C0C90000-0x000001A4C0CAA000-memory.dmp

Filesize
104KB

Download
memory/7648-4995-0x000001A4D9C10000-0x000001A4D9D8C000-memory.dmp

Filesize
1.5MB

Download
memory/7648-4994-0x000001A4D98A0000-0x000001A4D9C06000-memory.dmp

Filesize
3.4MB

Download
memory/7648-4997-0x000001A4C0E10000-0x000001A4C0E32000-memory.dmp

Filesize
136KB

Download